fix(recovery): remove 188 deploy sudo secret
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Failing after 3m13s
CD Pipeline / build-and-deploy (push) Has been skipped
CD Pipeline / post-deploy-checks (push) Has been skipped

Your Name
2026-06-30 22:40:24 +08:00
parent 1c3c7279ac
commit b474f80c66
3 changed files with 30 additions and 11 deletions


@@ -3,8 +3,7 @@
# 執行方式: bash deploy-to-188.sh
set -euo pipefail
HOST="ollama@192.168.0.188"
PASS="0936223270"
HOST="${HOST:-ollama@192.168.0.188}"
echo "=== 部署 awoooi-startup 到 192.168.0.188 ==="
@@ -18,16 +17,22 @@ scp awoooi-startup.service "$HOST:/tmp/awoooi-startup.service"
# 3. 安裝
echo "[3/4] 安裝..."
ssh "$HOST" "
echo '$PASS' | sudo -S bash -c '
cp /tmp/awoooi-startup.sh /usr/local/bin/awoooi-startup.sh
chmod +x /usr/local/bin/awoooi-startup.sh
cp /tmp/awoooi-startup.service /etc/systemd/system/awoooi-startup.service
systemctl daemon-reload
systemctl enable awoooi-startup.service
echo done
ssh "$HOST" 'set -euo pipefail
if sudo -n true >/dev/null 2>&1; then
SUDO="sudo -n"
elif [ "${AWOOOI_ALLOW_INTERACTIVE_SUDO:-0}" = "1" ] && [ -t 0 ]; then
SUDO="sudo"
else
echo "BLOCKED sudo_password_required_passwordless_sudo_or_tty_required" >&2
exit 77
fi
$SUDO install -m 0755 /tmp/awoooi-startup.sh /usr/local/bin/awoooi-startup.sh
$SUDO install -m 0644 /tmp/awoooi-startup.service /etc/systemd/system/awoooi-startup.service
$SUDO systemctl daemon-reload
$SUDO systemctl enable awoooi-startup.service
echo done
'
"
# 4. 驗證
echo "[4/4] 驗證安裝..."
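Review bot: The interactive fallback in the new remote script looks unreachable: `ssh "$HOST" '…'` runs the command without a pty, so `[ -t 0 ]` is false on the remote side, and because the script is single-quoted, `${AWOOOI_ALLOW_INTERACTIVE_SUDO:-0}` is expanded on the host, where the operator's local value is absent unless sshd is configured to accept it. If the fallback is meant to work, decide it locally: add `-t` to the ssh call and prefix the remote script with `AWOOOI_ALLOW_INTERACTIVE_SUDO=1` when the local flag is set. Otherwise drop the branch and add a comment such as `# passwordless sudo is the only supported path; exit 77 means it is not configured`. Separately, the password literal removed in the first hunk remains in repository history, so that sudo password should be treated as exposed and rotated on the host. The `install` lines also still read from fixed names in `/tmp` (the `scp` steps sit outside the hunk), so staging the files in a directory only the deploy user can write would be a sensible follow-up.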


@@ -7,6 +7,7 @@ ROOT = Path(__file__).resolve().parents[3]
SCRIPT = ROOT / "scripts" / "reboot-recovery" / "188-host-hygiene-maintenance-checklist.sh"
STARTUP_188 = ROOT / "scripts" / "reboot-recovery" / "awoooi-startup.sh"
STARTUP_188_SERVICE = ROOT / "scripts" / "reboot-recovery" / "awoooi-startup.service"
DEPLOY_188 = ROOT / "scripts" / "reboot-recovery" / "deploy-to-188.sh"
def test_188_and_110_default_to_reachable_runtime_identities() -> None:
@@ -49,3 +50,13 @@ def test_188_startup_unit_timeout_matches_reboot_slo() -> None:
text = STARTUP_188_SERVICE.read_text(encoding="utf-8")
assert "TimeoutStartSec=600" in text
def test_188_deploy_helper_does_not_embed_sudo_password() -> None:
text = DEPLOY_188.read_text(encoding="utf-8")
assert "sudo -S" not in text
assert "PASS=" not in text
assert "PASSWORD" not in text
assert "sudo -n true" in text
assert "BLOCKED sudo_password_required_passwordless_sudo_or_tty_required" in text
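Review bot: The negative assertions in `test_188_deploy_helper_does_not_embed_sudo_password` guard against only one spelling of the problem: `"sudo -S"`, `"PASS="` and `"PASSWORD"` would not catch a credential reintroduced through `sudo --stdin`, through `sshpass`, or under another variable name, and `"PASS="` would also trip on an unrelated name such as `BYPASS=`. Consider adding `assert "--stdin" not in text` and `assert "sshpass" not in text`. A one-line docstring would also help, for example `"""deploy-to-188.sh must rely on passwordless sudo and never carry a credential."""`. A name-based check like this complements secret scanning on the repository but does not replace it.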