Files
pangolin/infra/identity-isolation.md
wangjia 3d5bac66b4 feat(provision): 弹性节点基建 Terraform + 一键更换 (tsk_6u0FxmbC7Yeq)
IaC 面 (infra/) 与控制面 (server/internal/provision) 双产出,落地 doc/04 §4
「节点是牲口」弹性拓扑与 make-before-break 一键更换。

server/internal/provision:
- CloudAdapter 适配层 + Registry(首发 vultr 消耗品池 / hetzner 精品池各一);
  厂商凭证仅从 PROVISION_<VENDOR>_* env 注入,不入库不入 git。
- ProvisionService:CreateNode(幂等键重放不重复开机)、DestroyNode(幂等)、
  RotateIP(换 IP 不换机 + version bump)、ListProviders。
- Replace 一键更换:先建后拆,新机 up 先于旧机 draining(容量不下降),
  replacement_uuid 幂等键 + replacements 表分步记录,崩溃可续跑不重复。
- RotatePool:池内滚动轮换,并发度 1–2。
- cmd/nodectl CLI:create/destroy/rotate-ip/replace/rotate-pool/providers。
- 单测(mock 厂商 API + 内存 Store):幂等重放、make-before-break 时序断言、
  开机失败/探活超时→destroyed+失败计数+告警钩子、崩溃续跑、RotatePool。

infra/:
- terraform/:探针机 + 控制面基线模块化(probe / control-plane)+ README,
  低频基线进 state,节点不进 Terraform。
- cloud-init/node.yaml.tmpl:节点引导模板(注入一次性 bootstrap token,task #5)。
- identity-isolation.md:身份隔离登记表(doc/06 §2 红线,无任何凭证)。

migrations/000008:nodes 增 provider_instance_id/elastic_ip_id、node_events
增 ip_rotated、provision_idempotency / replacements 表(附加式,不动现网)。

红线:仅面向新厂商池,绝不纳管现网生产 EC2(deploy/ marzban)。

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-13 14:23:39 +08:00

3.0 KiB

Identity isolation register (doc/06 §2 红线)

RED LINE (any phase, never crossed): servers, domains, CDN, object storage, payment, email and phone numbers MUST NOT share any linkable identity. Each vendor uses an independent account + independent email + crypto payment. This file is the authoritative register of which isolated identity backs which asset. It contains NO secrets — only the isolation mapping. Credentials live in independent secret stores (env / files), never here, never in the database, never in git.

How to use this register

  1. Onboarding a new vendor/asset → add a row before provisioning anything.
  2. Each row gets a distinct identity-id (an opaque internal label, e.g. id-a7). Never reuse an identity across rows.
  3. Record the asset, pool, payment rail, and the secret location (where the credential is injected from), not the credential itself.

Data-plane vendor pools (doc/04 §5.2)

Consumed by server/internal/provision. The providers table stores only name/api_kind/regions/pool/enabled; the matching credential is injected from the secret location below as PROVISION_<VENDOR>_*.

identity-id asset pool api_kind payment secret location (env) notes
id-c1 vendor A consumable vultr USDT/crypto PROVISION_VULTR_API_KEY small/cheap entry pool; ≥3 vendors target
id-c2 vendor B consumable tbd crypto PROVISION_<B>_API_KEY second consumable vendor
id-c3 vendor C consumable tbd crypto PROVISION_<C>_API_KEY third consumable vendor
id-p1 vendor D premium hetzner crypto PROVISION_HETZNER_API_TOKEN stable exit/pro entry; native IPs

Consumable pool and premium pool MUST use different vendor accounts so a mass-burn of the consumable pool never touches the premium pool (doc/04 §4.2).

Management / baseline (Terraform)

Managed by infra/terraform. Independent from all data-plane vendor identities.

identity-id asset purpose payment secret location
id-m1 mgmt/probe cloud probe machines + control-plane host crypto TF_VAR_hcloud_token (CI secret)
id-m2 control-plane DB/Redis user DB, audit_log server deploy secrets

Adjacent assets (registered elsewhere, listed for completeness)

identity-id asset owner doc
id-d1 domain registrar (WHOIS privacy) doc/05
id-d2 CDN account doc/05
id-pay1 payment / card store (USDT-TRC20) doc/02 §4
id-tg1 ops TG bot (anonymous) doc/04 §5.3

Audit checklist (run before each onboarding)

  • New identity-id is unique; no email/account reused from another row.
  • Payment is crypto / non-KYC; not bound to a real-name account.
  • Credential stored only in its secret location; absent from git & DB.
  • ci/scan-redline.sh and a repo/DB secret scan pass.