fix(ansible): clear lint baseline debt

This commit is contained in:
Your Name
2026-05-18 04:17:39 +08:00
parent ec18dec0d3
commit dca1eb642f
5 changed files with 47 additions and 34 deletions


@@ -5,6 +5,14 @@
**修正**
- `.gitea/workflows/ansible-lint.yml``runs-on``self-hosted` 改為 `ubuntu-latest`,對齊目前 Gitea runner label contract。
- `infra/ansible/playbooks/188-ai-web.yml`:補一行 CI label 註解,讓本次 push 能實際觸發新的 ansible-lint workflow 驗證。
- 新 run `2245` 已成功被 runner 接走,但暴露 35 個既有 ansible-lint baseline debt本輪同步清理
- 30 個 `name[casing]`:將 `nginx` / `keepalived` / `bitan` / `n8n` / handler names 改為大寫開頭。
- 5 個 `no-changed-when`:對只在缺狀態時執行的 command/shell 補上明確 `changed_when`
**本地驗證**
- `ruby -e 'require "yaml"; Dir["infra/ansible/playbooks/*.yml"].each { |p| YAML.load_file(p) }; puts "yaml ok"'`pass。
- `git diff --check`pass。
- `PATH=/tmp/awoooi-ansible-lint/bin:$PATH PYTHONPATH=/tmp/awoooi-ansible-lint python -m ansiblelint infra/ansible/playbooks/`pass0 failures / 0 warningsproduction profile。
**目前整體進度**
- Alertmanager 低風險自動修復主線:約 98%。
@@ -14,7 +22,7 @@
- Truth-chain 對「自動修復成功但驗證降級」的判讀:約 99%。
- 188 OpenClaw runtime hygiene約 60%。
- Token hygiene約 55%。
- Gitea infra-lint 可執行性:約 90%runner label 已對齊,待新 run 驗證)。
- Gitea infra-lint 可執行性:約 95%runner label 已對齊,既有 lint debt 已清理,待下一輪 run 驗證)。
## 2026-05-18 | T39 188 OpenClaw systemd 與 Telegram token hygiene 盤點


@@ -46,6 +46,7 @@
- name: "Swap | 格式化 swap2.img (若剛建立)"
ansible.builtin.command:
cmd: "mkswap /swap2.img"
changed_when: true
when: not swap2_stat.stat.exists
tags: swap
@@ -107,17 +108,18 @@
# ========================================================================
# bitan pharmacy Docker 服務
# ========================================================================
- name: "bitan | 確認 bitan container 運作中"
- name: "Bitan | 確認 bitan container 運作中"
ansible.builtin.command:
cmd: "docker ps --filter name=bitan --filter status=running --format '{{ '{{' }}.Names{{ '}}' }}'"
register: bitan_status
changed_when: false
tags: bitan
- name: "bitan | 若停止則啟動"
- name: "Bitan | 若停止則啟動"
ansible.builtin.command:
cmd: "docker compose up -d"
chdir: /home/wooo/apps/bitan-pharmacy
changed_when: true
when: bitan_status.stdout == ""
tags: bitan
@@ -135,13 +137,13 @@
# ========================================================================
# keepalived
# ========================================================================
- name: "keepalived | 確認服務運作中"
- name: "Keepalived | 確認服務運作中"
ansible.builtin.systemd:
name: keepalived
register: keepalived_status
tags: keepalived
- name: "keepalived | 警告keepalived 未運作"
- name: "Keepalived | 警告keepalived 未運作"
ansible.builtin.debug:
msg: "⚠️ keepalived 未運作VIP 200 可能失效"
when: keepalived_status.status.ActiveState != "active"
@@ -150,13 +152,13 @@
# ========================================================================
# Nginx harbor conf 指向確認
# ========================================================================
- name: "nginx | 確認 harbor nginx conf 存在"
- name: "Nginx | 確認 harbor nginx conf 存在"
ansible.builtin.stat:
path: /etc/nginx/sites-enabled/harbor.conf
register: harbor_nginx
tags: nginx
- name: "nginx | 確認 harbor conf 指向 :5000 (非 :5050)"
- name: "Nginx | 確認 harbor conf 指向 :5000 (非 :5050)"
ansible.builtin.command:
cmd: "grep -c ':5050' /etc/nginx/sites-enabled/harbor.conf"
register: harbor_conf_check
@@ -165,7 +167,7 @@
when: harbor_nginx.stat.exists
tags: nginx
- name: "nginx | 警告harbor conf 仍指向 :5050"
- name: "Nginx | 警告harbor conf 仍指向 :5050"
ansible.builtin.debug:
msg: "⚠️ harbor nginx conf 仍有 :5050請確認已修正為 :5000"
when: harbor_nginx.stat.exists and harbor_conf_check.stdout != "0"
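Review bot: The `docker ps --filter name=bitan` probe behind `Bitan | 確認 bitan container 運作中` matches the container name as a substring (regex), so any running container whose name merely contains `bitan` — for instance a sibling service from the same compose project — leaves `bitan_status.stdout` non-empty and `Bitan | 若停止則啟動` is skipped while the app container itself is down. Anchor the filter (`--filter 'name=^/bitan$'`, or `^bitan$` depending on the Docker version), or, since the start step already runs from the compose directory, probe the project instead with `docker compose ps --services --status running` (compose v2) from the same `chdir` and keep the `== ""` comparison. The `N8N` and `Open-webui` checks renamed in the 188 playbook of this commit use the same unanchored pattern. The `changed_when: true` added to the `mkswap` task is correct only because of its `when: not swap2_stat.stat.exists` guard; a comment such as `# only runs right after swap2.img is created, so it is always a change` would make that dependency explicit.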


@@ -132,6 +132,7 @@
| crontab -u ollama -
args:
executable: /bin/bash
changed_when: true
when: >-
'0 2 * * * /home/ollama/momo-pro/scripts/pg_backup.sh >> /home/ollama/momo_backups/backup.log 2>&1'
in momo_pg_crontab.stdout_lines
@@ -152,50 +153,52 @@
# ========================================================================
# n8n / open-webui (Sprint A 新啟動)
# ========================================================================
- name: "n8n | 確認容器運作中"
- name: "N8N | 確認容器運作中"
ansible.builtin.command:
cmd: "docker ps --filter name=n8n --filter status=running --format '{{ '{{' }}.Names{{ '}}' }}'"
register: n8n_status
changed_when: false
tags: n8n
- name: "n8n | 若停止則啟動"
- name: "N8N | 若停止則啟動"
ansible.builtin.command:
cmd: "docker compose up -d"
chdir: /opt/n8n
changed_when: true
when: n8n_status.stdout == ""
tags: n8n
- name: "open-webui | 確認容器運作中"
- name: "Open-webui | 確認容器運作中"
ansible.builtin.command:
cmd: "docker ps --filter name=open-webui --filter status=running --format '{{ '{{' }}.Names{{ '}}' }}'"
register: openwebui_status
changed_when: false
tags: open_webui
- name: "open-webui | 若停止則啟動"
- name: "Open-webui | 若停止則啟動"
ansible.builtin.command:
cmd: "docker compose up -d"
chdir: /opt/open-webui
changed_when: true
when: openwebui_status.stdout == ""
tags: open_webui
# ========================================================================
# Nginx 狀態確認
# ========================================================================
- name: "nginx | 確認服務運作中"
- name: "Nginx | 確認服務運作中"
ansible.builtin.systemd:
name: nginx
register: nginx_status
tags: nginx
- name: "nginx | 警告nginx 未運作"
- name: "Nginx | 警告nginx 未運作"
ansible.builtin.debug:
msg: "🚨 nginx 未運作!"
when: nginx_status.status.ActiveState != "active"
tags: nginx
- name: "nginx | 確認 all-sites.conf 無 gitlab block"
- name: "Nginx | 確認 all-sites.conf 無 gitlab block"
ansible.builtin.command:
cmd: "grep -c 'gitlab' /etc/nginx/sites-enabled/all-sites.conf"
register: gitlab_check
@@ -203,7 +206,7 @@
failed_when: false
tags: nginx
- name: "nginx | 警告all-sites.conf 仍含 gitlab block"
- name: "Nginx | 警告all-sites.conf 仍含 gitlab block"
ansible.builtin.debug:
msg: "⚠️ all-sites.conf 仍含 gitlab 設定,請確認 Sprint A 清除是否完整"
when: gitlab_check.stdout != "0"
@@ -212,19 +215,19 @@
# ========================================================================
# keepalived MASTER
# ========================================================================
- name: "keepalived | 確認服務運作中"
- name: "Keepalived | 確認服務運作中"
ansible.builtin.systemd:
name: keepalived
register: keepalived_status
tags: keepalived
- name: "keepalived | 警告keepalived 未運作"
- name: "Keepalived | 警告keepalived 未運作"
ansible.builtin.debug:
msg: "⚠️ keepalived MASTER 未運作VIP:200 降級為 110 BACKUP"
when: keepalived_status.status.ActiveState != "active"
tags: keepalived
- name: "keepalived | 確認 VIP:200 由本機持有"
- name: "Keepalived | 確認 VIP:200 由本機持有"
ansible.builtin.command:
cmd: "ip addr show | grep 192.168.0.200"
register: vip_check
@@ -232,7 +235,7 @@
failed_when: false
tags: keepalived
- name: "keepalived | 警告VIP:200 不在本機"
- name: "Keepalived | 警告VIP:200 不在本機"
ansible.builtin.debug:
msg: "⚠️ VIP 192.168.0.200 不在 188 (MASTER 可能已 failover 到 110)"
when: vip_check.rc != 0
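Review bot: `ansible.builtin.command` does not go through a shell, so the pipe in `cmd: "ip addr show | grep 192.168.0.200"` of the renamed `Keepalived | 確認 VIP:200 由本機持有` task is handed to `ip` as literal arguments; `ip` should reject `|` as a device name and exit non-zero, `failed_when: false` hides that, and `when: vip_check.rc != 0` then raises the `VIP:200 不在本機` warning on every run even while the VIP is held. Switch the task to `ansible.builtin.shell` with `set -o pipefail` and `executable: /bin/bash`, as the crontab task earlier in this file already does, so the return code reflects grep's result; the `changed_when`/`failed_when` lines of this task fall between the two hunks and are not visible here. The casing fix also turned `n8n` into `N8N`; `name[casing]` only needs an uppercase first letter, so `N8n` would satisfy the rule while keeping the product name recognisable.
```yaml
- name: "Keepalived | 確認 VIP:200 由本機持有"
  ansible.builtin.shell:
    cmd: "set -o pipefail && ip addr show | grep 192.168.0.200"
  args:
    executable: /bin/bash
  register: vip_check
  # … unchanged: changed_when / failed_when / tags …
```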


@@ -13,7 +13,7 @@
nginx_conf_dest: /etc/nginx/sites-enabled/all-sites.conf
tasks:
- name: "nginx | 部署 all-sites.conf"
- name: "Nginx | 部署 all-sites.conf"
ansible.builtin.template:
src: "{{ nginx_conf_src }}"
dest: "{{ nginx_conf_dest }}"
@@ -21,17 +21,17 @@
group: root
mode: "0644"
backup: true
notify: reload nginx
notify: Reload nginx
tags: ["188", "nginx"]
- name: "nginx | 測試設定"
- name: "Nginx | 測試設定"
ansible.builtin.command:
cmd: "nginx -t"
changed_when: false
tags: ["188", "nginx"]
handlers:
- name: reload nginx
- name: Reload nginx
ansible.builtin.systemd:
name: nginx
state: reloaded
@@ -45,20 +45,20 @@
ollama_proxy_dest: /etc/nginx/sites-enabled/110-ollama-proxy.conf
tasks:
- name: "nginx | 確認 110 nginx 無 all-sites-from-188.conf 在 sites-enabled"
- name: "Nginx | 確認 110 nginx 無 all-sites-from-188.conf 在 sites-enabled"
ansible.builtin.stat:
path: /etc/nginx/sites-enabled/all-sites-from-188.conf
register: stale_conf
tags: ["110", "nginx"]
- name: "nginx | 警告110 仍有 all-sites-from-188.conf (已非 188 管控)"
- name: "Nginx | 警告110 仍有 all-sites-from-188.conf (已非 188 管控)"
ansible.builtin.debug:
msg: "⚠️ 110 sites-enabled 仍有 all-sites-from-188.conf應已封存"
when: stale_conf.stat.exists
tags: ["110", "nginx"]
# ADR-110: Ollama GCP 三層容災 — 110 作為 nginx proxy 轉發 K3s 流量到 GCP
- name: "nginx | 部署 Ollama GCP Proxy 配置"
- name: "Nginx | 部署 Ollama GCP Proxy 配置"
ansible.builtin.template:
src: "{{ ollama_proxy_src }}"
dest: "{{ ollama_proxy_dest }}"
@@ -66,23 +66,23 @@
group: root
mode: "0644"
backup: true
notify: reload nginx 110
notify: Reload nginx 110
tags: ["110", "nginx", "ollama-proxy"]
- name: "nginx | 測試 110 設定"
- name: "Nginx | 測試 110 設定"
ansible.builtin.command:
cmd: "nginx -t"
changed_when: false
tags: ["110", "nginx", "ollama-proxy"]
- name: "nginx | 確認 nginx 已啟動"
- name: "Nginx | 確認 nginx 已啟動"
ansible.builtin.systemd:
name: nginx
state: started
enabled: true
tags: ["110", "nginx", "ollama-proxy"]
- name: "nginx | 驗證 Ollama proxy 端口監聽"
- name: "Nginx | 驗證 Ollama proxy 端口監聽"
ansible.builtin.wait_for:
port: "{{ item }}"
host: 127.0.0.1
@@ -94,7 +94,7 @@
tags: ["110", "nginx", "ollama-proxy"]
handlers:
- name: reload nginx 110
- name: Reload nginx 110
ansible.builtin.systemd:
name: nginx
state: reloaded


@@ -16,7 +16,7 @@
regexp: '^#?PasswordAuthentication'
line: 'PasswordAuthentication yes'
state: present
notify: reload sshd
notify: Reload sshd
- name: "SSH | 設定系統使用者密碼"
ansible.builtin.user:
@@ -25,7 +25,7 @@
no_log: true
handlers:
- name: reload sshd
- name: Reload sshd
ansible.builtin.systemd:
name: ssh
state: reloaded