ai-workspace-infra/playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
449 Commits 14 Branches 1 Tag 1.5 MiB
Shell 71.3%
Jinja 24.5%
Python 3.4%
PowerShell 0.5%
Groovy 0.3%
c3f3b8ac8e
Go to file
Haitao Pan c3f3b8ac8e refactor(agent_skills): run on target host, git-clone sources, drop delegate_to localhost 
Make the role work identically under both execution models:
- local/pull (curl|bash -> ansible-playbook -c local; localhost == host)
- remote controller (ansible-playbook -i inventory over ssh; tasks run on host)

Changes:
- Remove ALL delegate_to: localhost (the old raw 'command: rsync' detected
  local-vs-remote via ansible_connection, but delegate_to localhost forced it
  to 'local', so the user@host push branch was dead code -> remote runs wrote
  to the controller's /root and failed).
- Acquire xworkspace-core-skills via ansible.builtin.git clone ON THE HOST
  (most universal/cross-platform), instead of requiring a controller-side dir.
- Merge core skills into the canonical dir with ansible.builtin.copy
  (remote_src, host-local) instead of raw rsync; installer adapters install
  directly into the canonical dir on the host.
- Drop rsync-only vars/excludes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 14:57:49 +08:00
deepflow/deepflow-agent-playbook feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
docs docs: pin runtime asset names 2026-06-15 22:02:52 +08:00
examples fix: kill legacy http.server, reload systemd and start services after deploy 2026-06-09 20:40:46 +08:00
group_vars feat(xworkmate_bridge): add Windows Scheduled Task deployment and skip Caddy on Windows 2026-06-21 20:18:11 +08:00
host_vars fix: correct yaml formatting in host_vars litellm.yml 2026-06-12 13:03:28 +08:00
inventory feat(inventory): add Terraform CMDB dynamic inventory for ai-workspace 2026-06-23 20:57:58 +08:00
roles refactor(agent_skills): run on target host, git-clone sources, drop delegate_to localhost 2026-06-24 14:57:49 +08:00
scripts chore: move bootstrap script to xworkspace-console repo 2026-06-12 19:47:16 +08:00
skills/release-branch-policy feat(platform): refresh k3s bootstrap and release controls 2026-04-03 16:41:12 +08:00
vars chore: align AI agent runtime playbooks 2026-05-26 12:58:56 +08:00
.gitignore chore: qmd version bump, macOS container runtime deps, ignore inventory pycache 2026-06-23 21:01:57 +08:00
.gitleaksignore chore: ignore gitleaks false positive in docs 2026-06-15 18:02:37 +08:00
alicloud_dns_record.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
alicloud_dns_sync.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
ansible.cfg feat: consume prebuilt workspace runtimes 2026-06-15 21:58:50 +08:00
api.plist.j2 feat: full macOS (Darwin) compatibility fixes for Ansible playbooks 2026-06-18 16:26:51 +08:00
apply-branch-protection.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
bootstrap_cloud_dev_desktop.yml feat(playbooks): add cloud desktop bootstrap flow 2026-04-10 17:09:59 +08:00
common feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
common_setup.yml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
console.plist.j2 fix(console): serve dashboard/dist via local python http.server (not npm/caddy) 2026-06-24 09:44:01 +08:00
create_audit_user.yml Add readonly SSH audit user role and playbooks 2026-04-10 11:08:47 +08:00
create_readonly_ssh_user.yml Add readonly SSH audit user role and playbooks 2026-04-10 11:08:47 +08:00
deploy_accounts_svc_plus.yml fix: inject image ref into accounts deploy 2026-04-12 14:23:10 +08:00
deploy_acp_codex_vhosts.yml Align xworkmate bridge playbooks with live services 2026-04-20 17:20:03 +08:00
deploy_acp_gemini_vhosts.yml Align xworkmate bridge playbooks with live services 2026-04-20 17:20:03 +08:00
deploy_acp_opencode_vhosts.yml Align xworkmate bridge playbooks with live services 2026-04-20 17:20:03 +08:00
deploy_agent_hermes.yml chore: align AI agent runtime playbooks 2026-05-26 12:58:56 +08:00
deploy_agent_svc_plus.yml Make TLS cert name configurable 2026-04-11 12:55:31 +08:00
deploy_apisix_svc.plus.yaml feat(playbooks): add managed APISIX service deploy 2026-04-10 17:14:38 +08:00
deploy_apisix.yml feat(playbooks): add cloud desktop bootstrap flow 2026-04-10 17:09:59 +08:00
deploy_billing_service.yml Deploy billing-service from build artifact 2026-04-12 19:05:17 +08:00
deploy_blackbox_exporters_vhosts.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_console_svc_plus.yml deploy: align console ingress and dns contract 2026-04-12 18:14:28 +08:00
deploy_deepflow_agent feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_docs_svc_plus.yml Add docs.svc.plus deployment playbook 2026-04-14 18:21:01 +08:00
deploy_exporters_vhosts.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_gateway_openclaw.yml fix: wait safely for apt locks 2026-06-15 14:32:24 +08:00
deploy_grafana_docker.yaml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_modern_it_history.yml fix: keep ebook deploy on Node 24 hosts 2026-05-20 16:28:43 +08:00
deploy_monitor_server.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_neurapress_docker.yaml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_nginx_vhosts.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_nodejs_vhosts.yml feat(playbooks): rename root authorized key bootstrap playbook 2026-04-04 13:16:07 +08:00
deploy_OpenObserve_docker.yaml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_openresty_vhosts.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_otel_docker.yaml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_postgre_vhosts.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_postgresql_svc_plus.yml Add managed postgresql.svc.plus deployment 2026-04-05 19:09:25 +08:00
deploy_QMD.yml fix: preserve macOS launchd service roles 2026-06-18 17:46:24 +08:00
deploy_redis_vhosts.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_stunnel-client.yml Fix ansible-core callback compatibility 2026-04-10 17:50:55 +08:00
deploy_svc_plus_core_services_stack.yml feat(playbooks): add cloud desktop bootstrap flow 2026-04-10 17:09:59 +08:00
deploy_svc_plus_extended-services.yml Fix ansible-core callback compatibility 2026-04-10 17:50:55 +08:00
deploy_Tempo_docker.yaml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_tiny_monitor_server_vhost.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_vhosts_otel-collector.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_VictoriaLogs_docker.yaml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_VictoriaMetrics_docker.yaml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_xcontrol_dashboard.yml update 2025-12-31 23:24:02 +08:00
deploy_xcontrol_server._vhosts.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy_xray_exporter.yml feat: wire multi-node billing deployment config 2026-04-12 13:14:41 +08:00
deploy_xworkmate_bridge_vhosts.yml fix: preserve macOS launchd service roles 2026-06-18 17:46:24 +08:00
deploy_zitadel_docker.yaml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy-docker-harbor.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
deploy-docker-keycloak.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
destroy_cloud_dev_desktop.yml feat(playbooks): add cloud desktop bootstrap flow 2026-04-10 17:09:59 +08:00
gnome_xrdp_minimal.yaml Migrate XRDP and Cloudflare playbooks 2026-04-05 16:54:48 +08:00
gpu_inference_01_prepare.yml feat(gpu_inference): add comprehensive GPU inference infrastructure with Sealos, Ray, and vLLM 2026-04-23 19:17:23 +08:00
gpu_inference_02_sealos.yml feat(gpu_inference): add comprehensive GPU inference infrastructure with Sealos, Ray, and vLLM 2026-04-23 19:17:23 +08:00
gpu_inference_03_gpu_operator.yml feat(gpu_inference): add comprehensive GPU inference infrastructure with Sealos, Ray, and vLLM 2026-04-23 19:17:23 +08:00
gpu_inference_04_ray.yml feat(gpu_inference): add comprehensive GPU inference infrastructure with Sealos, Ray, and vLLM 2026-04-23 19:17:23 +08:00
gpu_inference_05_vllm.yml feat(gpu_inference): add comprehensive GPU inference infrastructure with Sealos, Ray, and vLLM 2026-04-23 19:17:23 +08:00
gpu_inference_site.yml feat(gpu_inference): add comprehensive GPU inference infrastructure with Sealos, Ray, and vLLM 2026-04-23 19:17:23 +08:00
gpu_k8s_init.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
gpu_k8s_reset.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
harden_ssh_root_key_only.yml Migrate XRDP and Cloudflare playbooks 2026-04-05 16:54:48 +08:00
init_chaos_mesh feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_chartmuseum feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_deepflow feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_flagger-loadtester feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_gitlab feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_grafana_alloy feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_harbor_server feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_jenkins feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_k3s_cluster_agent feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_k3s_cluster_server feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_k3s_cluster_std feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_k3s_cluster_with_argo_server feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_observability-agent feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_observability-server feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_openldap feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_splunk-otel-collector feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_telegraf feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_vault feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init_vpn_gateway.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
init-harbor-server feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
inventory.ini chore: unify xworkspace console service 2026-06-13 07:43:11 +08:00
k3s_platform_addon.yml refactor(platform): split addon step for external-dns 2026-04-04 06:11:44 +08:00
k3s_platform_bootstrap_with_gitops.yml refactor(platform): keep bootstrap playbook bootstrap-only 2026-04-04 06:38:10 +08:00
k3s_reset.yml feat(k3s): absorb bootstrap defaults and add reset entrypoint 2026-04-04 09:50:09 +08:00
k3s-cluster.yaml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
keycloak_server feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
LICENSE feat(platform): refresh k3s bootstrap and release controls 2026-04-03 16:41:12 +08:00
plasma_xrdp_minimal.yaml Migrate XRDP and Cloudflare playbooks 2026-04-05 16:54:48 +08:00
pre_setup.sh feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
README.md fix: align bridge OpenClaw protocol 4 deployment 2026-06-01 13:48:52 +08:00
renew_nodes_ssl_certs feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
setup-ai-agent-skills.yml fix: wait safely for apt locks 2026-06-15 14:32:24 +08:00
setup-ai-workspace-all-in-one.yml feat: consume prebuilt workspace runtimes 2026-06-15 21:58:50 +08:00
setup-ai-workspace-backup.yml feat(ai-workspace): add encrypted backup and restore playbooks 2026-06-17 14:05:06 +08:00
setup-ai-workspace-migration.yml feat(ai-workspace): add backup/restore/migration role and playbook 2026-06-17 13:59:49 +08:00
setup-ai-workspace-preflight.yml feat: consume prebuilt workspace runtimes 2026-06-15 21:58:50 +08:00
setup-ai-workspace-restore.yml feat(ai-workspace): add encrypted backup and restore playbooks 2026-06-17 14:05:06 +08:00
setup-ai-workspace-runtime.yml fix: remove stale repo + depth=1 for clone; macOS browser/npm/agent_skills/role defaults compatibility 2026-06-19 11:37:33 +08:00
setup-caddy.yml Add caddy vhost role and setup playbook 2026-01-12 11:07:25 +08:00
setup-docker.yml feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
setup-litellm.yaml fix: preserve macOS launchd service roles 2026-06-18 17:46:24 +08:00
setup-nextjs.yml Add Next.js vhost role 2026-01-12 11:24:58 +08:00
setup-nodejs.yml fix: wait safely for apt locks 2026-06-15 14:32:24 +08:00
setup-postgres-standalone.yaml fix: preserve macOS launchd service roles 2026-06-18 17:46:24 +08:00
setup-python3.yml feat(playbooks): rename root authorized key bootstrap playbook 2026-04-04 13:16:07 +08:00
setup-root-authorized-key.yml feat(playbooks): rename root authorized key bootstrap playbook 2026-04-04 13:16:07 +08:00
setup-vault.yaml fix: preserve macOS launchd service roles 2026-06-18 17:46:24 +08:00
setup-xfce-xrdp.yaml fix(xfce): skip Linux XFCE/XRDP desktop stack on macOS 2026-06-22 12:46:31 +08:00
setup-xworkspace-console.yaml fix(console): serve dashboard/dist via local python http.server (not npm/caddy) 2026-06-24 09:44:01 +08:00
test.yml Merge branch 'codex/openclaw-playbook-concurrency' 2026-06-22 13:25:45 +08:00
ttyd.plist.j2 feat: full macOS (Darwin) compatibility fixes for Ansible playbooks 2026-06-18 16:26:51 +08:00
update_cloudflare_dns.yml Migrate XRDP and Cloudflare playbooks 2026-04-05 16:54:48 +08:00
update_cloudflare_svc_plus_dns.yml Migrate XRDP and Cloudflare playbooks 2026-04-05 16:54:48 +08:00
vpn-overlay-dnat.yaml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
vpn-overlay-vxlan-hub.yaml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
vpn-overlay-vxlan-site.yaml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
vpn-wireguard-hub.yaml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
vpn-wireguard-over-vless.yml fix: align bridge OpenClaw protocol 4 deployment 2026-06-01 13:48:52 +08:00
vpn-wireguard-site.yaml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
vpn-xray-client.yaml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
vpn-xray-hub.yaml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
vpn-xray-tproxy.yaml feat(ansible): extract playbooks and roles into standalone repository 2025-12-21 19:09:46 +08:00
wireguard_ali_vpn_gw feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
wireguard_client feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
wireguard_gateway feat(playbooks): add comprehensive vhosts roles and ops scripts 2025-12-21 19:23:19 +08:00
xworkspace_console_macos.yml feat: full macOS (Darwin) compatibility fixes for Ansible playbooks 2026-06-18 16:26:51 +08:00

README.md

playbooks

XWorkmate Bridge Distributed VPN

The bidirectional WireGuard-over-VLESS transport for the two XWorkmate bridge nodes is deployed by:

ansible-playbook -i inventory.ini vpn-wireguard-over-vless.yml

The implementation uses split bridge groups (xworkmate_bridge and cn_xworkmate_bridge) under xworkmate_bridge_distributed, stores private keys and the shared management-side Xray UUID in https://vault.svc.plus, and keeps the host's default xray.service untouched. The runbook lives in roles/vhosts/xworkmate_bridge_distributed_vpn/README.md.

Cloud Dev Desktop

The cloud dev desktop flow lives here as two playbooks:

  1. bootstrap_cloud_dev_desktop.yml
  2. destroy_cloud_dev_desktop.yml

bootstrap_cloud_dev_desktop.yml now includes the create/bootstrap/verify sequence in one entry point. The control-plane repo calls these playbooks from ../playbooks.

Traffic Billing Stack

The traffic billing stack now has a single aggregate playbook:

deploy_svc_plus_core_services_stack.yml

It orchestrates these existing playbooks in dependency order:

  1. deploy_billing_service.yml
  2. deploy_xworkmate_bridge_vhosts.yml
  3. deploy_xray_exporter.yml
  4. deploy_agent_svc_plus.yml
  5. deploy_accounts_svc_plus.yml
  6. deploy_stunnel-client.yml
  7. deploy_apisix.yml
  8. deploy_console_svc_plus.yml

Full stack deploy

cd /Users/shenlan/workspaces/cloud-neutral-toolkit/playbooks
export INTERNAL_SERVICE_TOKEN=...
export DATABASE_URL=postgres://...
export FRONTEND_IMAGE=ghcr.io/x-evor/dashboard:latest
export STACK_TARGET_HOST=jp_xhttp_contabo_host
export console_service_sync_dns=true
ansible-playbook -i inventory.ini deploy_svc_plus_core_services_stack.yml

STACK_ENV_FILE=./.env is optional. Use it when you want the aggregate playbook to read a local .env file; GitHub Actions or other CI runners can skip it and pass values with -e instead.

Deploy to one target host directly

Use STACK_TARGET_HOST to override the stack host groups when you want all services to target the same inventory host. For console-only runs, use Ansible's -l jp_xhttp_contabo_host limit instead of a separate host variable, and keep console_service_sync_dns=true if you want DNS reconciliation.

cd /Users/shenlan/workspaces/cloud-neutral-toolkit/playbooks
export STACK_TARGET_HOST=jp_xhttp_contabo_host
export INTERNAL_SERVICE_TOKEN=...
export DATABASE_URL=postgres://...
export FRONTEND_IMAGE=ghcr.io/x-evor/dashboard:latest
export console_service_sync_dns=true
ansible-playbook -i inventory.ini -l jp_xhttp_contabo_host deploy_svc_plus_core_services_stack.yml

Deploy only selected services

Use STACK_SERVICES with a comma-separated list:

  • billing-service
  • xworkmate-bridge
  • xray-exporter
  • agent
  • accounts
  • stunnel-client
  • apisix
  • console
cd /Users/shenlan/workspaces/cloud-neutral-toolkit/playbooks
export STACK_TARGET_HOST=jp-xhttp-contabo.svc.plus
export STACK_SERVICES=xray-exporter,billing-service,agent,xworkmate-bridge
export INTERNAL_SERVICE_TOKEN=...
export DATABASE_URL=postgres://...
ansible-playbook -i inventory.ini -l jp_xhttp_contabo_host deploy_svc_plus_core_services_stack.yml

Notes

  • accounts and console still use their existing role contracts.
  • console requires FRONTEND_IMAGE because the target host only does pull-only compose deployment.
  • console now writes a Caddy fragment named like <server-name>-<release_id>-<hostname>-<domain>.caddy instead of managing the Caddy service container itself.
  • billing-service requires DATABASE_URL.
  • xray-exporter and agent require INTERNAL_SERVICE_TOKEN.
  • xworkmate-bridge accepts XWORKMATE_BRIDGE_HOSTS, and also follows STACK_TARGET_HOST when you want to deploy the whole stack to one host.

Deploy console to a specific host and sync DNS

deploy_console_svc_plus.yml now accepts console_service_sync_dns=true to rebuild and reconcile DNS records after deployment. For host selection, use Ansible's -l jp_xhttp_contabo_host limit.

Example:

cd /Users/shenlan/workspaces/cloud-neutral-toolkit/playbooks
ansible-playbook -i inventory.ini deploy_console_svc_plus.yml \
  -e console_service_sync_dns=true \
  -e FRONTEND_IMAGE=ghcr.io/x-evor/dashboard:latest