{ "certificate_paths": [ "/etc/letsencrypt/live/aiops.wooo.work/fullchain.pem", "/etc/letsencrypt/live/bitan.wooo.work/fullchain.pem", "/etc/letsencrypt/live/gitlab.wooo.work/fullchain.pem", "/etc/letsencrypt/live/harbor.wooo.work/fullchain.pem", "/etc/letsencrypt/live/mo.wooo.work/fullchain.pem", "/etc/letsencrypt/live/registry.wooo.work/fullchain.pem", "/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem", "/etc/letsencrypt/live/stock.wooo.work/fullchain.pem", "/etc/letsencrypt/live/vtuber.wooo.work/fullchain.pem", "/etc/letsencrypt/live/www.tsenyang.com/fullchain.pem" ], "execution_boundaries": { "action_buttons_allowed": false, "certbot_renew_executed": false, "dns_query_executed": false, "host_write_executed": false, "live_tls_probe_executed": false, "nginx_reload_executed": false, "runtime_gate_opened": false, "secret_value_collected": false }, "generated_at": "2026-06-11T18:40:00+08:00", "git_commit": "99efc627", "managed_domains": [ { "acme_challenge_present": false, "acme_challenge_roots": [], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/aiops.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "aiops.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/aiops.wooo.work/fullchain.pem" ], "config_ids": [ "host188_all_sites" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "aiops.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "/etc/nginx/sites-enabled/all-sites.conf" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_all_sites#1", "host188_all_sites#2" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://192.168.0.125:32334/api/", "http://192.168.0.125:32334/api/v1/ws", "http://192.168.0.125:32335" ], "websocket_route_count": 1 }, { "acme_challenge_present": false, "acme_challenge_roots": [], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/bitan.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "bitan.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/bitan.wooo.work/fullchain.pem" ], "config_ids": [ "host188_all_sites" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "bitan.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "/etc/nginx/sites-enabled/all-sites.conf" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_all_sites#12", "host188_all_sites#13" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://192.168.0.110:3003" ], "websocket_route_count": 1 }, { "acme_challenge_present": true, "acme_challenge_roots": [ "/var/www/certbot" ], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/sentry.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": true, "certificate_path_domains": [ "sentry.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem" ], "config_ids": [ "host188_internal_tools_https" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "gitea.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "owner_confirmation_required" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_owner_confirmation_required", "server_block_refs": [ "host188_internal_tools_https#1", "host188_internal_tools_https#5" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://192.168.0.110:3001" ], "websocket_route_count": 1 }, { "acme_challenge_present": false, "acme_challenge_roots": [], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/gitlab.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "gitlab.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/gitlab.wooo.work/fullchain.pem" ], "config_ids": [ "host188_all_sites" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "gitlab.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "/etc/nginx/sites-enabled/all-sites.conf" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_all_sites#3", "host188_all_sites#4" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://192.168.0.110:8929" ], "websocket_route_count": 0 }, { "acme_challenge_present": true, "acme_challenge_roots": [ "/var/www/certbot" ], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/harbor.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "harbor.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/harbor.wooo.work/fullchain.pem" ], "config_ids": [ "host188_internal_tools_https" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "harbor.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "owner_confirmation_required" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_internal_tools_https#1", "host188_internal_tools_https#7" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://192.168.0.110:5000" ], "websocket_route_count": 0 }, { "acme_challenge_present": true, "acme_challenge_roots": [ "/var/www/certbot" ], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/sentry.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": true, "certificate_path_domains": [ "sentry.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem" ], "config_ids": [ "host188_internal_tools_https" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "langfuse.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "owner_confirmation_required" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_owner_confirmation_required", "server_block_refs": [ "host188_internal_tools_https#1", "host188_internal_tools_https#6" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://192.168.0.110:3100" ], "websocket_route_count": 0 }, { "acme_challenge_present": false, "acme_challenge_roots": [], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/mo.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "mo.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/mo.wooo.work/fullchain.pem" ], "config_ids": [ "host188_all_sites" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "mo.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "/etc/nginx/sites-enabled/all-sites.conf" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_all_sites#10", "host188_all_sites#11" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://127.0.0.1:5003" ], "websocket_route_count": 0 }, { "acme_challenge_present": true, "acme_challenge_roots": [ "/var/www/certbot" ], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/registry.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "registry.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/registry.wooo.work/fullchain.pem" ], "config_ids": [ "host188_internal_tools_https" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "registry.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "owner_confirmation_required" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_internal_tools_https#1", "host188_internal_tools_https#8" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://192.168.0.110:5000" ], "websocket_route_count": 0 }, { "acme_challenge_present": true, "acme_challenge_roots": [ "/var/www/certbot" ], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/sentry.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "sentry.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem" ], "config_ids": [ "host188_internal_tools_https" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "sentry.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "owner_confirmation_required" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_internal_tools_https#1", "host188_internal_tools_https#4" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://192.168.0.110:9000" ], "websocket_route_count": 0 }, { "acme_challenge_present": false, "acme_challenge_roots": [], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/sentry.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": true, "certificate_path_domains": [ "sentry.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem" ], "config_ids": [ "host188_all_sites", "host188_internal_tools_https" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "signoz.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "/etc/nginx/sites-enabled/all-sites.conf", "owner_confirmation_required" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_owner_confirmation_required", "server_block_refs": [ "host188_all_sites#5", "host188_internal_tools_https#2" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2", "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://127.0.0.1:3301" ], "websocket_route_count": 1 }, { "acme_challenge_present": true, "acme_challenge_roots": [ "/var/www/certbot", "/var/www/html" ], "admin_route_count": 2, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/stock.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "stock.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/stock.wooo.work/fullchain.pem" ], "config_ids": [ "host188_all_sites", "host188_internal_tools_https" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "stock.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "/etc/nginx/sites-enabled/all-sites.conf", "owner_confirmation_required" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_all_sites#8", "host188_all_sites#9", "host188_internal_tools_https#1", "host188_internal_tools_https#3" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2", "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://192.168.0.110:31235" ], "websocket_route_count": 2 }, { "acme_challenge_present": false, "acme_challenge_roots": [], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/www.tsenyang.com/privkey.pem" ], "certificate_owner_confirmation_required": true, "certificate_path_domains": [ "www.tsenyang.com" ], "certificate_paths": [ "/etc/letsencrypt/live/www.tsenyang.com/fullchain.pem" ], "config_ids": [ "host188_all_sites" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "tsenyang.com", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "/etc/nginx/sites-enabled/all-sites.conf" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_owner_confirmation_required", "server_block_refs": [ "host188_all_sites#6", "host188_all_sites#7" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://127.0.0.1:3000" ], "websocket_route_count": 0 }, { "acme_challenge_present": true, "acme_challenge_roots": [ "/var/www/html" ], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/vtuber.wooo.work/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "vtuber.wooo.work" ], "certificate_paths": [ "/etc/letsencrypt/live/vtuber.wooo.work/fullchain.pem" ], "config_ids": [ "host188_all_sites" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "vtuber.wooo.work", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl", "80" ], "live_paths": [ "/etc/nginx/sites-enabled/all-sites.conf" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_all_sites#14", "host188_all_sites#15" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "https://192.168.0.110" ], "websocket_route_count": 1 }, { "acme_challenge_present": false, "acme_challenge_roots": [], "admin_route_count": 0, "certbot_renewal_status": "not_executed", "certificate_key_paths": [ "/etc/letsencrypt/live/www.tsenyang.com/privkey.pem" ], "certificate_owner_confirmation_required": false, "certificate_path_domains": [ "www.tsenyang.com" ], "certificate_paths": [ "/etc/letsencrypt/live/www.tsenyang.com/fullchain.pem" ], "config_ids": [ "host188_all_sites" ], "control_tier": "C0", "dns_resolution_status": "not_executed", "domain": "www.tsenyang.com", "hosts": [ "192.168.0.188" ], "listens": [ "443 ssl http2", "80" ], "live_paths": [ "/etc/nginx/sites-enabled/all-sites.conf" ], "live_tls_probe_status": "not_executed", "owner_review_status": "repo_only_ready_for_owner_review", "server_block_refs": [ "host188_all_sites#6", "host188_all_sites#7" ], "source_paths": [ "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2" ], "tls_certificate_path_present": true, "upstreams": [ "http://127.0.0.1:3000" ], "websocket_route_count": 0 } ], "mode": "repo_only_from_nginx_source_of_truth", "next_steps": [ "請 owner 確認 certificate path 是否由 SAN 或 wildcard 合法覆蓋;未確認前不得 renew 或 reload。", "未來若要做 live TLS / DNS probe,需另行 scope approval;本清冊只保留 repo-only 證據。", "任何 certbot renew、Nginx reload 或 DNS 變更都必須另開維護窗口、rollback owner 與 post-check。" ], "owner_confirmation_required_domains": [ { "certificate_path_domains": [ "sentry.wooo.work" ], "domain": "gitea.wooo.work", "owner_review_status": "repo_only_owner_confirmation_required", "tls_certificate_path_present": true }, { "certificate_path_domains": [ "sentry.wooo.work" ], "domain": "langfuse.wooo.work", "owner_review_status": "repo_only_owner_confirmation_required", "tls_certificate_path_present": true }, { "certificate_path_domains": [ "sentry.wooo.work" ], "domain": "signoz.wooo.work", "owner_review_status": "repo_only_owner_confirmation_required", "tls_certificate_path_present": true }, { "certificate_path_domains": [ "www.tsenyang.com" ], "domain": "tsenyang.com", "owner_review_status": "repo_only_owner_confirmation_required", "tls_certificate_path_present": true } ], "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "followup_owner", "rollback_owner", "maintenance_window", "validation_plan" ], "schema_version": "domain_tls_certbot_inventory_v1", "source_nginx_report": "docs/security/nginx-config-drift-repo.snapshot.json", "summary": { "acme_challenge_domain_count": 7, "action_buttons_allowed": false, "admin_route_domain_count": 1, "certbot_renew_executed": false, "certificate_owner_confirmation_required_count": 4, "dns_change_executed": false, "live_tls_probe_executed": false, "managed_domain_count": 14, "nginx_reload_executed": false, "owner_response_accepted_count": 0, "owner_response_received_count": 0, "owner_response_request_sent_count": 0, "runtime_gate_count": 0, "source_config_count": 3, "unique_certificate_path_count": 10, "websocket_route_domain_count": 6 } }