IaC 面 (infra/) 与控制面 (server/internal/provision) 双产出,落地 doc/04 §4 「节点是牲口」弹性拓扑与 make-before-break 一键更换。 server/internal/provision: - CloudAdapter 适配层 + Registry(首发 vultr 消耗品池 / hetzner 精品池各一); 厂商凭证仅从 PROVISION_<VENDOR>_* env 注入,不入库不入 git。 - ProvisionService:CreateNode(幂等键重放不重复开机)、DestroyNode(幂等)、 RotateIP(换 IP 不换机 + version bump)、ListProviders。 - Replace 一键更换:先建后拆,新机 up 先于旧机 draining(容量不下降), replacement_uuid 幂等键 + replacements 表分步记录,崩溃可续跑不重复。 - RotatePool:池内滚动轮换,并发度 1–2。 - cmd/nodectl CLI:create/destroy/rotate-ip/replace/rotate-pool/providers。 - 单测(mock 厂商 API + 内存 Store):幂等重放、make-before-break 时序断言、 开机失败/探活超时→destroyed+失败计数+告警钩子、崩溃续跑、RotatePool。 infra/: - terraform/:探针机 + 控制面基线模块化(probe / control-plane)+ README, 低频基线进 state,节点不进 Terraform。 - cloud-init/node.yaml.tmpl:节点引导模板(注入一次性 bootstrap token,task #5)。 - identity-isolation.md:身份隔离登记表(doc/06 §2 红线,无任何凭证)。 migrations/000008:nodes 增 provider_instance_id/elastic_ip_id、node_events 增 ip_rotated、provision_idempotency / replacements 表(附加式,不动现网)。 红线:仅面向新厂商池,绝不纳管现网生产 EC2(deploy/ marzban)。 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
3.0 KiB
Identity isolation register (doc/06 §2 红线)
RED LINE (any phase, never crossed): servers, domains, CDN, object storage, payment, email and phone numbers MUST NOT share any linkable identity. Each vendor uses an independent account + independent email + crypto payment. This file is the authoritative register of which isolated identity backs which asset. It contains NO secrets — only the isolation mapping. Credentials live in independent secret stores (env / files), never here, never in the database, never in git.
How to use this register
- Onboarding a new vendor/asset → add a row before provisioning anything.
- Each row gets a distinct
identity-id(an opaque internal label, e.g.id-a7). Never reuse an identity across rows. - Record the asset, pool, payment rail, and the secret location (where the credential is injected from), not the credential itself.
Data-plane vendor pools (doc/04 §5.2)
Consumed by server/internal/provision. The providers table stores only
name/api_kind/regions/pool/enabled; the matching credential is injected from
the secret location below as PROVISION_<VENDOR>_*.
| identity-id | asset | pool | api_kind | payment | secret location (env) | notes |
|---|---|---|---|---|---|---|
| id-c1 | vendor A | consumable | vultr |
USDT/crypto | PROVISION_VULTR_API_KEY |
small/cheap entry pool; ≥3 vendors target |
| id-c2 | vendor B | consumable | tbd | crypto | PROVISION_<B>_API_KEY |
second consumable vendor |
| id-c3 | vendor C | consumable | tbd | crypto | PROVISION_<C>_API_KEY |
third consumable vendor |
| id-p1 | vendor D | premium | hetzner |
crypto | PROVISION_HETZNER_API_TOKEN |
stable exit/pro entry; native IPs |
Consumable pool and premium pool MUST use different vendor accounts so a mass-burn of the consumable pool never touches the premium pool (doc/04 §4.2).
Management / baseline (Terraform)
Managed by infra/terraform. Independent from all data-plane vendor identities.
| identity-id | asset | purpose | payment | secret location |
|---|---|---|---|---|
| id-m1 | mgmt/probe cloud | probe machines + control-plane host | crypto | TF_VAR_hcloud_token (CI secret) |
| id-m2 | control-plane DB/Redis | user DB, audit_log | — | server deploy secrets |
Adjacent assets (registered elsewhere, listed for completeness)
| identity-id | asset | owner doc |
|---|---|---|
| id-d1 | domain registrar (WHOIS privacy) | doc/05 |
| id-d2 | CDN account | doc/05 |
| id-pay1 | payment / card store (USDT-TRC20) | doc/02 §4 |
| id-tg1 | ops TG bot (anonymous) | doc/04 §5.3 |
Audit checklist (run before each onboarding)
- New identity-id is unique; no email/account reused from another row.
- Payment is crypto / non-KYC; not bound to a real-name account.
- Credential stored only in its secret location; absent from git & DB.
ci/scan-redline.shand a repo/DB secret scan pass.