From a0b27a7aee1ebb9d0d32c9024b95e20b479a84e9 Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Fri, 19 Jun 2026 18:09:16 +0800
Subject: [PATCH] chore: commit pending infra playbook changes including ssh initialization script

---
 roles/github/README.md | 26 ++++++++++++++++---
 roles/github/defaults/main.yml | 5 +++-
 roles/github/vars/main.yml | 10 +++----
 .../vhosts/acp_server_gemini/tasks/config.yml | 2 +-
 roles/vhosts/common/files/init_ssh_key.exp | 26 +++++++++++++++++++
 5 files changed, 58 insertions(+), 11 deletions(-)
 create mode 100755 roles/vhosts/common/files/init_ssh_key.exp

diff --git a/roles/github/README.md b/roles/github/README.md
index 1fe48aa..bd468d6 100644
--- a/roles/github/README.md
+++ b/roles/github/README.md
@@ -5,8 +5,8 @@ This role manages GitHub Organization Rulesets to enforce branch protection and
 ## Governance Rules
 ### 1. Global Main Protection
-- **Target:** `main` branch
-- **Inclusion:** All repositories (`~ALL`)
+- **Target:** `{{ github_target_branch }}` branch
+- **Inclusion:** `{{ github_repository_name }}`
 - **Rules:**
 - Prevent deletion.
 - Prevent force pushes (non-fast-forward).
@@ -14,8 +14,8 @@ This role manages GitHub Organization Rulesets to enforce branch protection and
 - Dismiss stale reviews on push.
 ### 2. Global Release Protection
-- **Target:** `release/*` branches
-- **Inclusion:** All repositories (`~ALL`)
+- **Target:** `{{ github_release_branch_pattern }}` branches
+- **Inclusion:** `{{ github_repository_name }}`
 - **Rules:**
 - Prevent deletion.
 - Prevent force pushes.
@@ -37,4 +37,22 @@ ansible-playbook apply-branch-protection.yml
 ## Configuration
 - `github_org_name`: Defined in `defaults/main.yml`.
+- `github_repository_name`: Optional repository scope. Defaults to `~ALL`.
+- `github_target_branch`: Main branch target. Defaults to `main`.
+- `github_release_branch_pattern`: Release branch pattern. Defaults to `release/*`.
 - `github_rulesets`: Defined in `vars/main.yml`.
+
+## Common usage
+
+Target one repository and one release branch:
+
+```bash
+export GITHUB_TOKEN=your_admin_token
+ansible-playbook apply-branch-protection.yml \
+ -e github_org_name=cloud-neutral \
+ -e github_repository_name=xstream-vpn \
+ -e github_target_branch=main \
+ -e github_release_branch_pattern=release/http3-quic-stable
+```
+
+If you want the rule to apply to all repositories in the organization, keep the default `github_repository_name=~ALL`.
diff --git a/roles/github/defaults/main.yml b/roles/github/defaults/main.yml
index 4b2f6e2..9dd99f2 100644
--- a/roles/github/defaults/main.yml
+++ b/roles/github/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
 github_org_name: "cloud-neutral"
 owner: "{{ github_org_name }}"
-repo: ""
\ No newline at end of file
+repo: ""
+github_repository_name: "~ALL"
+github_target_branch: "main"
+github_release_branch_pattern: "release/*"
diff --git a/roles/github/vars/main.yml b/roles/github/vars/main.yml
index d6713b8..0c9a07c 100644
--- a/roles/github/vars/main.yml
+++ b/roles/github/vars/main.yml
@@ -6,11 +6,11 @@ github_rulesets:
 conditions:
 ref_name:
 include:
- - "refs/heads/main"
+ - "refs/heads/{{ github_target_branch }}"
 exclude: []
 repository_name:
 include:
- - "~ALL"
+ - "{{ github_repository_name }}"
 exclude: []
 protected: false
 rules:
@@ -30,11 +30,11 @@ github_rulesets:
 conditions:
 ref_name:
 include:
- - "refs/heads/release/*"
+ - "refs/heads/{{ github_release_branch_pattern }}"
 exclude: []
 repository_name:
 include:
- - "~ALL"
+ - "{{ github_repository_name }}"
 exclude: []
 protected: false
 rules:
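Review bot: Nothing in the new `include:` lists guards against an empty `github_repository_name` or `github_target_branch`: if either is supplied as an empty string (for example `-e github_repository_name=`), the ruleset is created with an include list that matches nothing, so branch protection is silently switched off instead of failing the run. The second hunk of this file (`@@ -30,11 +30,11 @@`) has the same exposure through `github_release_branch_pattern`, and the defaults in defaults/main.yml only cover the unset case, not the empty one. An `ansible.builtin.assert` at the start of the role's task list (not part of this patch) would turn that misconfiguration into a hard failure before the API call is made; the enclosing `github_rulesets:` mapping begins outside the hunk.

```yaml
# first task of the role, before the ruleset is applied
- name: Refuse to apply a ruleset whose scope would match nothing
  ansible.builtin.assert:
    that:
      - github_repository_name | length > 0
      - github_target_branch | length > 0
      - github_release_branch_pattern | length > 0
    fail_msg: "github_repository_name, github_target_branch and github_release_branch_pattern must be non-empty"
```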
@@ -47,4 +47,4 @@ github_rulesets:
 dismiss_stale_reviews_on_push: true
 require_code_owner_reviews: false
 require_last_push_approval: false
- required_review_thread_resolution: false
\ No newline at end of file
+ required_review_thread_resolution: false
diff --git a/roles/vhosts/acp_server_gemini/tasks/config.yml b/roles/vhosts/acp_server_gemini/tasks/config.yml
index a171691..feb958b 100644
--- a/roles/vhosts/acp_server_gemini/tasks/config.yml
+++ b/roles/vhosts/acp_server_gemini/tasks/config.yml
@@ -76,7 +76,7 @@
 - name: Deploy Gemini ACP systemd service
 ansible.builtin.template:
- src: gemini-acp.service.j2
+ src: gemini-acp-adapter.service.j2
 dest: "/etc/systemd/system/{{ acp_gemini_service_name }}.service"
 owner: root
 group: root
diff --git a/roles/vhosts/common/files/init_ssh_key.exp b/roles/vhosts/common/files/init_ssh_key.exp
new file mode 100755
index 0000000..4790277
--- /dev/null
+++ b/roles/vhosts/common/files/init_ssh_key.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+
+if {[llength $argv] != 3} {
+ puts "Usage: ./init_ssh_key.exp "
+ exit 1
+}
+
+set user [lindex $argv 0]
+set host [lindex $argv 1]
+set password [lindex $argv 2]
+
+set timeout 20
+
+spawn ssh-copy-id -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $user@$host
+
+expect {
+ "*assword:*" {
+ send "$password\r"
+ expect eof
+ }
+ "All keys were skipped because they already exist on the remote system." {
+ expect eof
+ }
+ eof {
+ }
+}
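Review bot: The template task now references `gemini-acp-adapter.service.j2`, but this patch neither adds nor renames a file under the role's `templates/` directory (the diffstat lists five files, none of them a template), so unless that template is already present in the tree the task will fail at deploy time with a missing-source error. Worth confirming the template exists, or including it in this commit so the rename is self-contained. The enclosing task list starts before the hunk.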
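Review bot: The `spawn ssh-copy-id -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` line disables host-key verification and discards the key the host presents, so the password and the newly installed public key are handed to whichever machine answers at `$host`, and the script then exits 0 even when the password is rejected because the child's exit status is never consulted and the bare `eof {}` branch swallows a "Permission denied" ending. The password is also taken from `argv`, which is readable by other local users through `ps` and tends to end up in shell history. I would read it from the environment instead, use `StrictHostKeyChecking=accept-new` so the first contact is recorded and a later key change still fails, match the failure text explicitly, and propagate the child's exit status via `wait`. The usage string on the `puts` line appears to have lost its argument placeholders (likely `<user> <host> <password>`) — worth confirming against the actual file.

```tcl
# … unchanged: usage check (argument count becomes 2) and user/host parsing …
set password $env(SSH_PASSWORD)   ;# from the environment, not argv, so it is not visible in ps
# … unchanged: timeout …

spawn ssh-copy-id -o StrictHostKeyChecking=accept-new $user@$host

expect {
    "Permission denied" {
        puts stderr "authentication to $user@$host was rejected"
        exit 1
    }
    "*assword:*" {
        send "$password\r"
        exp_continue
    }
    timeout {
        puts stderr "timed out waiting for $host"
        exit 1
    }
    eof {}
}
lassign [wait] pid sid os_error status
exit $status
```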