awoooi/docs/security/domain-tls-certbot-inventory.snapshot.json
feat(security): 新增 DNS TLS 只讀清冊
2026-06-11 18:40:54 +08:00

{
"certificate_paths": [
"/etc/letsencrypt/live/aiops.wooo.work/fullchain.pem",
"/etc/letsencrypt/live/bitan.wooo.work/fullchain.pem",
"/etc/letsencrypt/live/gitlab.wooo.work/fullchain.pem",
"/etc/letsencrypt/live/harbor.wooo.work/fullchain.pem",
"/etc/letsencrypt/live/mo.wooo.work/fullchain.pem",
"/etc/letsencrypt/live/registry.wooo.work/fullchain.pem",
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem",
"/etc/letsencrypt/live/stock.wooo.work/fullchain.pem",
"/etc/letsencrypt/live/vtuber.wooo.work/fullchain.pem",
"/etc/letsencrypt/live/www.tsenyang.com/fullchain.pem"
],
"execution_boundaries": {
"action_buttons_allowed": false,
"certbot_renew_executed": false,
"dns_query_executed": false,
"host_write_executed": false,
"live_tls_probe_executed": false,
"nginx_reload_executed": false,
"runtime_gate_opened": false,
"secret_value_collected": false
},
"generated_at": "2026-06-11T18:40:00+08:00",
"git_commit": "99efc627",
"managed_domains": [
{
"acme_challenge_present": false,
"acme_challenge_roots": [],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/aiops.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"aiops.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/aiops.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_all_sites"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "aiops.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_all_sites#1",
"host188_all_sites#2"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://192.168.0.125:32334/api/",
"http://192.168.0.125:32334/api/v1/ws",
"http://192.168.0.125:32335"
],
"websocket_route_count": 1
},
{
"acme_challenge_present": false,
"acme_challenge_roots": [],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/bitan.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"bitan.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/bitan.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_all_sites"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "bitan.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_all_sites#12",
"host188_all_sites#13"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://192.168.0.110:3003"
],
"websocket_route_count": 1
},
{
"acme_challenge_present": true,
"acme_challenge_roots": [
"/var/www/certbot"
],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": true,
"certificate_path_domains": [
"sentry.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_internal_tools_https"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "gitea.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"owner_confirmation_required"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_owner_confirmation_required",
"server_block_refs": [
"host188_internal_tools_https#1",
"host188_internal_tools_https#5"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://192.168.0.110:3001"
],
"websocket_route_count": 1
},
{
"acme_challenge_present": false,
"acme_challenge_roots": [],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/gitlab.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"gitlab.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/gitlab.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_all_sites"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "gitlab.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_all_sites#3",
"host188_all_sites#4"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://192.168.0.110:8929"
],
"websocket_route_count": 0
},
{
"acme_challenge_present": true,
"acme_challenge_roots": [
"/var/www/certbot"
],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/harbor.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"harbor.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/harbor.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_internal_tools_https"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "harbor.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"owner_confirmation_required"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_internal_tools_https#1",
"host188_internal_tools_https#7"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://192.168.0.110:5000"
],
"websocket_route_count": 0
},
{
"acme_challenge_present": true,
"acme_challenge_roots": [
"/var/www/certbot"
],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": true,
"certificate_path_domains": [
"sentry.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_internal_tools_https"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "langfuse.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"owner_confirmation_required"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_owner_confirmation_required",
"server_block_refs": [
"host188_internal_tools_https#1",
"host188_internal_tools_https#6"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://192.168.0.110:3100"
],
"websocket_route_count": 0
},
{
"acme_challenge_present": false,
"acme_challenge_roots": [],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/mo.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"mo.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/mo.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_all_sites"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "mo.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_all_sites#10",
"host188_all_sites#11"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://127.0.0.1:5003"
],
"websocket_route_count": 0
},
{
"acme_challenge_present": true,
"acme_challenge_roots": [
"/var/www/certbot"
],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/registry.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"registry.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/registry.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_internal_tools_https"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "registry.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"owner_confirmation_required"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_internal_tools_https#1",
"host188_internal_tools_https#8"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://192.168.0.110:5000"
],
"websocket_route_count": 0
},
{
"acme_challenge_present": true,
"acme_challenge_roots": [
"/var/www/certbot"
],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"sentry.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_internal_tools_https"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "sentry.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"owner_confirmation_required"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_internal_tools_https#1",
"host188_internal_tools_https#4"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://192.168.0.110:9000"
],
"websocket_route_count": 0
},
{
"acme_challenge_present": false,
"acme_challenge_roots": [],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": true,
"certificate_path_domains": [
"sentry.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_all_sites",
"host188_internal_tools_https"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "signoz.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf",
"owner_confirmation_required"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_owner_confirmation_required",
"server_block_refs": [
"host188_all_sites#5",
"host188_internal_tools_https#2"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2",
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://127.0.0.1:3301"
],
"websocket_route_count": 1
},
{
"acme_challenge_present": true,
"acme_challenge_roots": [
"/var/www/certbot",
"/var/www/html"
],
"admin_route_count": 2,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/stock.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"stock.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/stock.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_all_sites",
"host188_internal_tools_https"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "stock.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf",
"owner_confirmation_required"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_all_sites#8",
"host188_all_sites#9",
"host188_internal_tools_https#1",
"host188_internal_tools_https#3"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2",
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://192.168.0.110:31235"
],
"websocket_route_count": 2
},
{
"acme_challenge_present": false,
"acme_challenge_roots": [],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/www.tsenyang.com/privkey.pem"
],
"certificate_owner_confirmation_required": true,
"certificate_path_domains": [
"www.tsenyang.com"
],
"certificate_paths": [
"/etc/letsencrypt/live/www.tsenyang.com/fullchain.pem"
],
"config_ids": [
"host188_all_sites"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "tsenyang.com",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_owner_confirmation_required",
"server_block_refs": [
"host188_all_sites#6",
"host188_all_sites#7"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://127.0.0.1:3000"
],
"websocket_route_count": 0
},
{
"acme_challenge_present": true,
"acme_challenge_roots": [
"/var/www/html"
],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/vtuber.wooo.work/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"vtuber.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/vtuber.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_all_sites"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "vtuber.wooo.work",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl",
"80"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_all_sites#14",
"host188_all_sites#15"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"https://192.168.0.110"
],
"websocket_route_count": 1
},
{
"acme_challenge_present": false,
"acme_challenge_roots": [],
"admin_route_count": 0,
"certbot_renewal_status": "not_executed",
"certificate_key_paths": [
"/etc/letsencrypt/live/www.tsenyang.com/privkey.pem"
],
"certificate_owner_confirmation_required": false,
"certificate_path_domains": [
"www.tsenyang.com"
],
"certificate_paths": [
"/etc/letsencrypt/live/www.tsenyang.com/fullchain.pem"
],
"config_ids": [
"host188_all_sites"
],
"control_tier": "C0",
"dns_resolution_status": "not_executed",
"domain": "www.tsenyang.com",
"hosts": [
"192.168.0.188"
],
"listens": [
"443 ssl http2",
"80"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf"
],
"live_tls_probe_status": "not_executed",
"owner_review_status": "repo_only_ready_for_owner_review",
"server_block_refs": [
"host188_all_sites#6",
"host188_all_sites#7"
],
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2"
],
"tls_certificate_path_present": true,
"upstreams": [
"http://127.0.0.1:3000"
],
"websocket_route_count": 0
}
],
"mode": "repo_only_from_nginx_source_of_truth",
"next_steps": [
"請 owner 確認 certificate path 是否由 SAN 或 wildcard 合法覆蓋;未確認前不得 renew 或 reload。",
"未來若要做 live TLS / DNS probe，需另行 scope approval;本清冊只保留 repo-only 證據。",
"任何 certbot renew、Nginx reload 或 DNS 變更都必須另開維護窗口、rollback owner 與 post-check。"
],
"owner_confirmation_required_domains": [
{
"certificate_path_domains": [
"sentry.wooo.work"
],
"domain": "gitea.wooo.work",
"owner_review_status": "repo_only_owner_confirmation_required",
"tls_certificate_path_present": true
},
{
"certificate_path_domains": [
"sentry.wooo.work"
],
"domain": "langfuse.wooo.work",
"owner_review_status": "repo_only_owner_confirmation_required",
"tls_certificate_path_present": true
},
{
"certificate_path_domains": [
"sentry.wooo.work"
],
"domain": "signoz.wooo.work",
"owner_review_status": "repo_only_owner_confirmation_required",
"tls_certificate_path_present": true
},
{
"certificate_path_domains": [
"www.tsenyang.com"
],
"domain": "tsenyang.com",
"owner_review_status": "repo_only_owner_confirmation_required",
"tls_certificate_path_present": true
}
],
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"schema_version": "domain_tls_certbot_inventory_v1",
"source_nginx_report": "docs/security/nginx-config-drift-repo.snapshot.json",
"summary": {
"acme_challenge_domain_count": 7,
"action_buttons_allowed": false,
"admin_route_domain_count": 1,
"certbot_renew_executed": false,
"certificate_owner_confirmation_required_count": 4,
"dns_change_executed": false,
"live_tls_probe_executed": false,
"managed_domain_count": 14,
"nginx_reload_executed": false,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"owner_response_request_sent_count": 0,
"runtime_gate_count": 0,
"source_config_count": 3,
"unique_certificate_path_count": 10,
"websocket_route_domain_count": 6
}
}