diff --git a/k8s/awoooi-prod/04-repair-ssh-key-template.yaml b/k8s/awoooi-prod/04-repair-ssh-key-template.yaml
new file mode 100644
index 00000000..d231d0df
--- /dev/null
+++ b/k8s/awoooi-prod/04-repair-ssh-key-template.yaml
@@ -0,0 +1,39 @@
+# k8s/awoooi-prod/04-repair-ssh-secret.yaml
+# SSH Secret Template — 不含實際私鑰 (存於 K8s,不上 Git)
+# 2026-04-05 Claude Code: Sprint 3 Host Auto-Repair
+#
+# 建立方式:
+# ssh-keygen -t ed25519 -C "awoooi-repair-bot-2026" -f /tmp/awoooi_repair_bot -N ""
+# kubectl create secret generic awoooi-repair-ssh-key \
+# -n awoooi-prod \
+# --from-file=id_ed25519=/tmp/awoooi_repair_bot \
+# --from-file=id_ed25519.pub=/tmp/awoooi_repair_bot.pub
+#
+# 主機配置 (已完成 2026-04-05):
+# 110 ~/.ssh/authorized_keys: command="/home/wooo/bin/repair-bot-110.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
+# 188 ~/.ssh/authorized_keys: command="/home/ollama/bin/repair-bot-188.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
+#
+# 安全設計:
+# - SSH key 在 K8s Secret,掛載到 API pod /etc/repair-ssh/
+# - command= 限制:SSH 連線只能執行白名單修復腳本,不能執行任意命令
+# - repair-bot-110.sh / repair-bot-188.sh 只允許 docker compose up -d 或 systemctl restart
+#
+# 驗證方式:
+# ssh -i /tmp/awoooi_repair_bot -o StrictHostKeyChecking=no wooo@192.168.0.110 health
+# → 預期: REPAIR_BOT_HEALTHY:110
+# ssh -i /tmp/awoooi_repair_bot -o StrictHostKeyChecking=no ollama@192.168.0.188 health
+# → 預期: REPAIR_BOT_HEALTHY:188
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: awoooi-repair-ssh-key
+  namespace: awoooi-prod
+  annotations:
+    # 此 template 不含實際私鑰,需手動 kubectl create secret 建立
+    awoooi.io/secret-type: "ssh-repair-bot"
+    awoooi.io/created: "2026-04-05"
+    awoooi.io/key-comment: "awoooi-repair-bot-2026"
+type: Opaque
+# data: 不在版控中 — 使用上方 kubectl create secret 指令建立
+# 實際 secret 已存在於 K8s cluster (awoooi-prod namespace)
diff --git a/scripts/repair-bot/repair-bot-110.sh b/scripts/repair-bot/repair-bot-110.sh
index eaaa7069..5870e065 100755
--- a/scripts/repair-bot/repair-bot-110.sh
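Review bot: The verification commands under 驗證方式 use `-o StrictHostKeyChecking=no`, which accepts any host key and silently tolerates a changed one, so the health check cannot tell a substituted 192.168.0.110/188 from the real host; use `-o StrictHostKeyChecking=accept-new` or, better, a pinned `-o UserKnownHostsFile=<known_hosts shipped with the mounted key>`, and make sure the API pod's own ssh invocation uses the same setting. The first comment line names `04-repair-ssh-secret.yaml` while the file is `04-repair-ssh-key-template.yaml`; make them agree. Because this is a syntactically valid `Secret` with no `data`, anything that applies the whole `k8s/awoooi-prod/` directory would create an empty Secret or touch the hand-created one — a comment such as `# 勿用 kubectl apply 套用此檔; it only documents the secret created by hand` next to `type: Opaque`, or keeping the template outside the applied directory, avoids that. The `authorized_keys` lines listed under 主機配置 carry no `no-pty` and no `from=` source restriction; the single `restrict` option (OpenSSH 7.2+) turns on every restriction at once and would tighten the forced command further.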
+++ b/scripts/repair-bot/repair-bot-110.sh
@@ -12,7 +12,7 @@
 # 部署位置: /home/wooo/bin/repair-bot-110.sh (on 192.168.0.110)
 # 使用者: wooo
 
-LOG="/var/log/awoooi-repair-bot.log"
+LOG="${HOME}/.repair-bot.log"
 log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG"; }
 
 # 白名單: component → compose dir
diff --git a/scripts/repair-bot/repair-bot-188.sh b/scripts/repair-bot/repair-bot-188.sh
index ba5822f7..f4590834 100755
--- a/scripts/repair-bot/repair-bot-188.sh
+++ b/scripts/repair-bot/repair-bot-188.sh
@@ -11,7 +11,7 @@
 # 部署位置: /home/ollama/bin/repair-bot-188.sh (on 192.168.0.188)
 # 使用者: ollama
 
-LOG="/var/log/awoooi-repair-bot.log"
+LOG="${HOME}/.repair-bot.log"
 log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG"; }
 
 # 白名單: component → 修復方式
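Review bot: Moving `LOG` to `${HOME}/.repair-bot.log` puts the audit trail of the forced command into a file owned and writable by the very account the SSH key logs in as, and outside the rotation and root-only ownership that `/var/log` gave it; the repair-bot-188.sh hunk makes the same change. The move is presumably because the unprivileged user cannot write `/var/log/awoooi-repair-bot.log`, which is worth stating in a comment, e.g. `# log lives in $HOME because this user cannot write /var/log; a copy goes to syslog`. To keep a copy the bot account cannot edit, also send each entry to syslog from the same function: `log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG"; logger -t repair-bot -- "$*"; }`, and create the file under `umask 077` so other local users cannot read it. Note that `tee` still echoes every log line to stdout, i.e. back over the SSH channel to the caller, which matters if the caller parses the output; the rest of the script is outside the hunk.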