awoooi/scripts/ops/ansible-validate.sh


#!/usr/bin/env bash
# Validate the AWOOOI Ansible assets from a developer machine or from CI.

# Strict mode: stop on a failing command, an unset variable, or a failed
# pipeline stage, so a broken check cannot be followed by an "OK" line.
set -o errexit -o nounset -o pipefail

# This script sits two directories below the repository root. Every path used
# further down is relative to that root, so resolve it and change into it.
script_dir="$(dirname "${BASH_SOURCE[0]}")"
ROOT_DIR="$(cd "$script_dir/../.." && pwd)"
cd "$ROOT_DIR"

# Put the repository's own roles first on the Ansible roles search path and
# keep whatever roles path the caller already had, if any.
if [[ -n "${ANSIBLE_ROLES_PATH:-}" ]]; then
  ANSIBLE_ROLES_PATH="$ROOT_DIR/infra/ansible/roles:$ANSIBLE_ROLES_PATH"
else
  ANSIBLE_ROLES_PATH="$ROOT_DIR/infra/ansible/roles"
fi
export ANSIBLE_ROLES_PATH
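echo "== YAML 解析 =="
# Parse-only gate: every listed YAML file must load without a parser error.
# This proves the files are well-formed YAML, not that an Ansible play, a
# workflow or an alert rule inside them is semantically valid.
python3 - <<'PY'
from pathlib import Path

import yaml

# Directory trees searched recursively for *.yml, in reporting order.
roots = ("infra/ansible", "ops/reboot-recovery", ".gitea/workflows")
paths = [p for root in roots for p in sorted(Path(root).rglob("*.yml"))]
# A single file that lives outside those trees.
paths.append(Path("ops/monitoring/alerts-unified.yml"))

for path in paths:
    # Open as bytes so the YAML reader decodes the file itself (UTF-8 unless
    # a BOM says otherwise) instead of depending on the runner's locale.
    with path.open("rb") as fh:
        # safe_load builds plain Python data only; it never instantiates
        # arbitrary objects from YAML tags, which matters because these
        # files come from the repository under test.
        yaml.safe_load(fh)
    print(f"YAML_OK {path}")
PY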
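echo "== Shell 語法 =="
# `bash -n FILE ARG...` parses FILE only; every further argument becomes a
# positional parameter of that script and is never read. Passing the whole
# list to one `bash -n` therefore checked just the first entry, so each script
# gets its own invocation here. A script that was silently skipped before can
# now fail this gate; that is the intended effect.
shell_scripts=(
  scripts/reboot-recovery/full-stack-cold-start-check.sh
  scripts/reboot-recovery/full-stack-recovery-scorecard.sh
  scripts/reboot-recovery/dr-offsite-operator-checklist.sh
  scripts/reboot-recovery/wait-dr-offsite-ready.sh
  scripts/reboot-recovery/cold-start-textfile-exporter.sh
  scripts/reboot-recovery/install-cold-start-monitor-110.sh
  scripts/reboot-recovery/reboot-recovery-readiness-audit.sh
  scripts/reboot-recovery/verify-cold-start-monitor-deploy.sh
  scripts/reboot-recovery/p3-controlled-release-gate.sh
  scripts/ops/bootstrap-ansible-validation-env.sh
  scripts/ops/deploy-alerts.sh
  scripts/cron_backup_restore_test.sh
  scripts/backup/common.sh
  scripts/backup/backup-all.sh
  scripts/backup/backup-status.sh
  scripts/backup/backup-gitea.sh
  scripts/backup/backup-harbor.sh
  scripts/backup/backup-momo.sh
  scripts/backup/backup-awoooi.sh
  scripts/backup/backup-awoooi-frequent.sh
  scripts/backup/backup-langfuse.sh
  scripts/backup/backup-monitoring.sh
  scripts/backup/backup-signoz.sh
  scripts/backup/backup-open-webui.sh
  scripts/backup/backup-clawbot.sh
  scripts/backup/backup-configs.sh
  scripts/backup/backup-momo-188-pg.sh
  scripts/backup/backup-sentry.sh
  scripts/backup/backup-ai-artifacts.sh
  scripts/backup/backup-public-routes.sh
  scripts/backup/configure-offsite-rclone.sh
  scripts/backup/configure-offsite-b2.sh
  scripts/backup/sync-offsite-backups.sh
  scripts/backup/backup-offsite-readiness-gate.sh
  scripts/backup/offsite-escrow-evidence-report.sh
  scripts/backup/verify-offsite-full-sync.sh
  scripts/backup/mark-credential-escrow-verified.sh
  scripts/backup/check-backup-integrity.sh
)
for shell_script in "${shell_scripts[@]}"; do
  # -n reads and parses the script without executing it. The explicit exit
  # stops at the first script that is missing or fails to parse, so the OK
  # line below is never printed after a failure.
  bash -n "$shell_script" || exit 1
done
echo "Shell 語法 OK"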
echo "== Python 語法 =="
# Byte-compile the exporters and contract checkers in one py_compile run;
# this surfaces syntax errors without running any of the scripts.
python_sources=(
  scripts/ops/docker-stats-textfile-exporter.py
  scripts/ops/systemd-units-textfile-exporter.py
  scripts/ops/storage-health-textfile-exporter.py
  scripts/ops/backup-health-textfile-exporter.py
  scripts/ops/backup-alert-label-contract-check.py
  scripts/ops/backup-alert-live-visibility-check.py
  scripts/ops/recovery-scorecard-contract-check.py
  scripts/ops/doc-secrets-sanity-check.py
)
python3 -m py_compile "${python_sources[@]}"
echo "Python 語法 OK"
# Print a section banner, then run one repository check script with python3.
# Arguments: $1 - banner title, $2 - path of the check script.
# The script's exit status is the function's status, so a failing check stops
# the run under the file's errexit setting.
run_check() {
  echo "== $1 =="
  python3 "$2"
}

# What each checker enforces is defined in the script itself, not here.
# NOTE(review): going by its name, the first one looks for secrets in the
# documentation; confirm against the script.
run_check "文件 Secrets 檢查" scripts/ops/doc-secrets-sanity-check.py
run_check "備份告警 Label 合約" scripts/ops/backup-alert-label-contract-check.py
run_check "Recovery scorecard 合約" scripts/ops/recovery-scorecard-contract-check.py
# Without ansible-playbook on PATH the remaining steps are skipped.
# NOTE(review): this exits 0, so a runner that lacks Ansible reports success
# without having run the syntax-check or the ansible-lint step that follows.
# If this script gates CI, make sure the CI image ships Ansible, or treat the
# WARN line as a failure there.
command -v ansible-playbook >/dev/null 2>&1 || {
  echo "WARN ansible-playbook 未安裝;已略過 Ansible syntax-check"
  exit 0
}

echo "== Ansible syntax-check =="
inventory=infra/ansible/inventory/hosts.yml
playbooks=(
  infra/ansible/playbooks/site.yml
  infra/ansible/playbooks/110-devops.yml
  infra/ansible/playbooks/188-ai-web.yml
  infra/ansible/playbooks/nginx-sync.yml
)
for playbook in "${playbooks[@]}"; do
  # --syntax-check parses the playbook against the inventory without
  # executing any task on the hosts.
  ansible-playbook -i "$inventory" "$playbook" --syntax-check
done
# ansible-lint is optional: when it is not installed the step is skipped with
# a warning and the script still ends successfully.
if ! command -v ansible-lint >/dev/null 2>&1; then
  echo "WARN ansible-lint 未安裝;已略過 ansible-lint"
else
  echo "== ansible-lint =="
  # The reboot-readiness gate cares about syntax and loader safety, not about
  # historical style churn. The minimum profile keeps existing naming debt
  # from blocking the cold-start recovery gate; style cleanup belongs in a
  # separate refactor.
  ansible-lint --profile min infra/ansible/playbooks/
fi