fix(cd): CD_PUSH_TOKEN + backup 路徑使用 BACKUP_ROOT 環境變數

- cd.yaml: GITEA_CD_TOKEN → CD_PUSH_TOKEN（Gitea 保留 GITEA_ 前綴）
- ADR-069: 同步更新 token 名稱說明
- backup-from-110.sh: 改用 BACKUP_ROOT 環境變數（預設 /home/ollama/backup/110）
  避免 /var/log /var/run 需要 root 權限
- 已部署到 188 + cron 0 1 * * * 設定完成

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/cd.yaml

@@ -332,7 +332,7 @@ jobs:
       - name: Deploy to K8s (ArgoCD GitOps)
         env:
           SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
-          GITEA_TOKEN: ${{ secrets.GITEA_CD_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.CD_PUSH_TOKEN }}
         run: |
           mkdir -p ~/.ssh
           echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key

docs/adr/ADR-069-infra-gitops-sprint-b.md

@@ -47,7 +47,7 @@ Gitea Actions 原生支援此標記，不會觸發新的 CD run。
 
 ### 新增 Secret
 
-`GITEA_CD_TOKEN`: Gitea Personal Access Token，用於 CD pipeline push kustomization.yaml  
+`CD_PUSH_TOKEN`: Gitea Personal Access Token，用於 CD pipeline push kustomization.yaml  
 - 建立：Gitea → Settings → Applications → Generate Token  
 - 權限：`write:repository`  
 - 加到 Gitea Repository Secrets: Settings → Secrets → Add Secret
@@ -62,13 +62,13 @@ Gitea Actions 原生支援此標記，不會觸發新的 CD run。
 
 ### 注意事項
 
-- `secrets.GITEA_CD_TOKEN` 需手動在 Gitea 建立並設定
+- `secrets.CD_PUSH_TOKEN` 需手動在 Gitea 建立並設定
 - CD pipeline 現在有 `git push` 操作，需確保 runner 有網路存取 Gitea (192.168.0.110:3001)
 - ArgoCD `ignoreDifferences` 排除 Deployment image 欄位，否則 ArgoCD 會顯示 OutOfSync
 
 ## 設定清單
 
 - [ ] 在 Gitea 建立 Personal Access Token（write:repository 權限）
-- [ ] 加到 Gitea Repository Secrets: `GITEA_CD_TOKEN`
+- [ ] 加到 Gitea Repository Secrets: `CD_PUSH_TOKEN`
 - [ ] 確認 ArgoCD Application 已建立：`kubectl get app awoooi-prod -n argocd`
 - [ ] 確認 ArgoCD 可存取 Gitea：檢查 ArgoCD Repo Server 網路策略

scripts/ops/backup-from-110.sh

@@ -24,8 +24,9 @@
 # =============================================================================
 set -euo pipefail
 
-LOG="/var/log/backup-from-110.log"
-LAST_SUCCESS_FILE="/var/run/backup-110.last_success"
+BACKUP_ROOT="${BACKUP_ROOT:-/home/ollama/backup/110}"
+LOG="${BACKUP_ROOT}/backup.log"
+LAST_SUCCESS_FILE="${BACKUP_ROOT}/last_success"
 DATE=$(date +%Y%m%d-%H%M%S)
 ERRORS=0
 
@@ -40,7 +41,7 @@ log "Backing up Harbor registry..."
 if rsync -avz --delete \
     -e "ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10" \
     wooo@192.168.0.110:/var/lib/docker/volumes/harbor_harbor-data/_data/ \
-    /backup/110/harbor/ >> "$LOG" 2>&1; then
+    ${BACKUP_ROOT}/harbor/ >> "$LOG" 2>&1; then
     log "✅ Harbor backup OK"
 else
     log "❌ ERROR: Harbor backup failed"
@@ -52,7 +53,7 @@ log "Backing up Gitea repos..."
 if rsync -avz --delete \
     -e "ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10" \
     wooo@192.168.0.110:/var/lib/docker/volumes/gitea_gitea-data/_data/ \
-    /backup/110/gitea/ >> "$LOG" 2>&1; then
+    ${BACKUP_ROOT}/gitea/ >> "$LOG" 2>&1; then
     log "✅ Gitea backup OK"
 else
     log "❌ ERROR: Gitea backup failed"
@@ -66,7 +67,7 @@ if ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=5 \
     if rsync -avz \
         -e "ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10" \
         wooo@192.168.0.110:/home/wooo/bitan-pharmacy.git/ \
-        /backup/110/bitan-pharmacy.git/ >> "$LOG" 2>&1; then
+        ${BACKUP_ROOT}/bitan-pharmacy.git/ >> "$LOG" 2>&1; then
         log "✅ bitan-pharmacy.git backup OK"
     else
         log "⚠️  bitan-pharmacy.git backup failed (non-fatal)"