feat: auto-generate or reuse DEPLOY_TOKEN for local ansible vault

docs/setup-ai-workspace-all-in-one.md

@@ -5,22 +5,22 @@
 > [!TIP]
 > ## ⏳ TL;DR (太长不看版)
 > 
-> **一键标准部署 (无需本地 Ansible 环境，直接在目标机执行)：**
+> **一键标准部署 (无需配置任何前置环境，自带随机密钥保护)：**
 > ```bash
-> curl -sfL https://raw.githubusercontent.com/ai-workspace-infra/playbooks/main/setup-ai-workspace-all-in-one.sh | VAULT_PASS="您的密码" bash -
+> curl -sfL https://raw.githubusercontent.com/ai-workspace-infra/playbooks/main/setup-ai-workspace-all-in-one.sh | bash -
 > ```
 > 
 > **一键极严防御部署 (瘫痪所有外网接口，强制全内网/VPN架构)：**
 > ```bash
-> curl -sfL https://raw.githubusercontent.com/ai-workspace-infra/playbooks/main/setup-ai-workspace-all-in-one.sh | AI_WORKSPACE_SECURITY_LEVEL=strict VAULT_PASS="您的密码" bash -
+> curl -sfL https://raw.githubusercontent.com/ai-workspace-infra/playbooks/main/setup-ai-workspace-all-in-one.sh | AI_WORKSPACE_SECURITY_LEVEL=strict bash -
 > ```
 > 
 > **组合技：极严防御 + 单独开白名单口子 (如仅开放 LiteLLM 接口)：**
 > ```bash
-> curl -sfL https://raw.githubusercontent.com/ai-workspace-infra/playbooks/main/setup-ai-workspace-all-in-one.sh | AI_WORKSPACE_SECURITY_LEVEL=strict LITELLM_API_CADDY_STRICT_WHITELIST=true VAULT_PASS="您的密码" bash -
+> curl -sfL https://raw.githubusercontent.com/ai-workspace-infra/playbooks/main/setup-ai-workspace-all-in-one.sh | AI_WORKSPACE_SECURITY_LEVEL=strict LITELLM_API_CADDY_STRICT_WHITELIST=true bash -
 > ```
 > 
-> **高级定制：一键部署全架构并按需开启可选功能 (如 XRDP)：**
+> **高级定制：一键部署全架构并按需开启可选功能 (如 XRDP，并自定义认证 Token)：**
 > ```bash
 > curl -sfL https://raw.githubusercontent.com/ai-workspace-infra/playbooks/main/setup-ai-workspace-all-in-one.sh | \
 >   XWORKSPACE_CONSOLE_ENABLE_XRDP=true \
@@ -29,7 +29,7 @@
 >   GATEWAY_OPENCLAW_PUBLIC_ACCESS=false \
 >   VAULT_PUBLIC_ACCESS=false \
 >   LITELLM_API_CADDY_STRICT_WHITELIST=true \
->   VAULT_PASS="您的密码" \
+>   DEPLOY_TOKEN="my-secure-custom-token-123" \
 >   bash -
 > ```
 

setup-ai-workspace-all-in-one.sh

@@ -87,25 +87,31 @@ append_var "GATEWAY_OPENCLAW_PUBLIC_ACCESS"     "gateway_openclaw_public_access"
 append_var "VAULT_PUBLIC_ACCESS"                "vault_public_access"
 append_var "XWORKSPACE_CONSOLE_ENABLE_XRDP"     "xworkspace_console_enable_xrdp"
 
-# 4. Handle Vault Password
-VAULT_OPT=""
-if [ -n "$VAULT_PASS" ]; then
-    VAULT_FILE=$(mktemp)
-    echo "$VAULT_PASS" > "$VAULT_FILE"
-    VAULT_OPT="--vault-password-file $VAULT_FILE"
-    info "Vault password provided via environment."
+# 4. Handle Vault Password (Auth Token)
+# If DEPLOY_TOKEN is provided, use it. Otherwise, generate a random one or reuse existing.
+VAULT_FILE="$HOME/.vault_password"
+
+if [ -n "$DEPLOY_TOKEN" ]; then
+    echo "$DEPLOY_TOKEN" > "$VAULT_FILE"
+    info "Using provided DEPLOY_TOKEN as the Vault password."
+elif [ -f "$VAULT_FILE" ]; then
+    info "Found existing Vault password at $VAULT_FILE, reusing it."
+else
+    info "No DEPLOY_TOKEN provided and no existing vault password found. Generating a secure random token..."
+    # Generate a random 32-character token
+    openssl rand -base64 32 > "$VAULT_FILE"
+    info "Generated new Vault password and saved to $VAULT_FILE"
 fi
 
+# Ensure correct permissions for the vault file
+chmod 600 "$VAULT_FILE"
+VAULT_OPT="--vault-password-file $VAULT_FILE"
+
 # 5. Run Ansible Playbook locally
 info "Running Ansible Playbook locally..."
 eval "ansible-playbook -i '127.0.0.1,' -c local setup-ai-workspace-all-in-one.yml $VAULT_OPT $ANSIBLE_EXTRA_VARS"
 RET=$?
 
-# Clean up vault file
-if [ -n "$VAULT_OPT" ]; then
-    rm -f "$VAULT_FILE"
-fi
-
 if [ $RET -eq 0 ]; then
     success "AI Workspace deployed successfully!"
 else