wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 3 Packages Projects Releases Wiki Activity
Files
e3bad588425c8a4805c033261a8ff96ebaf61ba8
awoooi/scripts/host-ops/awoooi-wrapper.sudoers
OG T 2d43751729
Some checks failed
CD Pipeline / build-and-deploy (push) Successful in 12m17s
Details
run-migration / migrate (push) Failing after 14s
Details
feat(ops): ADR-090-B 零信任收尾範本 — wrapper / sudoers / migrator / CI 
2026-04-18 台北時區 —— ogt + Claude Opus 4.7 (1M)

本 commit 響應本 Session 兩次憑證外洩事故
(feedback_secrets_leak_incidents_2026-04-18.md),
交付統帥可直接部署的零信任基礎設施範本.

檔案清單:

1. scripts/host-ops/awoooi-hosts-add.sh
   - 110 主機 /etc/hosts 白名單 wrapper
   - 只允許預定義主機名,idempotent,帶 IP 格式驗證
   - 安裝: /usr/local/bin/awoooi-hosts-add (root:root 0755)

2. scripts/host-ops/awoooi-wrapper.sudoers
   - 配套 sudoers 規則 (NOPASSWD for wrapper + SIGHUP only)
   - 安裝: /etc/sudoers.d/awoooi-wrapper (root:root 0440)
   - 禁 tee / bash / sh 這類 generic shell access

3. apps/api/migrations/adr090b_awoooi_migrator_role.sql
   - PG 限權角色 awoooi_migrator
   - 只能 DDL (CREATE/ALTER/DROP/INDEX/COMMENT)
   - 明確 REVOKE 所有 DML + default privileges 鎖死
   - 本檔由統帥執行 (需 superuser),不由 Claude 執行

4. k8s/awoooi-prod/awoooi-migrator-secret.template.yaml
   - K8s Secret patch 範本
   - 新增 MIGRATION_DATABASE_URL key (awoooi_migrator 連線串)
   - 與應用 DATABASE_URL 拆開

5. .gitea/workflows/run-migration.yml
   - CI 自動套用新 migration (單 transaction + ON_ERROR_STOP)
   - 用 Gitea secret MIGRATION_DATABASE_URL,不走明碼
   - 每次成功寫一筆 asset_discovery_run (audit trail)

零信任三層防線 (對應 feedback_secrets_leak_incidents):
  L1 對話無密碼 -> wrapper 內建白名單
  L2 操作經 wrapper -> sudoers + awoooi_migrator
  L3 顯示強制遮蔽 -> CI 走 secret,不走 env

本 Session 發現的 3 次憑證外洩全部在 feedback_secrets_leak
memory 登記,並有對應 P0 輪替計畫.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 13:23:39 +08:00

28 lines
1.3 KiB
Plaintext
Raw Blame History

# AWOOOI L4 自動化代理人最小權限 sudoers (ADR-090)
# 建立時間: 2026-04-18 台北時區
# 建立者: ogt + Claude Opus 4.7 (1M)
#
# 安裝位置: /etc/sudoers.d/awoooi-wrapper
# 安裝權限: root:root 0440
# 安裝前驗證: sudo visudo -c -f /path/to/this/file
#
# 設計原則:
# - 以 command path 精確指定,不開 tee / bash / sh 這類 generic shell
# - /etc/hosts 經 awoooi-hosts-add wrapper 白名單限制主機名
# - docker kill 只允許 SIGHUP (reload signal),不允許 SIGTERM/KILL
# - 不放 systemctl / apt / reboot / shutdown 任何系統級指令
# 1. /etc/hosts 白名單式寫入 (wrapper 自己驗證主機名)
wooo ALL=(root) NOPASSWD: /usr/local/bin/awoooi-hosts-add
# 2. Prometheus / Blackbox / Alertmanager config reload (SIGHUP only)
wooo ALL=(root) NOPASSWD: /usr/bin/docker kill -s SIGHUP prometheus
wooo ALL=(root) NOPASSWD: /usr/bin/docker kill -s SIGHUP blackbox-exporter
wooo ALL=(root) NOPASSWD: /usr/bin/docker kill -s SIGHUP alertmanager
# 3. Prometheus / Alertmanager config 檔驗證 (只讀,防禦性)
wooo ALL=(root) NOPASSWD: /usr/bin/docker exec prometheus promtool check config /etc/prometheus/prometheus.yml
wooo ALL=(root) NOPASSWD: /usr/bin/docker exec alertmanager amtool check-config /etc/alertmanager/alertmanager.yml
# 註: 未來新增命令必經 git commit 的 PR review,不可直接手動加
Reference in New Issue View Git Blame Copy Permalink