Haitao Pan
4164e1ff91
refactor(caddy): completely refactor Caddy macOS paths and missing privileges across all roles
2026-06-19 18:22:53 +08:00
Haitao Pan
f66a118c57
fix: resolve Caddy permission denied and macOS path issues in acp_server_codex
2026-06-19 18:16:25 +08:00
Haitao Pan
a0b27a7aee
chore: commit pending infra playbook changes including ssh initialization script
2026-06-19 18:09:16 +08:00
Haitao Pan
51565ecf66
fix: resolve nodejs/npm dependency conflict and caddy path/permission issues
2026-06-19 18:08:33 +08:00
Haitao Pan
402c90967a
fix: correct acp_server_gemini template name and update nodejs packages for offline installation
2026-06-19 12:25:15 +08:00
Haitao Pan
edc70fb658
fix: remove stale repo + depth=1 for clone; macOS browser/npm/agent_skills/role defaults compatibility
2026-06-19 11:37:33 +08:00
Haitao Pan
45f6f3af89
refactor(acp_server_gemini): upgrade to use antigravity-cli
2026-06-19 10:42:24 +08:00
Haitao Pan
d876d69684
fix: make Vault admin bootstrap idempotent
2026-06-19 09:54:21 +08:00
Haitao Pan
c57642dce2
fix: retry OpenClaw compile cache reset
2026-06-19 09:50:46 +08:00
Haitao Pan
06e10fb0e1
fix: skip common baseline for macOS Postgres
2026-06-19 09:48:42 +08:00
Haitao Pan
7c5884c615
fix: use user Vault paths on macOS
2026-06-19 09:45:46 +08:00
51d28b5d8b
fix(postgres): install via brew command on macOS, not homebrew module
The community.general.homebrew module auto-detects a brew prefix and can pick a
stale Intel Homebrew at /usr/local that crashes on newer macOS versions
('unknown or unsupported macOS version'). Use a brew command with the Apple
Silicon prefix first on PATH (matching vault/openclaw), plus
HOMEBREW_NO_AUTO_UPDATE, keeping the task idempotent.
2026-06-18 12:55:51 +00:00
b85a80b8f8
fix(vault): resolve admin entity_id via entity-alias (idempotent bootstrap)
Logging in to obtain entity_id becomes MFA-gated once the login enforcement
exists, so re-runs failed with 'missing entityID'. Look up the entity via its
userpass entity-alias (create entity+alias on first run) and drop the now
unused bootstrap token revoke. Idempotent and backward compatible.
2026-06-18 12:39:42 +00:00
a7ad856e05
fix(common): macOS (Darwin) compatibility for baseline
The Base hardening tasks (timedatectl timezone, /etc/hostname, hostname,
/etc/hosts, ssh hardening, fail2ban, file limits, firewall) use become: true
and Linux-only tooling, so they fail on macOS where the deploy is unprivileged
(timedatectl is also absent). Guard the whole Base block with
ansible_os_family != 'Darwin'.
Add a Common | Darwin baseline branch (common_darwin.yml) that installs shared
Homebrew CLI prerequisites (jq) used by helper scripts in other roles, e.g.
vault's init_vault_admin.sh. Packages are listed in common_darwin_brew_packages.
2026-06-18 12:12:17 +00:00
Haitao Pan
7dcd2307ea
fix: use user bridge directory on macOS
2026-06-18 18:11:31 +08:00
Haitao Pan
33ef20e064
fix: add macOS ACP path defaults
2026-06-18 18:08:14 +08:00
Haitao Pan
7e886ec009
fix: omit ACP binary chown on macOS
2026-06-18 18:04:19 +08:00
Haitao Pan
740b0a5e72
fix: guard Linux ACP tasks on macOS
2026-06-18 17:52:21 +08:00
Haitao Pan
091cd1bfc1
fix: skip OpenClaw Caddy tasks on macOS
2026-06-18 17:49:23 +08:00
Haitao Pan
4ca20c8603
fix: support native macOS deployment
2026-06-18 17:45:01 +08:00
Haitao Pan
e83c1a73ac
fix: replace hardcoded ubuntu user/group/home in 6 vhost role defaults for macOS
2026-06-18 16:57:38 +08:00
Haitao Pan
39bdc7c1fd
fix: make agent CLI version check non-fatal (codex optional dep on macOS)
2026-06-18 16:53:53 +08:00
Haitao Pan
8a62cc4e59
fix: use argv for chromium version check to handle paths with spaces
2026-06-18 16:49:18 +08:00
Haitao Pan
4a60ff30e4
fix: make agent_skills defaults cross-platform (HOME, user, group)
2026-06-18 16:46:16 +08:00
Haitao Pan
a3fd2679ef
fix: skip apt rsync installation on macOS (rsync is built-in)
2026-06-18 16:44:01 +08:00
Haitao Pan
74d027e649
fix: ensure env directory exists before writing playwright configuration on macOS
2026-06-18 16:32:31 +08:00
Haitao Pan
aabf296461
fix: disable apt and become for browser setup on macOS
2026-06-18 16:30:04 +08:00
Haitao Pan
044a264256
feat: full macOS (Darwin) compatibility fixes for Ansible playbooks
2026-06-18 16:26:51 +08:00
Haitao Pan
c7784f2063
fix: restart opencode acp through launchd
2026-06-18 14:51:40 +08:00
Haitao Pan
5e3db5dfd5
feat: run opencode acp with launchd on macos
2026-06-18 14:51:06 +08:00
Haitao Pan
75c4c98613
feat: run codex acp with launchd on macos
2026-06-18 14:50:14 +08:00
Haitao Pan
2946a7bc42
fix: route codex acp setup on macos
2026-06-18 14:50:00 +08:00
Haitao Pan
dbbce5ff49
feat: support macos runtime deployment
2026-06-18 14:48:04 +08:00
Haitao Pan
0e1f8ab7cf
fix: install openclaw multi-session plugin
2026-06-18 10:01:51 +08:00
Haitao Pan
532c57a359
fix(offline): skip online repos for docker/nodejs and add ubuntu 26.04 support
2026-06-17 20:43:16 +08:00
Haitao Pan
c1162f7ea2
fix(qmd): configure LiteLLM embedding gateway and inject auth token
2026-06-17 14:43:34 +08:00
Haitao Pan
13d986a078
feat(ai-workspace): add Vault KV secrets dump and restore
2026-06-17 14:09:12 +08:00
Haitao Pan
5e363249ce
feat(ai-workspace): add encrypted backup and restore playbooks
2026-06-17 14:05:06 +08:00
Haitao Pan
1ac560e482
feat(ai-workspace): add backup/restore/migration role and playbook
2026-06-17 13:59:49 +08:00
Haitao Pan
b36a1c44e5
fix(firewall): allow ssh http https ingress
2026-06-17 13:59:49 +08:00
Haitao Pan
e5991301c6
feat(ai): parameterize LiteLLM URL and models for gateway_openclaw and acp_server_hermes to avoid hardcoded ports
2026-06-17 06:45:06 +08:00
Haitao Pan
3809a8cb6b
feat(ai): configure Hermes and OpenClaw to safely connect to local LiteLLM API endpoint by default using AI_WORKSPACE_AUTH_TOKEN
2026-06-16 23:19:30 +08:00
Haitao Pan
596f52ba12
fix(litellm): revert DEEPSEEK_API_KEY fallback to litellm_master_key
2026-06-16 23:10:54 +08:00
Haitao Pan
d49b472ddb
fix(litellm): add DEEPSEEK_API_KEY and OPENAI_API_KEY to litellm environment variables
2026-06-16 23:01:19 +08:00
Haitao Pan
93cbe2cd1b
feat: allow /ui* and /health in caddy allowed_api for minimal gateway mode
2026-06-16 16:51:58 +08:00
Haitao Pan
5630df788a
fix: make ai runtime npm installs idempotent
2026-06-16 15:04:14 +08:00
Haitao Pan
c07d12b5fe
feat: consume prebuilt workspace runtimes
2026-06-15 21:58:50 +08:00
Haitao Pan
d92979f22d
fix(litellm): ensure config directory and users exist before provisioning database
2026-06-15 18:31:54 +08:00
Haitao Pan
2658727d19
feat: increase ClientAliveCountMax to 15
2026-06-15 18:13:55 +08:00
Haitao Pan
dcf49e4ebf
feat: configure SSH ClientAlive settings for persistent sessions
2026-06-15 18:07:12 +08:00
Haitao Pan
126a19e282
feat(security): add SSH hardening, fail2ban tasks, connection check helper, and doc
2026-06-15 17:50:00 +08:00
Haitao Pan
c627f016bf
fix: move ACP service checks to final validation phase
2026-06-15 16:59:03 +08:00
Haitao Pan
5f00409550
fix: correct npm global bin path for acp_server_codex
2026-06-15 16:36:12 +08:00
Haitao Pan
40ed86a070
feat: deliver versioned AI Workspace Runtime (role split, run-mode matrix, bridge domain)
2026-06-15 16:12:37 +08:00
Haitao Pan
178664f262
feat: allow a portable LiteLLM Python runtime
2026-06-15 15:44:52 +08:00
Haitao Pan
2243b5d0c8
fix: support LiteLLM on Debian 11
2026-06-15 15:36:20 +08:00
Haitao Pan
65aef78937
fix: trust NodeSource armored signing key
2026-06-15 15:16:06 +08:00
Haitao Pan
2f4d3ad930
fix: make offline runtime reprovisioning stable
2026-06-15 15:12:56 +08:00
Haitao Pan
4228c1a6df
fix: correct docker repository task yaml
2026-06-14 14:19:42 +08:00
Haitao Pan
cfe89432a1
fix: allow pinned nodejs runtime downgrades
2026-06-14 13:50:05 +08:00
Haitao Pan
645ac9bd17
fix: support Debian runtime deployment paths
2026-06-14 13:47:26 +08:00
Haitao Pan
3084ab7940
feat: deliver versioned AI Workspace Runtime
2026-06-14 13:19:44 +08:00
Haitao Pan
f15c384a34
fix: provision local litellm db and qmd fallback
2026-06-14 11:25:28 +08:00
Haitao Pan
6346684af5
fix: support standalone postgres and dynamic litellm path
2026-06-14 11:09:52 +08:00
Haitao Pan
bfb6b17e29
fix: run standalone vault without inventory group
2026-06-14 10:54:22 +08:00
Haitao Pan
2319c592fb
feat: support standalone vault deployment
2026-06-14 10:42:41 +08:00
Haitao Pan
41853eedd9
fix: allow bridge validation url override
2026-06-14 10:30:06 +08:00
Haitao Pan
5e359cc5d8
fix: resolve openclaw user uid dynamically
2026-06-14 10:16:27 +08:00
Haitao Pan
4b6b1de8a7
fix: reload openclaw user systemd bus
2026-06-14 10:08:22 +08:00
Haitao Pan
ae78231fac
fix: bootstrap hermes acp shim
2026-06-14 09:54:43 +08:00
Haitao Pan
7f6854e9de
fix: sync agent skills over local connection
2026-06-14 09:33:58 +08:00
Haitao Pan
a15016ef1f
feat: install agent cli toolchain
2026-06-14 09:25:30 +08:00
Haitao Pan
e2ae564745
feat: unify ai workspace deployment auth
2026-06-14 09:09:40 +08:00
Haitao Pan
944d59f911
feat: standardise public_access controls across roles and introduce global security_level
2026-06-12 14:31:25 +08:00
Haitao Pan
b8d4df9230
docs: rename var to litellm_api_caddy_strict_whitelist and update documentation
2026-06-12 09:44:24 +08:00
Haitao Pan
1574287a4d
feat: add litellm_api_caddy_public_access variable to control Caddy proxy behavior
2026-06-12 09:39:45 +08:00
Haitao Pan
e9dec70225
docs: relax Caddy routing to allow LiteLLM UI backend API calls
2026-06-12 09:36:03 +08:00
Haitao Pan
e3952916af
docs: reformat litellm deployment guide to complement readme
2026-06-12 09:21:37 +08:00
Haitao Pan
47d4931ff7
docs: update litellm README to Minimal AI API Gateway spec and clean up config
2026-06-12 09:11:12 +08:00
Haitao Pan
7ef5005ae1
refactor(litellm): remove hardcoded provider API keys from defaults and env templates
2026-06-12 09:08:33 +08:00
Haitao Pan
9196625bd0
feat(litellm): enable STORE_MODEL_IN_DB to allow UI model management
2026-06-11 22:46:22 +08:00
Haitao Pan
a076370b68
security(litellm): move plain text master key to vault encrypted host_vars
2026-06-11 22:45:18 +08:00
Haitao Pan
21cbbca9be
fix(litellm): use UI_USERNAME and UI_PASSWORD env vars instead of LITELLM_ prefixed
2026-06-11 22:33:35 +08:00
Haitao Pan
c22a8c8266
feat(litellm): serve UI on api domain and clear default model lists
2026-06-11 21:45:10 +08:00
Haitao Pan
96ad38ff14
fix(litellm): disable Caddy basic auth and remove manual schema application to avoid migration conflicts
2026-06-11 18:28:18 +08:00
Haitao Pan
c1cb19b59b
fix(litellm): add PATH to systemd unit to expose prisma-client-py
2026-06-11 17:29:07 +08:00
Haitao Pan
1d8516d160
fix(litellm): add PYTHONPATH to systemd unit, grant all table/sequence permissions to litellm DB user
2026-06-11 17:21:19 +08:00
Haitao Pan
9cde355688
fix(litellm): sslmode=disable for localhost Docker PG, remove environment_variables override from config.yaml
2026-06-11 17:09:49 +08:00
Haitao Pan
e6a3d95578
fix(litellm): install prisma client and generate prisma bindings correctly during deployment
2026-06-11 16:45:22 +08:00
Haitao Pan
814a81f088
feat(litellm): support dynamic master key via extra vars and generate caddy bcrypt hash on the fly
2026-06-11 16:33:17 +08:00
Haitao Pan
d5a17a8301
fix(litellm): allow access to root path on ui domain instead of returning 404
2026-06-11 16:15:06 +08:00
Haitao Pan
01af16cd54
fix(litellm): use docker exec for pg provisioning
2026-06-11 16:14:03 +08:00
Haitao Pan
a68cf68d14
feat(litellm): restore secure automated DB provisioning using raw sudo psql
2026-06-11 16:09:12 +08:00
Haitao Pan
d57ef6458d
chore(litellm): skip automated db provisioning due to missing superuser password
2026-06-11 15:57:25 +08:00
Haitao Pan
4a14572b5b
fix(litellm): revert become_user to local TCP password auth
2026-06-11 15:56:43 +08:00
Haitao Pan
fc7a23617c
fix(litellm): use become_user postgres for db provisioning
2026-06-11 15:50:51 +08:00
Haitao Pan
fc1bff0061
fix(litellm): bypass stunnel and use port 5432 for local DB provisioning
2026-06-11 15:47:09 +08:00
Haitao Pan
db9d564ef3
fix(litellm): install psycopg2 before provisioning db
2026-06-11 15:35:11 +08:00
Haitao Pan
d573a4651b
fix(litellm): remove delegate_to 127.0.0.1 in provision-database
2026-06-11 15:33:51 +08:00
Haitao Pan
ce6d970bda
feat(litellm): separate api/ui caddy fragments, add models, secure db with sslmode
2026-06-11 15:29:31 +08:00
Haitao Pan
a817a0e732
fix(litellm): install litellm[proxy] to get all deps incl websockets
2026-06-11 11:42:16 +08:00
Haitao Pan
e56cb63032
fix(litellm): add PYTHONPATH env and fix websockets dep for litellm service
2026-06-11 11:41:29 +08:00
Haitao Pan
e5efac92e4
feat: add litellm gateway deployment playbook and role
2026-06-11 10:05:42 +08:00
Haitao Pan
42b8443f91
Allow common HTTP and HTTPS ports
2026-06-08 17:43:53 +08:00
Haitao Pan
7e0dc61924
fix: preserve xworkmate bridge review token in ingress
2026-06-07 23:01:47 +08:00
Haitao Pan
f451b5cd20
fix(playbook): move openclaw session contract checks out of deploy validation
The OpenClaw session contract smoke and SSE long-task stream checks lived in
roles/vhosts/xworkmate_bridge/tasks/validate.yml and ran during the Deploy
stage. They depend on the public OpenClaw gateway producing a 'pong' reply,
which the deployed bridge cannot guarantee end-to-end. When the gateway
returns an empty completion envelope, the entire Deploy job fails after the
bridge binary has already been installed and is healthy.
Move these checks to the GitHub Actions validate stage in xworkmate-bridge
where they belong. The bridge's own deploy validation now only asserts the
bridge's own state (Caddy config, systemd unit, ports, /api/ping, /acp/rpc
capabilities, routing.resolve).
2026-06-05 19:28:38 +08:00
Haitao Pan
6c234f9544
fix(playbook): update openclaw smoke tests to poll for async task completion
2026-06-04 14:48:31 +08:00
Haitao Pan
6d3418284a
fix(playbook): adjust system-level xworkmate-bridge.service to run as ubuntu user and ensure the user exists
2026-06-04 14:36:24 +08:00
Haitao Pan
d7199c511b
fix(playbook): stop, disable, and clean up obsolete user-level xworkmate-serve service to prevent port 8787 conflicts
2026-06-04 14:30:13 +08:00
Haitao Pan
61eb40624d
fix(xworkmate_bridge): resolve config.yaml PermissionError during deployment caused by immutable flag
2026-06-04 11:48:09 +08:00
Haitao Pan
dcdc9bea7b
feat: Remote Desktop Ansible Deployment for xworkmate-bridge
2026-06-03 10:49:49 +08:00
Haitao Pan
2f2e9d8f9b
fix: pin OpenClaw Codex plugin
2026-06-01 14:53:18 +08:00
Haitao Pan
ba4daa3597
fix: align bridge OpenClaw protocol 4 deployment
2026-06-01 13:48:52 +08:00
Haitao Pan
402faa02e1
fix: validate bridge token consistency
2026-06-01 10:02:13 +08:00
Haitao Pan
ce0dd3cee1
Wire review bridge token deployment
2026-05-30 10:34:51 +08:00
Haitao Pan
003d48e748
Merge branch 'codex/acp-connection-closed-cleanup'
2026-05-26 13:56:22 +08:00
Haitao Pan
69e7691287
chore: align AI agent runtime playbooks
2026-05-26 12:58:56 +08:00
Haitao Pan
71e3449622
Use SSE curl for OpenClaw validation
2026-05-26 11:29:25 +08:00
Haitao Pan
805a3fbda9
Focus bridge validation on OpenClaw RPC
2026-05-26 11:26:21 +08:00
Haitao Pan
22662cc538
Validate OpenClaw through bridge RPC
2026-05-26 11:06:22 +08:00
Haitao Pan
7fbba293a0
Fix Hermes deploy validation status check
2026-05-23 16:04:50 +08:00
Haitao Pan
f51958a4a2
chore: set xworkmate bridge openclaw active budget to five
2026-05-22 19:13:26 +08:00
Haitao Pan
aa674a7dac
fix: serialize xworkmate bridge openclaw tasks
2026-05-22 19:10:31 +08:00
Haitao Pan
9765158371
fix: validate ebook over public HTTPS
2026-05-20 16:35:46 +08:00
Haitao Pan
5ff5e2f1eb
fix: validate ebook vhost over local TLS
2026-05-20 16:35:03 +08:00
Haitao Pan
dfad2a0a5c
fix: use Caddy conf.d for ebook vhost
2026-05-20 16:34:30 +08:00
Haitao Pan
29dd6a38b7
feat: deploy modern IT history ebook
2026-05-20 16:27:54 +08:00
Haitao Pan
ae1e5813a9
fix: allow OpenClaw bridge validation to finish
2026-05-18 17:53:55 +08:00
Haitao Pan
4b2ab8401b
Align XFCE XRDP browser setup with Chrome deb
2026-05-18 05:42:17 +08:00
Haitao Pan
72bee745b3
tune openclaw default thinking for gateway tasks
2026-05-15 12:29:01 +08:00
Haitao Pan
0c3e673e78
fix openclaw gateway default model deploy config
2026-05-15 12:10:31 +08:00
Haitao Pan
07f72e2c46
Relax bridge SSE keepalive validation
2026-05-11 14:45:27 +08:00
Haitao Pan
ad49ba1b22
Configure OpenClaw admission through bridge config
2026-05-11 13:21:41 +08:00
Haitao Pan
b6b0e3ddad
Use OpenClaw default agent model
2026-05-11 12:53:39 +08:00
Haitao Pan
3ae95ea54d
Enable production OpenClaw artifact plugin
2026-05-11 12:35:09 +08:00
Haitao Pan
6c1ad92ff4
Handle live OpenClaw gateway runtime path
2026-05-11 12:14:31 +08:00
Haitao Pan
f023bd3961
Configure stable OpenClaw concurrency
2026-05-11 11:47:09 +08:00
Haitao Pan
95efae0060
Configure stable OpenClaw concurrency
2026-05-11 11:45:32 +08:00
Haitao Pan
1fa9ca2457
fix: validate OpenClaw SSE ingress
2026-05-08 18:58:51 +08:00
Haitao Pan
9f3449b635
fix: proxy xworkmate artifact downloads
2026-05-06 10:05:09 +08:00
Haitao Pan
289468e188
fix: remove legacy acp-server ingress contract
2026-05-03 12:31:07 +08:00
Haitao Pan
a50dc24619
fix: align xworkmate bridge ingress contract
2026-05-03 12:14:27 +08:00
Haitao Pan
dd0201e483
fix: expose bridge gateway ingress
2026-05-03 11:22:09 +08:00
Haitao Pan
d3efb08e8d
chore: submit remaining playbooks changes
2026-05-02 19:41:38 +08:00
Haitao Pan
54b234b2bc
fix: reload bridge unit before service start
2026-05-02 19:17:34 +08:00
Haitao Pan
a250cf70e5
fix: remove root openclaw dependency from bridge unit
2026-05-02 19:06:58 +08:00
Haitao Pan
f6167c1e89
fix: run openclaw gateway as user service
2026-05-02 18:51:46 +08:00
Haitao Pan
14c77e6e5e
fix: propagate bridge image ref into systemd
2026-05-02 18:20:30 +08:00
Haitao Pan
3d091118c2
fix: retry bridge hermes diagnostic validation
2026-05-02 18:11:17 +08:00
Haitao Pan
9ba79fb05a
fix: recover openclaw ollama secret from host env
2026-05-02 17:57:43 +08:00