From dca1eb642fd0008c4e457d70e6e76666f8430b19 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 18 May 2026 04:17:39 +0800 Subject: [PATCH] fix(ansible): clear lint baseline debt --- docs/LOGBOOK.md | 10 ++++++- infra/ansible/playbooks/110-devops.yml | 16 ++++++----- infra/ansible/playbooks/188-ai-web.yml | 27 ++++++++++--------- infra/ansible/playbooks/nginx-sync.yml | 24 ++++++++--------- .../playbooks/restore-password-auth.yml | 4 +-- 5 files changed, 47 insertions(+), 34 deletions(-) diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 084397d7..63ae8d09 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -5,6 +5,14 @@ **修正**: - `.gitea/workflows/ansible-lint.yml`:`runs-on` 從 `self-hosted` 改為 `ubuntu-latest`,對齊目前 Gitea runner label contract。 - `infra/ansible/playbooks/188-ai-web.yml`:補一行 CI label 註解,讓本次 push 能實際觸發新的 ansible-lint workflow 驗證。 +- 新 run `2245` 已成功被 runner 接走,但暴露 35 個既有 ansible-lint baseline debt;本輪同步清理: + - 30 個 `name[casing]`:將 `nginx` / `keepalived` / `bitan` / `n8n` / handler names 改為大寫開頭。 + - 5 個 `no-changed-when`:對只在缺狀態時執行的 command/shell 補上明確 `changed_when`。 + +**本地驗證**: +- `ruby -e 'require "yaml"; Dir["infra/ansible/playbooks/*.yml"].each { |p| YAML.load_file(p) }; puts "yaml ok"'`:pass。 +- `git diff --check`:pass。 +- `PATH=/tmp/awoooi-ansible-lint/bin:$PATH PYTHONPATH=/tmp/awoooi-ansible-lint python -m ansiblelint infra/ansible/playbooks/`:pass,0 failures / 0 warnings,production profile。 **目前整體進度**: - Alertmanager 低風險自動修復主線:約 98%。 @@ -14,7 +22,7 @@ - Truth-chain 對「自動修復成功但驗證降級」的判讀:約 99%。 - 188 OpenClaw runtime hygiene:約 60%。 - Token hygiene:約 55%。 -- Gitea infra-lint 可執行性:約 90%(runner label 已對齊,待新 run 驗證)。 +- Gitea infra-lint 可執行性:約 95%(runner label 已對齊,既有 lint debt 已清理,待下一輪 run 驗證)。 ## 2026-05-18 | T39 188 OpenClaw systemd 與 Telegram token hygiene 盤點 diff --git a/infra/ansible/playbooks/110-devops.yml b/infra/ansible/playbooks/110-devops.yml index 43ed0c4d..42f2c2ae 100644 --- a/infra/ansible/playbooks/110-devops.yml 
+++ b/infra/ansible/playbooks/110-devops.yml @@ -46,6 +46,7 @@ - name: "Swap | 格式化 swap2.img (若剛建立)" ansible.builtin.command: cmd: "mkswap /swap2.img" + changed_when: true when: not swap2_stat.stat.exists tags: swap @@ -107,17 +108,18 @@ # ======================================================================== # bitan pharmacy Docker 服務 # ======================================================================== - - name: "bitan | 確認 bitan container 運作中" + - name: "Bitan | 確認 bitan container 運作中" ansible.builtin.command: cmd: "docker ps --filter name=bitan --filter status=running --format '{{ '{{' }}.Names{{ '}}' }}'" register: bitan_status changed_when: false tags: bitan - - name: "bitan | 若停止則啟動" + - name: "Bitan | 若停止則啟動" ansible.builtin.command: cmd: "docker compose up -d" chdir: /home/wooo/apps/bitan-pharmacy + changed_when: true when: bitan_status.stdout == "" tags: bitan @@ -135,13 +137,13 @@ # ======================================================================== # keepalived # ======================================================================== - - name: "keepalived | 確認服務運作中" + - name: "Keepalived | 確認服務運作中" ansible.builtin.systemd: name: keepalived register: keepalived_status tags: keepalived - - name: "keepalived | 警告:keepalived 未運作" + - name: "Keepalived | 警告:keepalived 未運作" ansible.builtin.debug: msg: "⚠️ keepalived 未運作,VIP 200 可能失效" when: keepalived_status.status.ActiveState != "active" 
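Review bot: The `when: not swap2_stat.stat.exists` guard means `mkswap` is only attempted on the run that created `/swap2.img`; if that run is interrupted between creating the file and this task, every later run skips formatting because the file now exists, and any subsequent `swapon` (outside this hunk) would fail against an unformatted image. Gate on the creating task's result instead (register it and use `when: swap2_create is changed`) or on a signature check such as `blkid -p -o value -s TYPE /swap2.img` returning `swap`, so the formatting step self-heals. The added `changed_when: true` is correct on its own, since `mkswap` always rewrites the header. The enclosing play and the task that creates the file are outside the hunk.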
@@ -150,13 +152,13 @@ # ======================================================================== # Nginx harbor conf 指向確認 # ======================================================================== - - name: "nginx | 確認 harbor nginx conf 存在" + - name: "Nginx | 確認 harbor nginx conf 存在" ansible.builtin.stat: path: /etc/nginx/sites-enabled/harbor.conf register: harbor_nginx tags: nginx - - name: "nginx | 確認 harbor conf 指向 :5000 (非 :5050)" + - name: "Nginx | 確認 harbor conf 指向 :5000 (非 :5050)" ansible.builtin.command: cmd: "grep -c ':5050' /etc/nginx/sites-enabled/harbor.conf" register: harbor_conf_check @@ -165,7 +167,7 @@ when: harbor_nginx.stat.exists tags: nginx - - name: "nginx | 警告:harbor conf 仍指向 :5050" + - name: "Nginx | 警告:harbor conf 仍指向 :5050" ansible.builtin.debug: msg: "⚠️ harbor nginx conf 仍有 :5050,請確認已修正為 :5000" when: harbor_nginx.stat.exists and harbor_conf_check.stdout != "0" diff --git a/infra/ansible/playbooks/188-ai-web.yml b/infra/ansible/playbooks/188-ai-web.yml index 752fe362..6754e086 100644 --- a/infra/ansible/playbooks/188-ai-web.yml +++ b/infra/ansible/playbooks/188-ai-web.yml @@ -132,6 +132,7 @@ | crontab -u ollama - args: executable: /bin/bash + changed_when: true when: >- '0 2 * * * /home/ollama/momo-pro/scripts/pg_backup.sh >> /home/ollama/momo_backups/backup.log 2>&1' in momo_pg_crontab.stdout_lines 
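Review bot: `changed_when: true` is added to a `crontab -u ollama -` pipeline whose `when` only fires if the `0 2 * * * … pg_backup.sh …` line is already in `momo_pg_crontab.stdout_lines`, so as written the task only runs and reports a change on hosts that already have the entry — either the condition is inverted for an ensure-present task, or the shell body (which starts outside the hunk) is rewriting or deduplicating an existing crontab and the task name should say so. Either way `crontab -u ollama -` replaces the user's entire crontab from stdin, so any upstream hiccup in the pipeline can truncate it. `ansible.builtin.cron` manages the single entry idempotently and reports changed/unchanged accurately, which also removes the need for the `changed_when` override:
```yaml
# replaces the shell pipeline, its `when:` guard and the changed_when override
- name: "Momo | 確保 pg_backup cron 存在"
  ansible.builtin.cron:
    name: momo pg_backup
    user: ollama
    minute: "0"
    hour: "2"
    job: "/home/ollama/momo-pro/scripts/pg_backup.sh >> /home/ollama/momo_backups/backup.log 2>&1"
```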
@@ -152,50 +153,52 @@ # ======================================================================== # n8n / open-webui (Sprint A 新啟動) # ======================================================================== - - name: "n8n | 確認容器運作中" + - name: "N8N | 確認容器運作中" ansible.builtin.command: cmd: "docker ps --filter name=n8n --filter status=running --format '{{ '{{' }}.Names{{ '}}' }}'" register: n8n_status changed_when: false tags: n8n - - name: "n8n | 若停止則啟動" + - name: "N8N | 若停止則啟動" ansible.builtin.command: cmd: "docker compose up -d" chdir: /opt/n8n + changed_when: true when: n8n_status.stdout == "" tags: n8n - - name: "open-webui | 確認容器運作中" + - name: "Open-webui | 確認容器運作中" ansible.builtin.command: cmd: "docker ps --filter name=open-webui --filter status=running --format '{{ '{{' }}.Names{{ '}}' }}'" register: openwebui_status changed_when: false tags: open_webui - - name: "open-webui | 若停止則啟動" + - name: "Open-webui | 若停止則啟動" ansible.builtin.command: cmd: "docker compose up -d" chdir: /opt/open-webui + changed_when: true when: openwebui_status.stdout == "" tags: open_webui # ======================================================================== # Nginx 狀態確認 # ======================================================================== - - name: "nginx | 確認服務運作中" + - name: "Nginx | 確認服務運作中" ansible.builtin.systemd: name: nginx register: nginx_status tags: nginx - - name: "nginx | 警告:nginx 未運作" + - name: "Nginx | 警告:nginx 未運作" ansible.builtin.debug: msg: "🚨 nginx 未運作!" when: nginx_status.status.ActiveState != "active" tags: nginx - - name: "nginx | 確認 all-sites.conf 無 gitlab block" + - name: "Nginx | 確認 all-sites.conf 無 gitlab block" ansible.builtin.command: cmd: "grep -c 'gitlab' /etc/nginx/sites-enabled/all-sites.conf" register: gitlab_check 
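Review bot: The `docker ps --filter name=n8n` and `--filter name=open-webui` probes that gate the two `docker compose up -d` tasks (now marked `changed_when: true`) match on a substring/regex of the container name, so any running container whose name merely contains `n8n` (an `n8n-worker`, for example) leaves `n8n_status.stdout` non-empty and the restart is skipped even when the main service is down. Anchor the filter to the real container name, e.g. `--filter name=^/?n8n$` (Docker matches the filter against the name with its leading slash), and do the same for `open-webui`; if the installed compose supports it, `docker compose ps --status running -q` run from `/opt/n8n` is a more direct gate. The casing changes themselves are fine; the enclosing play starts outside the hunk.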
@@ -203,7 +206,7 @@ failed_when: false tags: nginx - - name: "nginx | 警告:all-sites.conf 仍含 gitlab block" + - name: "Nginx | 警告:all-sites.conf 仍含 gitlab block" ansible.builtin.debug: msg: "⚠️ all-sites.conf 仍含 gitlab 設定,請確認 Sprint A 清除是否完整" when: gitlab_check.stdout != "0" @@ -212,19 +215,19 @@ # ======================================================================== # keepalived MASTER # ======================================================================== - - name: "keepalived | 確認服務運作中" + - name: "Keepalived | 確認服務運作中" ansible.builtin.systemd: name: keepalived register: keepalived_status tags: keepalived - - name: "keepalived | 警告:keepalived 未運作" + - name: "Keepalived | 警告:keepalived 未運作" ansible.builtin.debug: msg: "⚠️ keepalived MASTER 未運作,VIP:200 降級為 110 BACKUP" when: keepalived_status.status.ActiveState != "active" tags: keepalived - - name: "keepalived | 確認 VIP:200 由本機持有" + - name: "Keepalived | 確認 VIP:200 由本機持有" ansible.builtin.command: cmd: "ip addr show | grep 192.168.0.200" register: vip_check @@ -232,7 +235,7 @@ failed_when: false tags: keepalived - - name: "keepalived | 警告:VIP:200 不在本機" + - name: "Keepalived | 警告:VIP:200 不在本機" ansible.builtin.debug: msg: "⚠️ VIP 192.168.0.200 不在 188 (MASTER 可能已 failover 到 110)" when: vip_check.rc != 0 diff --git a/infra/ansible/playbooks/nginx-sync.yml b/infra/ansible/playbooks/nginx-sync.yml index e3674929..8832bbe2 100644 --- a/infra/ansible/playbooks/nginx-sync.yml +++ b/infra/ansible/playbooks/nginx-sync.yml @@ -13,7 +13,7 @@ nginx_conf_dest: /etc/nginx/sites-enabled/all-sites.conf tasks: - - name: "nginx | 部署 all-sites.conf" + - name: "Nginx | 部署 all-sites.conf" ansible.builtin.template: src: "{{ nginx_conf_src }}" dest: "{{ nginx_conf_dest }}" 
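Review bot: `cmd: "ip addr show | grep 192.168.0.200"` runs under `ansible.builtin.command`, which does not go through a shell, so `|` and `grep` are passed to `ip` as literal arguments and the command should fail on every host with something like `Device "|" does not exist`, regardless of who holds the VIP; combined with the `failed_when: false` in the next hunk, `vip_check.rc != 0` is then always true and the "VIP:200 不在本機" warning fires unconditionally, which trains operators to ignore it. Drop the pipe and test the output instead: `cmd: "ip -4 -o addr show"` with `when: "'192.168.0.200' not in vip_check.stdout"` (or `cmd: "ip addr show to 192.168.0.200/32"`, which prints nothing when the address is absent). The commit only re-cases the task names here, but the check underneath is inert and worth fixing in the same lint pass.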
@@ -21,17 +21,17 @@ group: root mode: "0644" backup: true - notify: reload nginx + notify: Reload nginx tags: ["188", "nginx"] - - name: "nginx | 測試設定" + - name: "Nginx | 測試設定" ansible.builtin.command: cmd: "nginx -t" changed_when: false tags: ["188", "nginx"] handlers: - - name: reload nginx + - name: Reload nginx ansible.builtin.systemd: name: nginx state: reloaded @@ -45,20 +45,20 @@ ollama_proxy_dest: /etc/nginx/sites-enabled/110-ollama-proxy.conf tasks: - - name: "nginx | 確認 110 nginx 無 all-sites-from-188.conf 在 sites-enabled" + - name: "Nginx | 確認 110 nginx 無 all-sites-from-188.conf 在 sites-enabled" ansible.builtin.stat: path: /etc/nginx/sites-enabled/all-sites-from-188.conf register: stale_conf tags: ["110", "nginx"] - - name: "nginx | 警告:110 仍有 all-sites-from-188.conf (已非 188 管控)" + - name: "Nginx | 警告:110 仍有 all-sites-from-188.conf (已非 188 管控)" ansible.builtin.debug: msg: "⚠️ 110 sites-enabled 仍有 all-sites-from-188.conf,應已封存" when: stale_conf.stat.exists tags: ["110", "nginx"] # ADR-110: Ollama GCP 三層容災 — 110 作為 nginx proxy 轉發 K3s 流量到 GCP - - name: "nginx | 部署 Ollama GCP Proxy 配置" + - name: "Nginx | 部署 Ollama GCP Proxy 配置" ansible.builtin.template: src: "{{ ollama_proxy_src }}" dest: "{{ ollama_proxy_dest }}" @@ -66,23 +66,23 @@ group: root mode: "0644" backup: true - notify: reload nginx 110 + notify: Reload nginx 110 tags: ["110", "nginx", "ollama-proxy"] - - name: "nginx | 測試 110 設定" + - name: "Nginx | 測試 110 設定" ansible.builtin.command: cmd: "nginx -t" changed_when: false tags: ["110", "nginx", "ollama-proxy"] - - name: "nginx | 確認 nginx 已啟動" + - name: "Nginx | 確認 nginx 已啟動" ansible.builtin.systemd: name: nginx state: started enabled: true tags: ["110", "nginx", "ollama-proxy"] - - name: "nginx | 驗證 Ollama proxy 端口監聽" + - name: "Nginx | 驗證 Ollama proxy 端口監聽" ansible.builtin.wait_for: port: "{{ item }}" host: 127.0.0.1 
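Review bot: If `nginx -t` in this hunk fails, the play stops but the rejected `all-sites.conf` that the preceding template task already wrote (its header is in the previous hunk) stays in `sites-enabled`, so the next reload from any other source — logrotate, a package upgrade, a reboot — loads the broken config; the `Reload nginx` handler only protects the path through this play. Wrap deploy and test in a `block:`/`rescue:` that restores the file from the `backup_file` the template task returns (it already sets `backup: true`) and then fails explicitly, so a failed run leaves the previous working config on disk. Renaming the handler to `Reload nginx` is fine as long as every `notify` was updated, which the hunk shows for this play.
```yaml
- name: "Nginx | 部署並驗證 all-sites.conf"
  block:
    - name: "Nginx | 部署 all-sites.conf"
      ansible.builtin.template:
        # … unchanged: src / dest / owner / group / mode / backup …
      register: all_sites_deploy
      notify: Reload nginx
    - name: "Nginx | 測試設定"
      ansible.builtin.command:
        cmd: "nginx -t"
      changed_when: false
  rescue:
    - name: "Nginx | 還原上一版 all-sites.conf"
      ansible.builtin.copy:
        src: "{{ all_sites_deploy.backup_file }}"
        dest: "{{ nginx_conf_dest }}"
        remote_src: true
        owner: root
        group: root
        mode: "0644"
      when: all_sites_deploy.backup_file is defined
    - name: "Nginx | 設定驗證失敗,已還原上一版"
      ansible.builtin.fail:
        msg: "nginx -t rejected {{ nginx_conf_dest }}; previous version restored"
  tags: ["188", "nginx"]
```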
@@ -94,7 +94,7 @@ tags: ["110", "nginx", "ollama-proxy"] handlers: - - name: reload nginx 110 + - name: Reload nginx 110 ansible.builtin.systemd: name: nginx state: reloaded diff --git a/infra/ansible/playbooks/restore-password-auth.yml b/infra/ansible/playbooks/restore-password-auth.yml index 0b1eac1d..4c592937 100644 --- a/infra/ansible/playbooks/restore-password-auth.yml +++ b/infra/ansible/playbooks/restore-password-auth.yml @@ -16,7 +16,7 @@ regexp: '^#?PasswordAuthentication' line: 'PasswordAuthentication yes' state: present - notify: reload sshd + notify: Reload sshd - name: "SSH | 設定系統使用者密碼" ansible.builtin.user: @@ -25,7 +25,7 @@ no_log: true handlers: - - name: reload sshd + - name: Reload sshd ansible.builtin.systemd: name: ssh state: reloaded
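Review bot: The `lineinfile` edit that this `notify: Reload sshd` belongs to (its `path` and task header sit outside the hunk) sets `PasswordAuthentication yes` in what is presumably the main `sshd_config`, but on Debian/Ubuntu — which the handler's `name: ssh` suggests — `Include /etc/ssh/sshd_config.d/*.conf` comes first and sshd honours the first occurrence of a keyword, so a drop-in such as a cloud-init `PasswordAuthentication no` silently wins and the play reports success without restoring anything; `lineinfile` also rewrites the last `^#?PasswordAuthentication` match, which may sit inside a `Match` block rather than the global section. Consider writing a drop-in that sorts first instead, e.g. `/etc/ssh/sshd_config.d/00-restore-password-auth.conf` containing `PasswordAuthentication yes`, and add `validate: 'sshd -t -f %s'` to whichever task edits the config so a malformed file can never reach the `Reload sshd` handler. Since this play deliberately weakens SSH, a header comment stating its intended scope would help the next reader, e.g. `# Break-glass only: re-enables password auth; revert with the hardening play once key access is restored`.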