对齐文件规范

2026-03-27 16:58:41 +08:00
parent 231b6713c4
commit 31709425e2
235 changed files with 5433 additions and 2850 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,8 @@
 .ssh
 # 本地填写的验证编排环境变量（从 scripts/.env.verify.example 复制）
 scripts/.env.verify
 # 可选：export ANSIBLE_LOCAL_TMP=$PWD/.ansible-tmp（无写权限 ~/.ansible 时）
 .ansible-tmp/
 _bmad
 _bmad-output
 design-artifacts
--- a/README.md
+++ b/README.md
@@ -5,60 +5,64 @@
 如果你是第一次看，不用担心，按下面顺序一步一步来就行。
 **路径约定**：下文与总览中的文件路径均相对于**仓库根目录**（在仓库根执行脚本，例如 `./scripts/...`）。
 ## 先知道这仓库怎么逛
 - 文档主入口：`docs/00-00-构建总览.md`
- 部署环境说明：`docs/00-04-部署环境说明.md`（节点布局、IP、版本等）
+- 部署环境说明：`docs/00-02-部署环境说明.md`（节点布局、IP、版本等）
 - 脚本主入口：`scripts/README.md`
- 验证状态一览：`docs/00-02-验证矩阵.md`
+- 仓库契约（AI/贡献者必读）：`project-context.md`（真源、验证框架、noop/gate、敏感信息约束）
- 测试与验证框架设计：`docs/00-05-测试与验证框架.md`
+- 测试与验证框架设计：`docs/00-03-测试与验证框架.md`
 - **验证入口**：`./scripts/verify.sh`（`full/run-all/run`）
-简单理解这三份入口的分工：
+编号语义（用于快速判断“是否必须可执行”）：
- `README.md`：新手入口，看“要做什么、按什么顺序做”；
+- `00-**`：纯文档域（索引/说明/状态板等）
- `00-00-构建总览.md`：文档导航，看“下一步该看哪一篇”；
+- `XX-00`（`XX>0`）：系列入口/导航页
- `00-01-k3s-基础概念.md`：概念速查，看“不懂的 K3s/Traefik/NetworkPolicy 术语”；
+- `XX-YY`（`XX>0 && YY>0`）：分项实践页，必须包含可执行物（YAML 路径或命令块）
 - `00-02-验证矩阵.md`：状态面板，看「哪些文档已在真实环境跑通过」；自动化复验用 `./scripts/verify.sh run-all`（见 `00-05`），矩阵里的状态/备注建议仍手工维护。
-目录约定很简单：
+简单理解这几份入口的分工：
- 主文档都在 `docs/`
+- `README.md`：新手入口，看「要做什么、按什么顺序做」；
- 脚本都在 `scripts/`
+- `docs/00-00-构建总览.md`：文档导航 + **学习主线（6 步）**与**附录长单**；
- 脚本默认从仓库根目录执行（例如 `./scripts/...`）
+- `docs/00-01-k3s-基础概念.md`：概念速查，看「不懂的 K3s/Traefik/NetworkPolicy 术语」；
 - `./scripts/verify.sh`：按 `doc_id` 的自动化验证入口（`full/run-all/run`；清单由 `ansible/playbooks/verify/` 自动生成，且仅包含执行域 `XX>0 && YY>0`）。
-## 新手推荐安装顺序（口语版）
+目录约定：
-1. **先看总览，别急着装**
+- 主文档：`docs/`
-   打开 `docs/00-00-构建总览.md`，先把整体拓扑和机器分工看明白。
+- 脚本：`scripts/`
-2. **装 K3s 集群（两种方式二选一）**
+## 学习主线（6 步，推荐）
   - **自动化**：按 `docs/01-06-节点初始化-ansible-实践.md`，或在仓库根执行 `./scripts/deploy-lab.sh k3s`（可选 `K3S_PREPARE_STORAGE=true`），完成 61~64 初始化 + server/worker（详见 `scripts/README.md`）。
   - **手动**：先按 `docs/01-01-k3s-控制节点含traefik.md` 装控制节点 61，再按 `docs/01-02-k3s-工作节点.md` 加工作节点 62~64。
-3. **确认节点 Ready**
+与 `docs/00-00-构建总览.md` 中主线一致；更细的**流程图与分叉说明**也在该篇。
   执行 `kubectl get nodes`，确认所有节点 Ready。
-4. **先用 nginx 做最小验证**
+1. **总览与环境**：读 `docs/00-00-构建总览.md`；需要对照机器与版本时打开 `docs/00-02-部署环境说明.md`。
-   按 `docs/04-03-k3s-nginx-demo.md`，先打通“能访问”这件事，再上 nodejs。
+2. **概念速查（可跳过）**：读 `docs/00-01-k3s-基础概念.md`；时间紧可跳过，**碰壁再回来看**。
 3. **安装 K3s（二选一）**：**自动化** — `docs/01-06-节点初始化-ansible-实践.md`，或仓库根执行 `./scripts/deploy-lab.sh k3s`（可选 `K3S_PREPARE_STORAGE=true`，详见 `scripts/README.md`）；**手动** — `docs/01-01-k3s-控制节点含traefik.md` 再 `docs/01-02-k3s-工作节点.md`。
 4. **确认节点 Ready**：`kubectl get nodes`，全部 Ready。
 5. **Nginx 最小验证**：`docs/02-00-nginx-系列说明.md` → `docs/02-05-nginx-验证矩阵-一键部署.md`，先打通「能访问」；也可在装好集群并配置 `.env.verify` 后直接 `./scripts/verify.sh run 02-05`。
 6. **Node.js 主线入口**：`docs/04-01-k3s-nodejs-高级部署.md`；`docs/04-02`～`04-14` 为分项，**按需展开**，不挤进主线编号。
-5. **再做 nodejs、dashboard、acme**
+**主线之后（按需，不占主线序号）**：Traefik 面板与证书（如 `docs/03-01-k3s-traefik-dashboard.md`、`docs/03-02-k3s-traefik-acme.md`）、存储与应用（`03-05` 起、`05-**`）等 — 见总览中的「主线之后的分叉」与专题导航。
   对应看 `docs/04-01-k3s-nodejs-高级部署.md`、`docs/03-01-k3s-traefik-dashboard.md`、`docs/03-02-k3s-traefik-acme.md`。
-6. **遇到 502/不通，直接用脚本排障**
+**任意一步卡住**：排障见 `scripts/README.md`（如 firewalld 基线、入口链路诊断）；NetworkPolicy 见 `docs/06-01-k3s-networkpolicy-故障排查.md`。
   去 `scripts/README.md` 抄命令，优先跑入口链路诊断和 firewalld 基线脚本。
-## 30 分钟快速通关（最小必做）
+## 30 分钟快速通关（4 步）
-如果你时间有限，先只做这 4 步，跑通再扩展：
+相当于**跳过主线第 2 步（概念）**并**压缩第 1 步（只抓总览要点）**；跑通再按 6 步补全。
-1. **装集群**：用 Ansible 按 `docs/01-06-节点初始化-ansible-实践.md` 一键安装（推荐）；或按 `docs/01-01` + `docs/01-02` 手动装控制节点（61）与工作节点（62）
+1. **装集群**：Ansible 按 `docs/01-06-节点初始化-ansible-实践.md`（推荐）；或 `docs/01-01` + `docs/01-02` 手动装控制节点（61）与工作节点（62）。
-2. 执行 `kubectl get nodes`，确认节点 Ready
+2. `kubectl get nodes`，确认节点 Ready。
-3. 按 `docs/04-03-k3s-nginx-demo.md` 部署 nginx 示例并访问一次
+3. 按 `docs/02-05-nginx-验证矩阵-一键部署.md` 部署 nginx 矩阵并访问一次（可先读 `docs/02-00-nginx-系列说明.md`）。
-4. 若访问不通，按 `scripts/README.md` 先跑 firewalld 基线与入口链路诊断脚本
+4. 若访问不通，按 `scripts/README.md` 先跑 firewalld 基线与入口链路诊断脚本。
-跑到这里就算「基础链路通关」。后面再继续 nodejs、dashboard、acme 会轻松很多。  
+跑到这里算「基础链路通关」。后续再补 `04-01`、Traefik、存储等会轻松很多。  
-如果你愿意，也可以顺手在 `docs/00-02-验证矩阵.md` 里，把对应文档的状态改成“已验证”，方便以后回顾。
+若愿意，可在对应实验篇文档里补充你自己的“已验证环境/日期/版本”记录（不再维护统一矩阵页）。
 ## 一句话建议
-先把基础链路（61/62:80）跑通，再叠加业务；每做完一步都做一次 `curl` 验证，排障会轻松很多。
+先把基础链路（如 61/62:80）跑通，再叠加业务；每做完一步做一次 `curl` 验证，排障会轻松很多。
 补充：`verify.sh` 支持按范围筛选执行（`--series`、`--id-regex`、`--exclude-noop`、`--require-teardown`），适合做分批回归与 CI 分层跑批。
--- a/ansible/files/00-01-k3s-基础概念/README.md
+++ b/ansible/files/00-01-k3s-基础概念/README.md
@@ -1,9 +0,0 @@
 # 00-01-k3s-基础概念（占位）
 对应文档：[`docs/00-01-k3s-基础概念.md`](../../docs/00-01-k3s-基础概念.md)
 ## 说明
 - 本篇为概念性文档，**不提供可部署的 Kubernetes 清单**。
 - 验证方式：按文档理解与对照集群实际输出即可（无 `kubectl apply -f` 目标）。
--- a/ansible/files/00-04-部署环境说明/README.md
+++ b/ansible/files/00-04-部署环境说明/README.md
@@ -1,9 +0,0 @@
 # 00-04-部署环境说明（占位）
 对应文档：[`docs/00-04-部署环境说明.md`](../../docs/00-04-部署环境说明.md)
 ## 说明
 - 本篇为环境说明文档，**不提供可部署的 Kubernetes 清单**。
 - 验证方式：按文档逐项核对你的实际环境信息（节点、磁盘挂载、版本等）。
--- a/ansible/files/01-01-k3s-控制节点含traefik/README.md
+++ b/ansible/files/01-01-k3s-控制节点含traefik/README.md
@@ -1,13 +0,0 @@
 # 01-01-k3s-控制节点含traefik（占位）
 对应文档：[`docs/01-01-k3s-控制节点含traefik.md`](../../docs/01-01-k3s-控制节点含traefik.md)
 ## 说明
 - 本篇主要是 **K3s 安装与集群初始化**，核心部署逻辑在 Ansible playbook 中。
 - 本目录仅作为 doc_id 对齐占位；不单独维护 K8s manifests。
 ## 关联（参考）
 - Ansible：`ansible/playbooks/k3s-init-and-install.yml`
--- a/ansible/files/01-02-k3s-工作节点/README.md
+++ b/ansible/files/01-02-k3s-工作节点/README.md
@@ -1,13 +0,0 @@
 # 01-02-k3s-工作节点（占位）
 对应文档：[`docs/01-02-k3s-工作节点.md`](../../docs/01-02-k3s-工作节点.md)
 ## 说明
 - 本篇主要是 **工作节点加入 K3s 集群** 与节点侧配置。
 - 本目录仅作为 doc_id 对齐占位；不单独维护 K8s manifests。
 ## 关联（参考）
 - Ansible：`ansible/playbooks/k3s-init-and-install.yml`
--- a/ansible/files/01-03-armv7-standalone-docker/README.md
+++ b/ansible/files/01-03-armv7-standalone-docker/README.md
@@ -1,9 +0,0 @@
 # 01-03-armv7-standalone-docker（占位）
 对应文档：[`docs/01-03-armv7-standalone-docker.md`](../../docs/01-03-armv7-standalone-docker.md)
 ## 说明
 - 本篇为 armv7 设备的 Docker 独立部署说明，**不提供 K3s/Kubernetes 清单**。
 - 本目录仅用于 doc_id 对齐占位。
--- a/ansible/files/01-04-双控制节点ha/README.md
+++ b/ansible/files/01-04-双控制节点ha/README.md
@@ -1,9 +0,0 @@
 # 01-04-双控制节点ha（占位）
 对应文档：[`docs/01-04-双控制节点ha.md`](../../docs/01-04-双控制节点ha.md)
 ## 说明
 - 本篇为 HA/双控制节点方案说明，部署更多依赖集群架构与外部 LB 配置。
 - 本目录仅用于 doc_id 对齐占位；不提供独立 K8s manifests。
--- a/ansible/files/01-05-armv7-nfs服务安装/README.md
+++ b/ansible/files/01-05-armv7-nfs服务安装/README.md
@@ -1,9 +0,0 @@
 # 01-05-armv7-nfs服务安装（占位）
 对应文档：[`docs/01-05-armv7-nfs服务安装.md`](../../docs/01-05-armv7-nfs服务安装.md)
 ## 说明
 - 本篇为 armv7 设备上 NFS 服务安装说明，**不提供 K3s/Kubernetes 清单**。
 - 本目录仅用于 doc_id 对齐占位。
--- a/ansible/files/01-06-节点初始化-ansible-实践/README.md
+++ b/ansible/files/01-06-节点初始化-ansible-实践/README.md
@@ -1,13 +0,0 @@
 # 01-06-节点初始化-ansible-实践（占位）
 对应文档：[`docs/01-06-节点初始化-ansible-实践.md`](../../docs/01-06-节点初始化-ansible-实践.md)
 ## 说明
 - 本篇的“真源”是 Ansible playbooks（初始化、安装、验证）。
 - 本目录仅用于 doc_id 对齐占位；不单独维护 K8s manifests。
 ## 关联（参考）
 - Ansible：`ansible/playbooks/k3s-init-and-install.yml`
--- a/ansible/files/01-07-haproxy/README.md
+++ b/ansible/files/01-07-haproxy/README.md
@@ -1,38 +0,0 @@
 # 01-07 HAProxy 配置
 ## 核心目标
 本目录下的 **所有 `*.cfg` 必须可被 HAProxy 正确解析并符合文档意图**。验证分两层：
 | 层次 | 含义 | 如何验证 |
 |------|------|----------|
 | **① 语法正确** | `haproxy -c -f <cfg>` 无致命错误 | 见下文「仅校验 cfg」或主验证脚本第 2 步 |
 | **② 运行与后端** | 在 OpenWrt 上实际监听 18080/18443 时，经第三方主机 curl 可达 K3s/Traefik 后端 | `./scripts/01-07-verify-haproxy.sh`（完整流程，含 curl） |
 仓库内 **frontend 已统一为 `18080` / `18443`**（与 LuCI 的 80/443 分离）；backend 仍指向各节点 **80/443**（Traefik 入口）。按环境修改 `192.168.2.61`～`192.168.2.64`。
 ## 仅校验本目录 cfg（不跑 curl）
 仅需确认 **① 语法**，在仓库根目录执行：
 ```bash
 ./scripts/01-07-verify-haproxy.sh --cfg-only
 ```
 会将本目录全部 `*.cfg` 拷到 OpenWrt 的 `/tmp/haproxy-verify/`，对每台文件执行 `haproxy -c`（与 OpenWrt 上安装的 HAProxy 版本一致）。
 **说明**：`haproxy-https.cfg` 含 `ssl crt /etc/ssl/haproxy.pem`；若路由器上**没有**该 pem，语法检查可能失败，脚本会标为 `[SKIP]`。在 OpenWrt 放置有效 pem 后应能通过 `haproxy -c`。
 ## 文件一览
 | 文件 | 说明（对应 `docs/01-07-openwrt-haproxy.md`） |
 |------|-----------------------------------------------|
 | `haproxy-no-check.cfg` | §2 最简；§3.1 在其 `server` 行加 `check` |
 | `haproxy-http.cfg` | §3.2 HTTP 健康检查（明文 80 后端） |
 | `haproxy-tls.cfg` | §3.3 TLS 握手检查（443 后端，`mode tcp`） |
 | `haproxy-https.cfg` | §3.4 HTTPS 应用层检查（需 HAProxy 终结 TLS，由 HAProxy 提供证书） |
 | `haproxy-proxy-http-tls.cfg` | §5 PROXY + HTTP/TLS 检查 |
 ## 与 Ansible / OpenWrt
 可与 Ansible 共用（复制到 OpenWrt 或通过 playbook 下发）。一键把 **uhttpd 80/443 + HAProxy 18080/18443** 落到路由器见 `scripts/01-07-deploy-openwrt-haproxy.sh`。
--- a/ansible/files/01-07-haproxy/haproxy-http.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-http.cfg
--- a/ansible/files/01-07-haproxy/haproxy-https.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-https.cfg
--- a/ansible/files/01-07-haproxy/haproxy-no-check.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-no-check.cfg
--- a/ansible/files/01-07-haproxy/haproxy-proxy-http-tls.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-proxy-http-tls.cfg
--- a/ansible/files/01-07-haproxy/haproxy-tls.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-tls.cfg
--- a/ansible/files/02-00-nginx-系列说明/README.md
+++ b/ansible/files/02-00-nginx-系列说明/README.md
@@ -1,12 +0,0 @@
 # 02-00-nginx-系列说明（占位）
 对应文档：[`docs/02-00-nginx-系列说明.md`](../../docs/02-00-nginx-系列说明.md)
 ## 清单复用说明
 本系列（02-01～02-04）的可部署清单统一收敛在：
 - `ansible/files/02-05-nginx-matrix/`
 本目录仅用于 doc_id 对齐占位。
--- a/ansible/files/02-01-nginx-control-ingress/README.md
+++ b/ansible/files/02-01-nginx-control-ingress/README.md
@@ -1,15 +0,0 @@
 # 02-01-nginx-control-ingress（占位）
 对应文档：[`docs/02-01-nginx-control-ingress.md`](../../docs/02-01-nginx-control-ingress.md)
 ## 真源清单
 - 复用清单目录：`ansible/files/02-05-nginx-matrix/`
 - 对应文件：`01-control-ingress.yaml`
 应用示例：
 ```bash
 kubectl apply -f ansible/files/02-05-nginx-matrix/01-control-ingress.yaml
 ```
--- a/ansible/files/02-02-nginx-control-ingressroute/README.md
+++ b/ansible/files/02-02-nginx-control-ingressroute/README.md
@@ -1,15 +0,0 @@
 # 02-02-nginx-control-ingressroute（占位）
 对应文档：[`docs/02-02-nginx-control-ingressroute.md`](../../docs/02-02-nginx-control-ingressroute.md)
 ## 真源清单
 - 复用清单目录：`ansible/files/02-05-nginx-matrix/`
 - 对应文件：`02-control-ingressroute.yaml`
 应用示例：
 ```bash
 kubectl apply -f ansible/files/02-05-nginx-matrix/02-control-ingressroute.yaml
 ```
--- a/ansible/files/02-03-nginx-worker-ingress/README.md
+++ b/ansible/files/02-03-nginx-worker-ingress/README.md
@@ -1,15 +0,0 @@
 # 02-03-nginx-worker-ingress（占位）
 对应文档：[`docs/02-03-nginx-worker-ingress.md`](../../docs/02-03-nginx-worker-ingress.md)
 ## 真源清单
 - 复用清单目录：`ansible/files/02-05-nginx-matrix/`
 - 对应文件：`03-worker-ingress.yaml`
 应用示例：
 ```bash
 kubectl apply -f ansible/files/02-05-nginx-matrix/03-worker-ingress.yaml
 ```
--- a/ansible/files/02-04-nginx-worker-ingressroute/README.md
+++ b/ansible/files/02-04-nginx-worker-ingressroute/README.md
@@ -1,15 +0,0 @@
 # 02-04-nginx-worker-ingressroute（占位）
 对应文档：[`docs/02-04-nginx-worker-ingressroute.md`](../../docs/02-04-nginx-worker-ingressroute.md)
 ## 真源清单
 - 复用清单目录：`ansible/files/02-05-nginx-matrix/`
 - 对应文件：`04-worker-ingressroute.yaml`
 应用示例：
 ```bash
 kubectl apply -f ansible/files/02-05-nginx-matrix/04-worker-ingressroute.yaml
 ```
--- a/ansible/files/02-05-nginx-matrix/README.md
+++ b/ansible/files/02-05-nginx-matrix/README.md
@@ -1,13 +0,0 @@
 # Nginx 矩阵 manifests
 用于 `ansible/playbooks/nginx-matrix-deploy.yml` 一键部署。
 | 文件 | 场景 | 路径 | 节点 |
 |------|------|------|------|
 | 01-control-ingress.yaml | M1 控制+Ingress | /demo-m1 | 无 nodeSelector |
 | 02-control-ingressroute.yaml | M2 控制+IngressRoute | /demo-m2 | 无 nodeSelector |
 | 03-worker-ingress.yaml | M3 工作+Ingress | /demo-m3 | nodeSelector=worker（随机） |
 | 04-worker-ingressroute.yaml | M4 工作+IngressRoute | /demo-m4 | nodeSelector=ylc64 |
 M4 默认指定 ylc64，M3 随机工作节点；按实际修改。
--- a/ansible/files/02-05-nginx-matrix/01-control-ingress.yaml
+++ b/ansible/files/02-05-nginx-matrix/01-control-ingress.yaml
--- a/ansible/files/02-05-nginx-matrix/02-control-ingressroute.yaml
+++ b/ansible/files/02-05-nginx-matrix/02-control-ingressroute.yaml
--- a/ansible/files/02-05-nginx-matrix/03-worker-ingress.yaml
+++ b/ansible/files/02-05-nginx-matrix/03-worker-ingress.yaml
--- a/ansible/files/02-05-nginx-matrix/04-worker-ingressroute.yaml
+++ b/ansible/files/02-05-nginx-matrix/04-worker-ingressroute.yaml
--- a/ansible/files/03-01-traefik-dashboard/traefik-dashboard.yaml
+++ b/ansible/files/03-01-traefik-dashboard/traefik-dashboard.yaml
--- a/ansible/files/03-02-nginx-matrix-tls/01-control-ingress.yaml
+++ b/ansible/files/03-02-nginx-matrix-tls/01-control-ingress.yaml
--- a/ansible/files/03-02-nginx-matrix-tls/02-control-ingressroute.yaml
+++ b/ansible/files/03-02-nginx-matrix-tls/02-control-ingressroute.yaml
--- a/ansible/files/03-02-nginx-matrix-tls/03-worker-ingress.yaml
+++ b/ansible/files/03-02-nginx-matrix-tls/03-worker-ingress.yaml
--- a/ansible/files/03-02-nginx-matrix-tls/04-worker-ingressroute.yaml
+++ b/ansible/files/03-02-nginx-matrix-tls/04-worker-ingressroute.yaml
--- a/ansible/files/03-02-traefik-acme/traefik-acme.yaml
+++ b/ansible/files/03-02-traefik-acme/traefik-acme.yaml
--- a/ansible/files/03-03-traefik-dashboard-acme/tomcat-acme.yaml
+++ b/ansible/files/03-03-traefik-dashboard-acme/tomcat-acme.yaml
--- a/ansible/files/03-03-traefik-dashboard-acme/traefik-dashboard-acme.yaml
+++ b/ansible/files/03-03-traefik-dashboard-acme/traefik-dashboard-acme.yaml
--- a/ansible/files/03-04-cloudflare-tunnel/cloudflared.yaml
+++ b/ansible/files/03-04-cloudflare-tunnel/cloudflared.yaml
--- a/ansible/files/03-05-local-path-config/local-path-config-lab.json
+++ b/ansible/files/03-05-local-path-config/local-path-config-lab.json
--- a/ansible/files/03-05-local-path-demo/local-path-pvc-demo.yaml
+++ b/ansible/files/03-05-local-path-demo/local-path-pvc-demo.yaml
--- a/ansible/files/03-05/nginx-hostpath-demo.yaml
+++ b/ansible/files/03-05/nginx-hostpath-demo.yaml
@@ -0,0 +1,43 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: nginx-hostpath-demo
  namespace: default
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-hostpath-demo
  template:
    metadata:
      labels:
        app: nginx-hostpath-demo
    spec:
      nodeSelector:
        kubernetes.io/hostname: ylc61
      containers:
        - name: nginx
          image: nginx:1.27-alpine
          ports:
            - containerPort: 80
          volumeMounts:
            - name: app-data
              mountPath: /usr/share/nginx/html
      volumes:
        - name: app-data
          hostPath:
            path: /data/nginx-hostpath-demo
            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: nginx-hostpath-demo
  namespace: default
 spec:
  selector:
    app: nginx-hostpath-demo
  ports:
    - port: 80
      targetPort: 80
  type: ClusterIP
--- a/ansible/files/03-06/nfs-direct-demo.yaml
+++ b/ansible/files/03-06/nfs-direct-demo.yaml
@@ -0,0 +1,26 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: nfs-direct-demo
  namespace: default
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: nfs-direct-demo
  template:
    metadata:
      labels:
        app: nfs-direct-demo
    spec:
      containers:
        - name: app
          image: nginx:alpine
          volumeMounts:
            - name: nfs-data
              mountPath: /usr/share/nginx/html
      volumes:
        - name: nfs-data
          nfs:
            server: <NFS_SERVER_IP>
            path: <NFS_EXPORT_PATH_OR_SUBDIR>
--- a/ansible/files/03-06/nfs-dynamic-pvc-demo.yaml
+++ b/ansible/files/03-06/nfs-dynamic-pvc-demo.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: nfs-dynamic-pvc-demo
  namespace: default
 spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client
  resources:
    requests:
      storage: 5Gi
--- a/ansible/files/03-06-nfs-demo/nfs-pv-pvc-demo.yaml
+++ b/ansible/files/03-06-nfs-demo/nfs-pv-pvc-demo.yaml
--- a/ansible/files/03-07-longhorn/values-lab.yaml
+++ b/ansible/files/03-07-longhorn/values-lab.yaml
--- a/ansible/files/03-08-k3s-ha-集群配置与切换/README.md
+++ b/ansible/files/03-08-k3s-ha-集群配置与切换/README.md
@@ -1,9 +0,0 @@
 # 03-08-k3s-ha-集群配置与切换（占位）
 对应文档：[`docs/03-08-k3s-ha-集群配置与切换.md`](../../docs/03-08-k3s-ha-集群配置与切换.md)
 ## 说明
 - 本篇偏架构/流程与配置项梳理，具体落地会涉及多节点与外部组件（如 LB/DNS/证书）。
 - 本目录仅用于 doc_id 对齐占位；暂无独立可复用 manifests。
--- a/ansible/files/03-09-k3s-gitops-集群配置管理/README.md
+++ b/ansible/files/03-09-k3s-gitops-集群配置管理/README.md
@@ -1,9 +0,0 @@
 # 03-09-k3s-gitops-集群配置管理（占位）
 对应文档：[`docs/03-09-k3s-gitops-集群配置管理.md`](../../docs/03-09-k3s-gitops-集群配置管理.md)
 ## 说明
 - 本篇为 GitOps 框架草案（Argo CD / Flux 等），最终 manifests 取决于选型与版本。
 - 本目录仅用于 doc_id 对齐占位；暂无固定清单。
--- a/ansible/files/03-10-traefik-custom-ports/traefik-custom-ports.yaml
+++ b/ansible/files/03-10-traefik-custom-ports/traefik-custom-ports.yaml
--- a/ansible/files/04-01-nodejs-demo/README.md
+++ b/ansible/files/04-01-nodejs-demo/README.md
@@ -1,43 +0,0 @@
 # Node.js demo 清单（与 docs/04-01～04-14 对齐）
 **唯一真源**：本目录下 YAML 与 `docs/` 中说明一致；文档内不重复贴全文，避免漂移。
 ## 累积规则
 - `04-0N-nodejs-demo.yaml` 表示：从 `04-01` 起顺序做完 **04-01～04-0N** 各篇能力后的 **一份** 可 `kubectl apply -f` 的完整状态（多资源用 `---` 分隔）。
 - **可直接跳到最后一份** 做实验，不必逐文件 apply；若要理解每步增量，可按编号顺序阅读文档并对照相邻两个 YAML 的差异。
 - **04-14**（GitOps/CI）无独立清单，见 `docs/04-14-nodejs-GitOps与CI流水线.md` 与 `docs/05-04-k3s-配置gitlab-cicd.md`、`docs/03-09-k3s-gitops-集群配置管理.md`。
 ## 文件与文档对照
 | 文件 | 文档 | 备注 |
 |------|------|------|
 | `04-01-nodejs-demo.yaml` | `docs/04-01-k3s-nodejs-高级部署.md` | 基线：3000、`/node`、无 host |
 | `04-02-nodejs-demo.yaml` | `docs/04-02-nodejs-镜像与运行命令.md` | 固定镜像 tag、`imagePullPolicy` |
 | `04-03-nodejs-demo.yaml` | `docs/04-03-nodejs-环境变量与配置注入.md` | + ConfigMap；Secret 示例见文末 `nodejs-demo-secret.example.yaml` |
 | `04-04-nodejs-demo.yaml` | `docs/04-04-nodejs-端口与Service.md` | 监听改 **8080**（自 04-04 起探针与后续均用 8080） |
 | `04-05-nodejs-demo.yaml` | `docs/04-05-nodejs-资源请求与限制.md` | + resources |
 | `04-06-nodejs-demo.yaml` | `docs/04-06-nodejs-探针与健康检查.md` | + 探针 |
 | `04-07-nodejs-demo.yaml` | `docs/04-07-nodejs-调度与亲和.md` | + `nodeSelector`（默认 **ylc62**，请改为本机节点名） |
 | `04-08-nodejs-demo.yaml` | `docs/04-08-nodejs-安全上下文.md` | + 非 root、只读根、`/tmp` emptyDir |
 | `04-09-nodejs-demo.yaml` | `docs/04-09-nodejs-存储与卷.md` | + PVC `nodejs-demo-data`（默认 **local-path**） |
 | `04-10-nodejs-demo.yaml` | `docs/04-10-nodejs-Ingress与Traefik.md` | Ingress：`host` + `/api`，curl 需 **Host** |
 | `04-11-nodejs-demo.yaml` | `docs/04-11-nodejs-副本与滚动发布.md` | replicas=3 + RollingUpdate |
 | `04-12-nodejs-demo.yaml` | `docs/04-12-nodejs-TLS与证书.md` | **websecure** + TLS；须先创建 `nodejs-demo-tls` Secret |
 | `04-13-nodejs-demo.yaml` | `docs/04-13-nodejs-HPA.md` | + HPA（需 metrics-server） |
 ## 应用方式
 ```bash
 # 仓库根目录
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-01-nodejs-demo.yaml
 ```
 或使用 Ansible：`ansible/playbooks/nodejs-demo-apply.yml`，变量 `nodejs_demo_manifest` 指定文件名。
 ## dry-run
 ```bash
 kubectl apply --dry-run=client -f ansible/files/04-01-nodejs-demo/04-01-nodejs-demo.yaml
 ```
--- a/ansible/files/04-01-nodejs-demo/04-01-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-01-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-02-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-02-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-03-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-03-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-04-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-04-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-05-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-05-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-06-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-06-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-07-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-07-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-08-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-08-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-09-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-09-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-10-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-10-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-11-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-11-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-12-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-12-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/04-13-nodejs-demo.yaml
+++ b/ansible/files/04-01-nodejs-demo/04-13-nodejs-demo.yaml
--- a/ansible/files/04-01-nodejs-demo/nodejs-demo-secret.example.yaml
+++ b/ansible/files/04-01-nodejs-demo/nodejs-demo-secret.example.yaml
--- a/ansible/files/04-02-nodejs-镜像与运行命令/README.md
+++ b/ansible/files/04-02-nodejs-镜像与运行命令/README.md
@@ -1,13 +0,0 @@
 # 04-02-nodejs-镜像与运行命令（占位）
 对应文档：[`docs/04-02-nodejs-镜像与运行命令.md`](../../docs/04-02-nodejs-镜像与运行命令.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-02-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-02-nodejs-demo.yaml
 ```
--- a/ansible/files/04-03-nodejs-环境变量与配置注入/README.md
+++ b/ansible/files/04-03-nodejs-环境变量与配置注入/README.md
@@ -1,13 +0,0 @@
 # 04-03-nodejs-环境变量与配置注入（占位）
 对应文档：[`docs/04-03-nodejs-环境变量与配置注入.md`](../../docs/04-03-nodejs-环境变量与配置注入.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-03-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-03-nodejs-demo.yaml
 ```
--- a/ansible/files/04-04-nodejs-端口与Service/README.md
+++ b/ansible/files/04-04-nodejs-端口与Service/README.md
@@ -1,13 +0,0 @@
 # 04-04-nodejs-端口与Service（占位）
 对应文档：[`docs/04-04-nodejs-端口与Service.md`](../../docs/04-04-nodejs-端口与Service.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-04-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-04-nodejs-demo.yaml
 ```
--- a/ansible/files/04-05-nodejs-资源请求与限制/README.md
+++ b/ansible/files/04-05-nodejs-资源请求与限制/README.md
@@ -1,13 +0,0 @@
 # 04-05-nodejs-资源请求与限制（占位）
 对应文档：[`docs/04-05-nodejs-资源请求与限制.md`](../../docs/04-05-nodejs-资源请求与限制.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-05-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-05-nodejs-demo.yaml
 ```
--- a/ansible/files/04-06-nodejs-探针与健康检查/README.md
+++ b/ansible/files/04-06-nodejs-探针与健康检查/README.md
@@ -1,13 +0,0 @@
 # 04-06-nodejs-探针与健康检查（占位）
 对应文档：[`docs/04-06-nodejs-探针与健康检查.md`](../../docs/04-06-nodejs-探针与健康检查.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-06-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-06-nodejs-demo.yaml
 ```
--- a/ansible/files/04-07-nodejs-调度与亲和/README.md
+++ b/ansible/files/04-07-nodejs-调度与亲和/README.md
@@ -1,13 +0,0 @@
 # 04-07-nodejs-调度与亲和（占位）
 对应文档：[`docs/04-07-nodejs-调度与亲和.md`](../../docs/04-07-nodejs-调度与亲和.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-07-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-07-nodejs-demo.yaml
 ```
--- a/ansible/files/04-08-nodejs-安全上下文/README.md
+++ b/ansible/files/04-08-nodejs-安全上下文/README.md
@@ -1,13 +0,0 @@
 # 04-08-nodejs-安全上下文（占位）
 对应文档：[`docs/04-08-nodejs-安全上下文.md`](../../docs/04-08-nodejs-安全上下文.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-08-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-08-nodejs-demo.yaml
 ```
--- a/ansible/files/04-09-nodejs-存储与卷/README.md
+++ b/ansible/files/04-09-nodejs-存储与卷/README.md
@@ -1,13 +0,0 @@
 # 04-09-nodejs-存储与卷（占位）
 对应文档：[`docs/04-09-nodejs-存储与卷.md`](../../docs/04-09-nodejs-存储与卷.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-09-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-09-nodejs-demo.yaml
 ```
--- a/ansible/files/04-10-nodejs-Ingress与Traefik/README.md
+++ b/ansible/files/04-10-nodejs-Ingress与Traefik/README.md
@@ -1,13 +0,0 @@
 # 04-10-nodejs-Ingress与Traefik（占位）
 对应文档：[`docs/04-10-nodejs-Ingress与Traefik.md`](../../docs/04-10-nodejs-Ingress与Traefik.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-10-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-10-nodejs-demo.yaml
 ```
--- a/ansible/files/04-11-nodejs-副本与滚动发布/README.md
+++ b/ansible/files/04-11-nodejs-副本与滚动发布/README.md
@@ -1,13 +0,0 @@
 # 04-11-nodejs-副本与滚动发布（占位）
 对应文档：[`docs/04-11-nodejs-副本与滚动发布.md`](../../docs/04-11-nodejs-副本与滚动发布.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-11-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-11-nodejs-demo.yaml
 ```
--- a/ansible/files/04-12-nodejs-TLS与证书/README.md
+++ b/ansible/files/04-12-nodejs-TLS与证书/README.md
@@ -1,13 +0,0 @@
 # 04-12-nodejs-TLS与证书（占位）
 对应文档：[`docs/04-12-nodejs-TLS与证书.md`](../../docs/04-12-nodejs-TLS与证书.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-12-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-12-nodejs-demo.yaml
 ```
--- a/ansible/files/04-13-nodejs-HPA/README.md
+++ b/ansible/files/04-13-nodejs-HPA/README.md
@@ -1,13 +0,0 @@
 # 04-13-nodejs-HPA（占位）
 对应文档：[`docs/04-13-nodejs-HPA.md`](../../docs/04-13-nodejs-HPA.md)
 ## 真源清单（复用 04-01 累积目录）
 - 真源目录：`ansible/files/04-01-nodejs-demo/`
 - 对应累积清单：`04-13-nodejs-demo.yaml`
 ```bash
 kubectl apply -f ansible/files/04-01-nodejs-demo/04-13-nodejs-demo.yaml
 ```
--- a/ansible/files/04-14-nodejs-GitOps与CI流水线/README.md
+++ b/ansible/files/04-14-nodejs-GitOps与CI流水线/README.md
@@ -1,9 +0,0 @@
 # 04-14-nodejs-GitOps与CI流水线（占位）
 对应文档：[`docs/04-14-nodejs-GitOps与CI流水线.md`](../../docs/04-14-nodejs-GitOps与CI流水线.md)
 ## 说明
 - 本篇为流程/方法论文档，通常不会提供一份固定可复用的 K8s 清单。
 - 如需参考示例清单，可从 `ansible/files/04-01-nodejs-demo/` 选择对应阶段的累积 YAML。
--- a/ansible/files/05-01/glances-docker-compose.example.yaml
+++ b/ansible/files/05-01/glances-docker-compose.example.yaml
@@ -0,0 +1,10 @@
 services:
  glances:
    image: nicolargo/glances:latest
    container_name: glances
    environment:
      - TZ=Asia/Shanghai
      - GLANCES_OPT=-w
    ports:
      - "61208:61208"
    restart: unless-stopped
--- a/ansible/files/05-01/homer-glances-item.example.yaml
+++ b/ansible/files/05-01/homer-glances-item.example.yaml
@@ -0,0 +1,6 @@
 # Homer config.yml fragment example
 - name: "System Metrics"
  type: "Glances"
  icon: "fa-solid fa-heart-pulse"
  url: "https://glances.example.com"
  stats: [cpu, mem]
--- a/ansible/files/05-01-homer/homer.yaml
+++ b/ansible/files/05-01-homer/homer.yaml
--- a/ansible/files/05-02-onenav/onenav-proxy.yaml
+++ b/ansible/files/05-02-onenav/onenav-proxy.yaml
--- a/ansible/files/05-03-gitlab-runner/gitlab-ci-runner-tags.example.yml
+++ b/ansible/files/05-03-gitlab-runner/gitlab-ci-runner-tags.example.yml
--- a/ansible/files/05-04-gitlab-cicd/README.md
+++ b/ansible/files/05-04-gitlab-cicd/README.md
@@ -1,10 +0,0 @@
 # GitLab CI 示例（与 docs 对照）
 | 文件 | 文档 |
 |------|------|
 | `gitlab-ci-minimal.example.yml` | `docs/05-04-k3s-配置gitlab-cicd.md` |
 | `gitlab-ci-multi-arch-deploy.example.yml` | `docs/05-04-k3s-配置gitlab-cicd.md` |
 | `../05-03-gitlab-runner/gitlab-ci-runner-tags.example.yml` | `docs/05-03-k3s-安装gitlab-含runner.md` |
 复制为 `.gitlab-ci.yml` 或 `include` 引用；变量与 Runner 以文档为准。
--- a/ansible/files/05-04-gitlab-cicd/gitlab-ci-minimal.example.yml
+++ b/ansible/files/05-04-gitlab-cicd/gitlab-ci-minimal.example.yml
--- a/ansible/files/05-04-gitlab-cicd/gitlab-ci-multi-arch-deploy.example.yml
+++ b/ansible/files/05-04-gitlab-cicd/gitlab-ci-multi-arch-deploy.example.yml
--- a/ansible/files/05-05-prometheus与grafana/README.md
+++ b/ansible/files/05-05-prometheus与grafana/README.md
@@ -1,9 +0,0 @@
 # 05-05-prometheus与grafana（占位）
 对应文档：[`docs/05-05-prometheus与grafana.md`](../../docs/05-05-prometheus与grafana.md)
 ## 说明
 - 监控栈通常通过 Helm Chart（如 kube-prometheus-stack）安装，清单会随版本变化。
 - 本目录仅用于 doc_id 对齐占位；后续若固化 values/Chart 版本，可在此补齐 manifests/values。
--- a/ansible/files/05-06-openlist/openlist-backup-cronjob.yaml
+++ b/ansible/files/05-06-openlist/openlist-backup-cronjob.yaml
--- a/ansible/files/05-07-openclaw/openclaw-proxy.yaml
+++ b/ansible/files/05-07-openclaw/openclaw-proxy.yaml
--- a/ansible/files/05-07-openclaw/openclaw-server.yml
+++ b/ansible/files/05-07-openclaw/openclaw-server.yml
--- a/ansible/files/05-08-openclaw/openclaw-k3s-experimental.yaml
+++ b/ansible/files/05-08-openclaw/openclaw-k3s-experimental.yaml
--- a/ansible/files/05-09-openclaw-web-小游戏网页平台/openclaw-web.yml
+++ b/ansible/files/05-09-openclaw-web-小游戏网页平台/openclaw-web.yml
--- a/ansible/files/06-01-k3s-networkpolicy-故障排查/README.md
+++ b/ansible/files/06-01-k3s-networkpolicy-故障排查/README.md
@@ -1,9 +0,0 @@
 # 06-01-k3s-networkpolicy-故障排查（占位）
 对应文档：[`docs/06-01-k3s-networkpolicy-故障排查.md`](../../docs/06-01-k3s-networkpolicy-故障排查.md)
 ## 说明
 - 本篇为排障手册/命令集合，**不提供固定可部署清单**。
 - 本目录仅用于 doc_id 对齐占位。
--- a/ansible/files/06-02-运维小结/README.md
+++ b/ansible/files/06-02-运维小结/README.md
@@ -1,9 +0,0 @@
 # 06-02-运维小结（占位）
 对应文档：[`docs/06-02-运维小结.md`](../../docs/06-02-运维小结.md)
 ## 说明
 - 本篇为运维建议/巡检要点总结，通常不对应单一可部署清单。
 - 本目录仅用于 doc_id 对齐占位。
--- a/ansible/files/06-03-k3s-自动备份与恢复-openlist-webdav/README.md
+++ b/ansible/files/06-03-k3s-自动备份与恢复-openlist-webdav/README.md
@@ -1,12 +0,0 @@
 # 06-03-k3s-自动备份与恢复-openlist-webdav（对齐 README）
 对应文档：[`docs/06-03-k3s-自动备份与恢复-openlist-webdav.md`](../../docs/06-03-k3s-自动备份与恢复-openlist-webdav.md)
 ## 真源清单目录
 本篇可部署清单当前收敛在：
 - `ansible/files/06-03-openlist-webdav/`
 说明：该目录名未镜像 docs 文件名；为满足“doc_id 目录对齐”口径，本目录仅作为桥接与入口。
--- a/ansible/files/06-03-openlist-webdav/app-data-backup-cronjob.yaml
+++ b/ansible/files/06-03-openlist-webdav/app-data-backup-cronjob.yaml
--- a/ansible/files/06-03-openlist-webdav/app-data-restore-job.yaml
+++ b/ansible/files/06-03-openlist-webdav/app-data-restore-job.yaml
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -12,14 +12,16 @@ k3s_server_ip: "192.168.2.61"
 # 安装 k3s 前校验：/storage 为挂载点且与 / 不同设备（实验室 10G+32G 建议 true；「目录式假 /storage」旧环境可 false）
 k3s_verify_storage_mount: true
-# 可选：由 playbooks/k3s-prepare-storage.yml 对第二块整盘分区、格式化并挂载到 k3s_data_dir（会清空该盘，见 01-06）
+# 可选：由 playbooks/verify/01-06.yml（-e k3s_do_prepare_storage=true）对第二块整盘分区、格式化并挂载到 k3s_data_dir（会清空该盘，见 01-06）
 k3s_prepare_storage: false
 # k3s_data_disk_device: "/dev/vdb"
 # NVMe 整盘一般为 /dev/nvme0n1，首分区为 /dev/nvme0n1p1，playbook 会按设备名自动加 1 或 p1
-# Longhorn Helm（playbooks/longhorn-install.yml）
+# Longhorn Helm（playbooks/verify/03-07.yml）
 longhorn_chart_version: "1.7.2"
 longhorn_install_node_packages: true
 # 仅在 Helm 与残留 CRD 严重冲突时设 true；默认 false。装前删光 CRD 可能导致 helm install 报 CRD not found
 longhorn_force_crd_reset: false
 # 是否在 longhorn-install 末尾应用本仓库 local-path 实验室 ConfigMap
 longhorn_apply_local_path_lab: false
--- a/ansible/playbooks/apply-local-path-config-lab.yml
+++ b/ansible/playbooks/apply-local-path-config-lab.yml
@@ -1,38 +0,0 @@
 ---
 # 部署：docs/00-05 §2 步骤 3——local-path ConfigMap；PVC 演示验收见 scripts/verify.sh run 03-05。
 # 仅应用本仓库 local-path 实验室 ConfigMap（不安装 Longhorn）。在 k3s_server 上执行。
 # 与 docs/03-05 中「方法一」一致，真源：ansible/files/03-05-local-path-config/local-path-config-lab.json
 - name: Apply local-path-config lab JSON
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    local_path_json_src: "{{ playbook_dir }}/../files/03-05-local-path-config/local-path-config-lab.json"
    local_path_json_dest: /root/local-path-config-lab.json
  tasks:
    - name: Copy local-path lab json
      ansible.builtin.copy:
        src: "{{ local_path_json_src }}"
        dest: "{{ local_path_json_dest }}"
        mode: "0644"
    - name: Apply local-path-config ConfigMap
      ansible.builtin.shell: |
        set -e
        KUBECONFIG={{ k3s_kubeconfig }} kubectl -n kube-system create configmap local-path-config \
          --from-file=config.json={{ local_path_json_dest }} \
          --dry-run=client -o yaml | KUBECONFIG={{ k3s_kubeconfig }} kubectl apply -f -
      args:
        executable: /bin/bash
      changed_when: true
    - name: Restart local-path-provisioner if present
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl -n kube-system rollout restart deploy/local-path-provisioner
      args:
        executable: /bin/bash
      register: lp_restart
      failed_when: false
      changed_when: lp_restart.rc == 0
--- a/ansible/playbooks/k3s-init-and-install.yml
+++ b/ansible/playbooks/k3s-init-and-install.yml
@@ -1,270 +0,0 @@
 ---
 # 部署：docs/00-05 §2 步骤 3「正式安装类」——全集群 K3s + 节点准备（非 verify.sh 单条 teardown）。
 # 前置：§2 步骤 1 接入（inventory/SSH）；步骤 2 可选 scripts/deploy-lab.sh 在 K3S_PREPARE_STORAGE=true 时先跑 k3s-prepare-storage.yml。
 # 入口：仓库根 ./scripts/deploy-lab.sh k3s，或 ansible-playbook -i ansible/inventory.ini ansible/playbooks/k3s-init-and-install.yml
 - name: Verify /storage is a separate mount (optional)
  hosts: k3s_nodes
  become: true
  tasks:
    - name: Check / and /storage mount sources
      when: k3s_verify_storage_mount | default(false) | bool
      block:
        - name: Get mount source for /
          ansible.builtin.command: findmnt -n -o SOURCE /
          register: mnt_root
          changed_when: false
        - name: Get mount source for /storage
          ansible.builtin.command: findmnt -n -o SOURCE /storage
          register: mnt_storage
          changed_when: false
          failed_when: false
        - name: Assert /storage is mounted on a different device than /
          ansible.builtin.assert:
            that:
              - mnt_storage.rc == 0
              - (mnt_root.stdout | trim | length) > 0
              - (mnt_storage.stdout | trim | length) > 0
              - (mnt_root.stdout | trim) != (mnt_storage.stdout | trim)
            fail_msg: >-
              /storage must be a mount point on a block device different from /.
              See docs/00-04-部署环境说明.md and docs/01-06-节点初始化-ansible-实践.md
 - name: Init base system
  hosts: k3s_nodes
  become: true
  tasks:
    # 检查当前节点上 firewalld 的运行状态，供后续条件判断使用
    - name: Check if firewalld is running
      ansible.builtin.command: firewall-cmd --state
      register: firewalld_state
      changed_when: false
      failed_when: false
    # 根据全局 timezone 变量设置系统时区（可选）
    - name: Set timezone
      ansible.builtin.command: timedatectl set-timezone {{ timezone }}
      when: timezone is defined and timezone != ""
    # 安装 k3s 所需的基础工具包（curl、git 等）
    - name: Install basic packages
      ansible.builtin.package:
        name:
          - curl
          - git
        state: present
    # 确保 /etc/hosts 中包含所有 k3s 节点的主机名解析（可选）
    - name: Ensure /etc/hosts has entries for all k3s nodes
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^\S+\s+{{ item }}\s*$'
        line: "{{ hostvars[item]['ansible_host'] }} {{ item }}"
        state: present
      loop: "{{ groups['k3s_nodes'] }}"
      when:
        - k3s_manage_hosts | default(true) | bool
        - hostvars[item]['ansible_host'] is defined
    # k3s 所需端口：8472/udp（flannel VXLAN）全部节点；6443/tcp（API）仅 server
    # 必须在安装 k3s 前开放，否则 worker 无法连接、flannel 无法建立 overlay
    # 在所有 k3s 节点上开放 flannel VXLAN 所需的 8472/udp 端口
    - name: Open flannel VXLAN port (8472/udp) on all k3s nodes
      ansible.builtin.command: firewall-cmd --permanent --add-port=8472/udp
      when:
        - k3s_manage_firewalld | default(true) | bool
        - firewalld_state.stdout | default('') == 'running'
    # 在 server 节点上开放 k3s API 端口 6443/tcp
    - name: Open k3s API port (6443/tcp) on server
      ansible.builtin.command: firewall-cmd --permanent --add-port=6443/tcp
      when:
        - k3s_manage_firewalld | default(true) | bool
        - inventory_hostname in groups['k3s_server']
        - firewalld_state.stdout | default('') == 'running'
    # 在完成端口放行后重新加载 firewalld 规则
    - name: Reload firewalld after opening k3s ports
      ansible.builtin.command: firewall-cmd --reload
      when:
        - k3s_manage_firewalld | default(true) | bool
        - firewalld_state.stdout | default('') == 'running'
 - name: Install k3s server
  hosts: k3s_server
  become: true
  tasks:
    # 在 server 节点上下载安装并启动 k3s server 进程
    - name: Download and install k3s server
      ansible.builtin.shell: |
        curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --data-dir={{ k3s_data_dir }}" sh -
      args:
        creates: "{{ k3s_data_dir }}/server"
 - name: Install k3s agent (workers)
  hosts: k3s_worker
  become: true
  serial: 1   # 逐台安装，减轻并行下载对网络的压力
  tasks:
    # 从首个 server 节点读取集群 token（仅执行一次）
    - name: Read k3s token from first server
      ansible.builtin.slurp:
        src: "{{ k3s_data_dir }}/server/token"
      delegate_to: "{{ groups['k3s_server'][0] }}"
      run_once: true
      register: k3s_token_from_server
    # 在各 worker 节点上保存解码后的 token 供后续安装使用
    - name: Set fact for k3s token on workers
      ansible.builtin.set_fact:
        k3s_token: "{{ k3s_token_from_server.content | b64decode | trim }}"
    # 在每个 worker 节点上下载安装并启动 k3s agent 进程
    - name: Install k3s agent
      ansible.builtin.shell: |
        curl -sfL https://get.k3s.io | K3S_URL=https://{{ k3s_server_ip }}:6443 K3S_TOKEN={{ k3s_token }} INSTALL_K3S_EXEC="agent --data-dir={{ k3s_data_dir }}" sh -
      args:
        creates: "{{ k3s_data_dir }}/agent"
      async: 600
      poll: 15
 - name: Configure firewalld baseline for k3s (flannel.1 / cni0 -> trusted)
  hosts: k3s_nodes
  become: true
  tasks:
    # 为 k3s 配置 firewalld 基线：将 flannel.1 / cni0 加入 trusted 区域
    - block:
        # 检查节点上 firewalld 是否可用
        - name: Check if firewalld is available
          ansible.builtin.command: firewall-cmd --state
          register: firewalld_check
          changed_when: false
          failed_when: false
        # 等待 CNI 接口 flannel.1 和 cni0 出现（k3s 启动并创建完成）
        - name: Wait for CNI interfaces (flannel.1, cni0) to appear
          ansible.builtin.shell: |
            for i in $(seq 1 120); do
              ip link show flannel.1 >/dev/null 2>&1 && ip link show cni0 >/dev/null 2>&1 && exit 0
              sleep 1
            done
            exit 1
          when: firewalld_check.stdout == 'running'
        # 将 flannel.1 / cni0 接口加入 firewalld trusted 区域（运行时和永久）
        - name: Add flannel.1 and cni0 to firewalld trusted zone (runtime + permanent)
          ansible.builtin.shell: |
            firewall-cmd --zone=trusted --add-interface={{ item }}
            firewall-cmd --permanent --zone=trusted --add-interface={{ item }}
          loop:
            - flannel.1
            - cni0
          when: firewalld_check.stdout == 'running'
        # 更新 firewalld 配置使新接口规则立即生效
        - name: Reload firewalld
          ansible.builtin.command: firewall-cmd --reload
          when: firewalld_check.stdout == 'running'
      when: k3s_manage_firewalld | default(true) | bool
 - name: Configure CoreDNS (IPv4 upstream for ACME)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
  tasks:
    - name: Wait for CoreDNS deployment to be ready
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl rollout status deployment/coredns -n kube-system --timeout=120s
      when: k3s_manage_coredns | default(true) | bool
    - name: Extract CoreDNS Corefile from ConfigMap
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl get configmap coredns -n kube-system -o jsonpath='{.data.Corefile}' > /tmp/coredns-corefile.txt
      when: k3s_manage_coredns | default(true) | bool
    - name: Patch Corefile forward to IPv4 (avoid IPv6 upstream in Pod network)
      ansible.builtin.replace:
        path: /tmp/coredns-corefile.txt
        regexp: 'forward \. /etc/resolv\.conf'
        replace: 'forward . {{ coredns_forward_servers }}'
      register: coredns_patched
      when: k3s_manage_coredns | default(true) | bool
    - name: Apply patched CoreDNS ConfigMap and restart
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl create configmap coredns --from-file=Corefile=/tmp/coredns-corefile.txt -n kube-system --dry-run=client -o yaml | KUBECONFIG={{ k3s_kubeconfig }} kubectl apply -f -
        KUBECONFIG={{ k3s_kubeconfig }} kubectl rollout restart deployment/coredns -n kube-system
        KUBECONFIG={{ k3s_kubeconfig }} kubectl rollout status deployment/coredns -n kube-system --timeout=60s
      when:
        - k3s_manage_coredns | default(true) | bool
        - coredns_patched is changed
    - name: Remove temp Corefile
      ansible.builtin.file:
        path: /tmp/coredns-corefile.txt
        state: absent
      when: k3s_manage_coredns | default(true) | bool
 - name: 安装后验证 - traefik / nodes / curl
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
  tasks:
    # 安装后为控制节点打 control-plane 标签（02-05 矩阵 M1 需此标签才能调度），节点名与 inventory 短主机名一致（ylc61～ylc64）
    - name: Label control-plane nodes (k3s 不默认打标，M1 需此标签)
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl label node {{ item }} node-role.kubernetes.io/control-plane= --overwrite
      loop: "{{ groups['k3s_server'] | default([]) }}"
    # 可选：为工作节点打 worker 标签（02-05 矩阵 M3 需要）
    - name: 可选 - 为工作节点打 worker 标签（02-05 矩阵 M3 需要）
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl label node {{ item }} node-role.kubernetes.io/worker= --overwrite
      loop: "{{ groups['k3s_worker'] | default([]) }}"
      when: k3s_manage_role_labels | default(true) | bool
    # 查看 kube-system 命名空间中与 Traefik / svclb 相关的 Pod 列表
    - name: kubectl get pods -n kube-system（traefik / svclb）
      ansible.builtin.shell: KUBECONFIG={{ k3s_kubeconfig }} kubectl get pods -n kube-system -o wide | grep -E 'NAME|traefik|svclb'
      register: verify_traefik
      changed_when: false
    # 打印上一步查询到的 Traefik 相关 Pod 信息
    - name: ">>> Traefik 相关 Pods"
      ansible.builtin.debug:
        msg: "{{ item }}"
      loop: "{{ verify_traefik.stdout_lines }}"
    # 查询当前集群中的节点列表
    - name: kubectl get nodes
      ansible.builtin.shell: KUBECONFIG={{ k3s_kubeconfig }} kubectl get nodes
      register: verify_nodes
      changed_when: false
    # 打印节点列表结果，方便确认节点状态与角色
    - name: ">>> kubectl get nodes"
      ansible.builtin.debug:
        msg: "{{ item }}"
      loop: "{{ verify_nodes.stdout_lines }}"
    # 通过 curl 测试每个节点 80 与 443 入口连通性
    - name: curl 测试各节点 80/443 可达性
      ansible.builtin.shell: |
        for ip in {{ groups['k3s_nodes'] | map('extract', hostvars) | map(attribute='ansible_host') | join(' ') }}; do
          c80=$(curl -sk -o /dev/null -w "%{http_code}" --connect-timeout 2 http://$ip 2>/dev/null) || c80="fail"
          c443=$(curl -sk -o /dev/null -w "%{http_code}" --connect-timeout 2 https://$ip 2>/dev/null) || c443="fail"
          echo "$ip: 80=$c80 443=$c443"
        done
      register: verify_curl
      changed_when: false
    - name: ">>> curl 结果"
      ansible.builtin.debug:
        msg: "{{ item }}"
      loop: "{{ verify_curl.stdout_lines }}"
--- a/ansible/playbooks/k3s-prepare-storage.yml
+++ b/ansible/playbooks/k3s-prepare-storage.yml
@@ -1,108 +0,0 @@
 ---
 # 部署：docs/00-05 §2 步骤 2～3 可选前置——数据盘 → /storage（非矩阵验收）。
 # 推荐经 scripts/deploy-lab.sh k3s 在 K3S_PREPARE_STORAGE=true 时自动串行；勿与 verify.sh run-all 混为同一含义。
 # 可选：在空白数据盘上创建单分区、ext4、fstab 并挂载到 k3s_data_dir（默认 /storage）。
 # 启用前在 group_vars/all.yml 设置 k3s_prepare_storage: true 与 k3s_data_disk_device（如 /dev/vdb）。
 # 会清空该磁盘上的数据。若 /storage 已是挂载点则跳过。
 - name: Prepare data disk and mount to k3s_data_dir
  hosts: k3s_nodes
  become: true
  tasks:
    - name: Skip notice when storage prep disabled
      ansible.builtin.debug:
        msg: "k3s_prepare_storage is false — skipping (see group_vars/all.yml)"
      when: not (k3s_prepare_storage | default(false) | bool)
    - name: Prepare block storage for k3s_data_dir
      when: k3s_prepare_storage | default(false) | bool
      block:
        - name: Require k3s_data_disk_device when k3s_prepare_storage is true
          ansible.builtin.assert:
            that:
              - k3s_data_disk_device is defined
              - (k3s_data_disk_device | string | length) > 0
            fail_msg: "Set k3s_data_disk_device (e.g. /dev/vdb) in group_vars or host_vars"
        - name: Verify k3s_data_disk_device is a block device
          ansible.builtin.command: test -b {{ k3s_data_disk_device }}
          changed_when: false
        - name: Check whether k3s_data_dir is already a mountpoint
          ansible.builtin.command: mountpoint -q {{ k3s_data_dir }}
          register: mp_k3s
          changed_when: false
          failed_when: false
        - name: Skip when k3s_data_dir already mounted
          ansible.builtin.debug:
            msg: "{{ k3s_data_dir }} already mounted — skipping partitioning on {{ inventory_hostname }}"
          when: mp_k3s.rc == 0
        - name: Install partitioning and filesystem tools
          ansible.builtin.package:
            name:
              - parted
              - e2fsprogs
            state: present
          when: mp_k3s.rc != 0
        - name: Compute first partition path (nvme*n* -> p1, else 1)
          ansible.builtin.set_fact:
            k3s_data_partition: >-
              {{ k3s_data_disk_device }}{{ 'p1' if (k3s_data_disk_device | regex_search('nvme[0-9]+n[0-9]+$')) else '1' }}
          when: mp_k3s.rc != 0
        - name: Create GPT and single ext4 partition
          ansible.builtin.command: >-
            parted -s {{ k3s_data_disk_device }} mklabel gpt mkpart primary ext4 0% 100%
          args:
            creates: "{{ k3s_data_partition }}"
          when: mp_k3s.rc != 0
        - name: Wait for partition node in /dev
          ansible.builtin.wait_for:
            path: "{{ k3s_data_partition }}"
            state: present
            timeout: 60
          when: mp_k3s.rc != 0
        - name: Detect existing filesystem on partition
          ansible.builtin.command: blkid -s TYPE -o value {{ k3s_data_partition }}
          register: fs_type
          changed_when: false
          failed_when: false
          when: mp_k3s.rc != 0
        - name: Create ext4 on partition
          ansible.builtin.command: mkfs.ext4 -F {{ k3s_data_partition }}
          when:
            - mp_k3s.rc != 0
            - (fs_type.stdout | default('') | trim | length) == 0
        - name: Read UUID of partition
          ansible.builtin.command: blkid -s UUID -o value {{ k3s_data_partition }}
          register: blk_uuid
          changed_when: false
          when: mp_k3s.rc != 0
        - name: Ensure mount directory exists
          ansible.builtin.file:
            path: "{{ k3s_data_dir }}"
            state: directory
            mode: "0755"
          when: mp_k3s.rc != 0
        - name: Add fstab entry for k3s_data_dir
          ansible.builtin.lineinfile:
            path: /etc/fstab
            regexp: "^UUID={{ blk_uuid.stdout | trim }}\\s"
            line: "UUID={{ blk_uuid.stdout | trim }}  {{ k3s_data_dir }}  ext4  defaults,nofail  0 2"
            create: true
            mode: "0644"
          when: mp_k3s.rc != 0
        - name: Mount all from fstab
          ansible.builtin.command: mount -a
          changed_when: true
          when: mp_k3s.rc != 0
--- a/ansible/playbooks/longhorn-install.yml
+++ b/ansible/playbooks/longhorn-install.yml
@@ -1,252 +0,0 @@
 ---
 # 部署：docs/00-05 §2 步骤 3——Helm 铺栈；验收见 scripts/verify.sh run 03-07。
 # Helm 安装 Longhorn（与 docs/03-07 一致）。在控制节点执行，依赖 KUBECONFIG=/etc/rancher/k3s/k3s.yaml
 # 变量：group_vars/all.yml 中 longhorn_chart_version、longhorn_install_node_packages、longhorn_apply_local_path_lab
 - name: Longhorn node packages (iSCSI, NFS client)
  hosts: k3s_nodes
  become: true
  tasks:
    - name: Install Longhorn OS dependencies
      when: longhorn_install_node_packages | default(true) | bool
      block:
        - name: Install iscsi + nfs (dnf/yum)
          ansible.builtin.package:
            name:
              - iscsi-initiator-utils
              - nfs-utils
            state: present
        - name: Enable iscsid
          ansible.builtin.systemd:
            name: iscsid
            enabled: true
            state: started
    - name: Ensure Longhorn data subdirectory exists on all nodes
      ansible.builtin.file:
        path: "{{ k3s_data_dir }}/longhorn"
        state: directory
        mode: "0700"
    - name: Pre-pull Longhorn images on all nodes (optional, avoid DockerHub EOF/ImagePullBackOff)
      when: longhorn_prepull_images | default(true) | bool
      ansible.builtin.shell: |
        set -e
        CTR="ctr --address /run/k3s/containerd/containerd.sock -n k8s.io"
        imgs=(
          "docker.io/longhornio/longhorn-manager:v{{ longhorn_chart_version }}"
          "docker.io/longhornio/longhorn-ui:v{{ longhorn_chart_version }}"
          "docker.io/longhornio/longhorn-share-manager:v{{ longhorn_chart_version }}"
          "docker.io/longhornio/longhorn-engine:v{{ longhorn_chart_version }}"
          "docker.io/longhornio/longhorn-instance-manager:v{{ longhorn_chart_version }}"
          "docker.io/longhornio/backing-image-manager:v{{ longhorn_chart_version }}"
          "docker.io/longhornio/support-bundle-kit:v0.0.45"
        )
        for img in "${imgs[@]}"; do
          ok=0
          for i in 1 2 3 4 5; do
            echo "[pull] $img (try $i/5)"
            if $CTR images pull "$img"; then
              ok=1
              break
            fi
            sleep $((i * 3))
          done
          if [ "$ok" -ne 1 ]; then
            echo "[ERR] failed pulling $img after retries"
            exit 1
          fi
        done
      args:
        executable: /bin/bash
      changed_when: true
 - name: Install Longhorn with Helm on first server
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    longhorn_values_src: "{{ playbook_dir }}/../files/03-07-longhorn/values-lab.yaml"
    longhorn_values_dest: /root/longhorn-values-lab.yaml
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
  tasks:
    - name: Install helm package (Fedora/RHEL family)
      ansible.builtin.package:
        name: helm
        state: present
      ignore_errors: true
      register: helm_pkg
    - name: Hint if helm package install failed (install Helm 3 manually if needed)
      ansible.builtin.debug:
        msg: "dnf/yum 未装上 helm 时，请见 https://helm.sh/docs/intro/install/"
      when: helm_pkg.failed | default(false)
    - name: Fail if helm binary still unavailable
      ansible.builtin.command: which helm
      register: helm_which
      changed_when: false
      failed_when: helm_which.rc != 0
    - name: Copy lab values to server
      ansible.builtin.copy:
        src: "{{ longhorn_values_src }}"
        dest: "{{ longhorn_values_dest }}"
        mode: "0600"
    - name: Ensure longhorn-system namespace is not stuck Terminating (force finalize if needed)
      ansible.builtin.shell: |
        set -e
        export KUBECONFIG={{ k3s_kubeconfig }}
        ns="longhorn-system"
        phase="$(kubectl get ns "$ns" -o jsonpath='{.status.phase}' 2>/dev/null || true)"
        if [ "$phase" = "Terminating" ]; then
          echo "[WARN] namespace $ns is Terminating; force finalize to unblock install"
          kubectl get ns "$ns" -o json > /tmp/ns.json
          python3 -c "import json; obj=json.load(open('/tmp/ns.json')); obj.setdefault('spec',{}); obj['spec']['finalizers']=[]; json.dump(obj, open('/tmp/ns-finalize.json','w'))"
          kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f /tmp/ns-finalize.json >/dev/null
        fi
      args:
        executable: /bin/bash
      changed_when: true
      failed_when: false
    - name: Ensure longhorn Helm repo
      ansible.builtin.shell: |
        set -e
        if ! helm repo list 2>/dev/null | grep -q '^longhorn'; then
          helm repo add longhorn https://charts.longhorn.io
        fi
        helm repo update
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      args:
        executable: /bin/bash
      changed_when: true
    - name: Delete leftover longhorn PriorityClass (cluster-scoped) to avoid Helm ownership conflicts
      ansible.builtin.shell: |
        set -e
        KUBECONFIG={{ k3s_kubeconfig }} kubectl delete priorityclass longhorn-critical --ignore-not-found=true
      args:
        executable: /bin/bash
      changed_when: true
      failed_when: false
    - name: Delete leftover Longhorn CRDs (cluster-scoped) to avoid Helm ownership conflicts
      ansible.builtin.shell: |
        set -e
        export KUBECONFIG={{ k3s_kubeconfig }}
        crd_list="$(kubectl get crd -o name 2>/dev/null | grep 'longhorn.io' || true)"
        if [ -n "$crd_list" ]; then
          echo "$crd_list" | while read -r crd; do
            [ -z "$crd" ] && continue
            timeout 20s kubectl delete "$crd" --ignore-not-found=true || true
          done
        fi
      args:
        executable: /bin/bash
      changed_when: true
      failed_when: false
    - name: Delete leftover Longhorn ClusterRole/ClusterRoleBinding (cluster-scoped)
      ansible.builtin.shell: |
        set -e
        export KUBECONFIG={{ k3s_kubeconfig }}
        role_list="$(kubectl get clusterrole -o name 2>/dev/null | grep 'longhorn' || true)"
        if [ -n "$role_list" ]; then
          echo "$role_list" | while read -r role; do
            [ -z "$role" ] && continue
            timeout 20s kubectl delete "$role" --ignore-not-found=true || true
          done
        fi
        binding_list="$(kubectl get clusterrolebinding -o name 2>/dev/null | grep 'longhorn' || true)"
        if [ -n "$binding_list" ]; then
          echo "$binding_list" | while read -r binding; do
            [ -z "$binding" ] && continue
            timeout 20s kubectl delete "$binding" --ignore-not-found=true || true
          done
        fi
      args:
        executable: /bin/bash
      changed_when: true
      failed_when: false
    - name: Cleanup leftover Helm release records for Longhorn (default + longhorn-system)
      ansible.builtin.shell: |
        set -e
        export KUBECONFIG={{ k3s_kubeconfig }}
        # 有些失败/中断的安装会把 release secret 留在 default 或 longhorn-system，导致后续：
        # - "cannot re-use a name that is still in use"
        # - cluster-scoped 资源的 meta.helm.sh/release-namespace 注解冲突
        for ns in longhorn-system default; do
          if helm -n "$ns" list --all 2>/dev/null | grep -q '^longhorn'; then
            # uninstall 可能卡住（例如 uninstall job / hook），避免阻塞整个自动化流程
            timeout 120s helm -n "$ns" uninstall longhorn --no-hooks || true
          fi
          sec_list="$(kubectl -n "$ns" get secret -o name 2>/dev/null | grep '^secret/sh\\.helm\\.release\\.v1\\.longhorn\\.' || true)"
          if [ -n "$sec_list" ]; then
            echo "$sec_list" | xargs -n1 kubectl -n "$ns" delete --ignore-not-found=true
          fi
        done
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      args:
        executable: /bin/bash
      changed_when: true
      failed_when: false
    - name: Helm upgrade/install Longhorn（失败兜底：install --replace）
      ansible.builtin.shell: |
        set -e
        helm upgrade --install longhorn longhorn/longhorn --namespace longhorn-system --create-namespace -f {{ longhorn_values_dest }} --version {{ longhorn_chart_version }} --wait --timeout 15m || helm install --replace longhorn longhorn/longhorn --namespace longhorn-system --create-namespace -f {{ longhorn_values_dest }} --version {{ longhorn_chart_version }} --wait --timeout 15m
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      args:
        executable: /bin/bash
      register: helm_longhorn
      changed_when: true
 - name: Apply local-path-config lab defaults (optional)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    local_path_json_src: "{{ playbook_dir }}/../files/03-05-local-path-config/local-path-config-lab.json"
    local_path_json_dest: /root/local-path-config-lab.json
  tasks:
    - name: Apply local-path-config lab defaults (optional)
      when: longhorn_apply_local_path_lab | default(false) | bool
      block:
        - name: Copy local-path lab json
          ansible.builtin.copy:
            src: "{{ local_path_json_src }}"
            dest: "{{ local_path_json_dest }}"
            mode: "0644"
        - name: Apply local-path-config ConfigMap
          ansible.builtin.shell: |
            set -e
            KUBECONFIG={{ k3s_kubeconfig }} kubectl -n kube-system create configmap local-path-config \
              --from-file=config.json={{ local_path_json_dest }} \
              --dry-run=client -o yaml | KUBECONFIG={{ k3s_kubeconfig }} kubectl apply -f -
          args:
            executable: /bin/bash
          changed_when: true
        - name: Restart local-path-provisioner if present
          ansible.builtin.shell: |
            KUBECONFIG={{ k3s_kubeconfig }} kubectl -n kube-system rollout restart deploy/local-path-provisioner
          args:
            executable: /bin/bash
          register: lp_restart
          failed_when: false
          changed_when: lp_restart.rc == 0
--- a/ansible/playbooks/nginx-matrix-deploy.yml
+++ b/ansible/playbooks/nginx-matrix-deploy.yml
@@ -1,168 +0,0 @@
 ---
 # 部署：docs/00-05 §2 步骤 3——铺栈（无按 doc_id 的断言/teardown）。
 # 矩阵级验收请用 scripts/verify.sh run 02-01…02-05 或 run-all。
 # Ansible 一键部署 nginx 矩阵（M1～M4）
 # 对应文档：docs/02-05-nginx-验证矩阵-一键部署.md（02-01～02-04 分篇已整合）
 #
 # 说明：复制 manifests → kubectl apply → 等待 Pod 就绪 → 验证 Pod 节点分布 → curl 16 目标
 # manifests：ansible/files/02-05-nginx-matrix/，M1 control-plane / M2 ylc61 / M3 worker / M4 ylc64，按实际修改 02/04 hostname
 #
 # 执行（在 ansible/ 目录下）：
 #   ansible-playbook -i inventory.ini playbooks/nginx-matrix-deploy.yml
 # 或在仓库根目录：
 #   ansible-playbook -i ansible/inventory.ini ansible/playbooks/nginx-matrix-deploy.yml
 - name: Deploy nginx matrix (M1~M4)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    # manifests 在 ansible/files/02-05-nginx-matrix/，与 playbook 同项目
    manifests_path: "{{ playbook_dir }}/../files/02-05-nginx-matrix"
  tasks:
    - name: Ensure manifests path exists
      ansible.builtin.stat:
        path: "{{ manifests_path }}"
      register: manifests_stat
    - name: Fail if manifests not found
      ansible.builtin.fail:
        msg: "manifests 未找到: {{ manifests_path }}，请从仓库根目录或 ansible 同级执行"
      when: not manifests_stat.stat.exists
    # 部署前确保 control-plane/worker 标签存在（M1/M3 需此才能调度），节点名为短主机名（ylc61～ylc64）
    - name: Ensure control-plane label on k3s_server nodes (for M1)
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl label node {{ item }} node-role.kubernetes.io/control-plane= --overwrite
      loop: "{{ groups['k3s_server'] | default([]) }}"
    - name: Ensure worker label on k3s_worker nodes (for M3)
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl label node {{ item }} node-role.kubernetes.io/worker= --overwrite
      loop: "{{ groups['k3s_worker'] | default([]) }}"
    - name: Copy nginx matrix manifests to server
      ansible.builtin.copy:
        src: "{{ manifests_path }}/"
        dest: /tmp/nginx-matrix/
        mode: '0644'
    # 先删全部 nginx 矩阵 Deployment 再 apply，避免旧 ReplicaSet 导致任一 Mx 仍显示默认页
    - name: Delete all nginx matrix deployments before apply
      ansible.builtin.shell: KUBECONFIG={{ k3s_kubeconfig }} kubectl delete deployment nginx-m1 nginx-m2 nginx-m3 nginx-m4 -n default --ignore-not-found=true
      register: del_nginx
      changed_when: "'deleted' in del_nginx.stdout"
    - name: kubectl apply nginx matrix
      ansible.builtin.shell: KUBECONFIG={{ k3s_kubeconfig }} kubectl apply -f /tmp/nginx-matrix/ -R
      register: k8s_apply
      changed_when: "'configured' in k8s_apply.stdout or 'created' in k8s_apply.stdout"
    - name: Restart nginx deployments so pods pick up ConfigMap (M1～M4 标识)
      ansible.builtin.shell: KUBECONFIG={{ k3s_kubeconfig }} kubectl rollout restart deployment nginx-m1 nginx-m2 nginx-m3 nginx-m4 -n default
      register: restart_out
      changed_when: true
    - name: Wait for nginx pods to be ready
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl wait --for=condition=ready pod \
          -l app=nginx-m1 --timeout=60s
        KUBECONFIG={{ k3s_kubeconfig }} kubectl wait --for=condition=ready pod \
          -l app=nginx-m2 --timeout=60s
        KUBECONFIG={{ k3s_kubeconfig }} kubectl wait --for=condition=ready pod \
          -l app=nginx-m3 --timeout=120s
        KUBECONFIG={{ k3s_kubeconfig }} kubectl wait --for=condition=ready pod \
          -l app=nginx-m4 --timeout=120s
      register: wait_result
      changed_when: false
    - name: Verify nginx matrix
      ansible.builtin.shell: KUBECONFIG={{ k3s_kubeconfig }} kubectl get pod,svc,ing,ingressroute -n default -o wide
      register: verify
      changed_when: false
    - name: ">>> nginx matrix 资源"
      ansible.builtin.debug:
        msg: "{{ item }}"
      loop: "{{ verify.stdout_lines }}"
    - name: 验证 Pod 节点分布（M1/M2 应在控制节点，M3/M4 应在工作节点）
      ansible.builtin.shell: |
        KUBECONFIG={{ k3s_kubeconfig }} kubectl get pod -n default -o custom-columns='NAME:.metadata.name,APP:.metadata.labels.app,NODE:.spec.nodeName' | grep -E '^(NAME|nginx-m)'
      register: pod_placement
      changed_when: false
    - name: ">>> Pod 节点分布"
      ansible.builtin.debug:
        msg: "{{ item }}"
      loop: "{{ pod_placement.stdout_lines }}"
    - name: M1 容器内诊断（排查为何仍为 nginx 欢迎页）
      ansible.builtin.shell: |
        echo "========== 1. M1 容器内 /usr/share/nginx/html/ 目录 =========="
        KUBECONFIG={{ k3s_kubeconfig }} kubectl exec -n default deployment/nginx-m1 -- ls -la /usr/share/nginx/html/ 2>/dev/null || echo "(exec 失败)"
        echo ""
        echo "========== 2. M1 容器内 index.html 内容（前 5 行）=========="
        KUBECONFIG={{ k3s_kubeconfig }} kubectl exec -n default deployment/nginx-m1 -- cat /usr/share/nginx/html/index.html 2>/dev/null | head -5 || echo "(exec 失败)"
        echo ""
        echo "========== 3. M1 容器内 /etc/nginx/conf.d/ 目录 =========="
        KUBECONFIG={{ k3s_kubeconfig }} kubectl exec -n default deployment/nginx-m1 -- ls -la /etc/nginx/conf.d/ 2>/dev/null || echo "(exec 失败)"
        echo ""
        echo "========== 4. M1 容器内 default.conf 内容 =========="
        KUBECONFIG={{ k3s_kubeconfig }} kubectl exec -n default deployment/nginx-m1 -- cat /etc/nginx/conf.d/default.conf 2>/dev/null || echo "(exec 失败)"
        echo ""
        echo "========== 5. M1 容器内 nginx 生效配置中的 server 块（前 40 行）=========="
        KUBECONFIG={{ k3s_kubeconfig }} kubectl exec -n default deployment/nginx-m1 -- nginx -T 2>/dev/null | grep -A 200 "server {" | head -40 || echo "(exec 失败)"
      register: m1_diag
      changed_when: false
      failed_when: false
    - name: ">>> M1 容器内诊断结果（若 M1 仍为欢迎页，请根据此处输出排查）"
      ansible.builtin.debug:
        msg: "{{ item }}"
      loop: "{{ m1_diag.stdout_lines }}"
    - name: 验证 M1～M4 标识（Pod 内 index.html 含 Mx、响应头 X-Backend）
      ansible.builtin.shell: |
        base="{{ groups['k3s_nodes'] | map('extract', hostvars) | map(attribute='ansible_host') | first }}"
        for id in 1 2 3 4; do
          echo "=== M$id Pod 内 index.html 前 2 行 ==="
          KUBECONFIG={{ k3s_kubeconfig }} kubectl exec -n default deployment/nginx-m$id -- cat /usr/share/nginx/html/index.html 2>/dev/null | head -2 || echo "(exec 失败)"
          echo "=== M$id 响应头 X-Backend ==="
          curl -sI "http://$base/demo-m$id/" 2>/dev/null | grep -i x-backend || echo "(未看到 X-Backend)"
          echo ""
        done
      register: m_check
      changed_when: false
      failed_when: false
    - name: ">>> M1～M4 验证"
      ansible.builtin.debug:
        msg: "{{ item }}"
      loop: "{{ m_check.stdout_lines }}"
    - name: curl 验证（16 个目标：4 节点 × 4 路径）
      ansible.builtin.shell: |
        bases="{{ groups['k3s_nodes'] | map('extract', hostvars) | map(attribute='ansible_host') | join(' ') }}"
        paths="/demo-m1 /demo-m2 /demo-m3 /demo-m4"
        count=0
        ok=0
        echo "=== 16 个目标 (4 节点 × 4 路径) ==="
        echo "节点         M1(控制+Ingress)  M2(控制+IR)  M3(工作+Ingress)  M4(工作+IR)"
        for base in $bases; do
          m1=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 http://$base/demo-m1 2>/dev/null) || m1="fail"
          m2=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 http://$base/demo-m2 2>/dev/null) || m2="fail"
          m3=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 http://$base/demo-m3 2>/dev/null) || m3="fail"
          m4=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 http://$base/demo-m4 2>/dev/null) || m4="fail"
          printf "%-12s %-16s %-11s %-16s %s\n" "$base" "$m1" "$m2" "$m3" "$m4"
          for c in $m1 $m2 $m3 $m4; do count=$((count+1)); [ "$c" = "200" ] && ok=$((ok+1)); done
        done
        echo "---"
        echo "共验证 $count 个目标，$ok 个返回 200"
      register: curl_result
      changed_when: false
    - name: ">>> curl 矩阵"
      ansible.builtin.debug:
        msg: "{{ item }}"
      loop: "{{ curl_result.stdout_lines }}"
--- a/ansible/playbooks/nginx-matrix-tls-deploy.yml
+++ b/ansible/playbooks/nginx-matrix-tls-deploy.yml
@@ -1,189 +0,0 @@
 ---
 # 部署：docs/00-05 §2 步骤 3——TLS 铺栈；验收见 scripts/verify.sh run 03-02 等。
 # Ansible 一键部署 nginx 矩阵 TLS 版（M1～M4，HTTPS）
 # 对应文档：docs/03-02-k3s-traefik-acme.md
 #
 # 说明：复制 TLS + HTTP-only manifests → 自动删除已存在的不含 TLS 的 nginx 矩阵（02-05）→ kubectl apply（含 TLS 与 HTTP-only 共 8 个路由）→ 等待 Pod 就绪 → HTTP-only / HTTPS curl 矩阵验证（test01～test04.jackadam.top）
 # manifests：ansible/files/03-02-nginx-matrix-tls/，域名为 test01～test04.jackadam.top，M2/M4 hostname 按实际修改；Ingress/IngressRoute 中 TLS 路由仅绑定 websecure，HTTP-only 路由仅绑定 web
 # 前置：已按 03-02 配置 ACME（Secret + traefik-acme.yaml），且 test01～test04.jackadam.top 已解析到入口 IP
 #
 # 执行（在 ansible/ 目录下）：
 #   ansible-playbook -i inventory.ini playbooks/nginx-matrix-tls-deploy.yml
 # 或在仓库根目录：
 #   ansible-playbook -i ansible/inventory.ini ansible/playbooks/nginx-matrix-tls-deploy.yml
 # 验证时对所有 k3s_nodes 做 HTTPS 请求（所有节点均为入口点，与 02-05 HTTP 矩阵一致）
 - name: Deploy or cleanup nginx matrix TLS (M1~M4, HTTPS)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    # mode 由 -e mode=cleanup 传入，未传时默认为 deploy（勿在 vars 中写 mode: "{{ mode | default('deploy') }}" 会递归）
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    manifests_path: "{{ playbook_dir }}/../files/03-02-nginx-matrix-tls"
    tls_domains:
      - test01.jackadam.top
      - test02.jackadam.top
      - test03.jackadam.top
      - test04.jackadam.top
  tasks:
    - name: Deploy nginx matrix TLS (mode=deploy)
      when: (mode | default('deploy')) == 'deploy'
      block:
        - name: Ensure manifests path exists
          ansible.builtin.stat:
            path: "{{ manifests_path }}"
          register: manifests_stat
        - name: Fail if manifests not found
          ansible.builtin.fail:
            msg: "manifests 未找到: {{ manifests_path }}，请从仓库根目录或 ansible 同级执行"
          when: not manifests_stat.stat.exists
        # 部署前确保 control-plane/worker 标签存在（M1/M3 需此才能调度），节点名为短主机名（ylc61～ylc64）
        - name: Ensure control-plane label on k3s_server nodes (for M1)
          ansible.builtin.shell: |
            KUBECONFIG={{ k3s_kubeconfig }} kubectl label node {{ item }} node-role.kubernetes.io/control-plane= --overwrite
          loop: "{{ groups['k3s_server'] | default([]) }}"
        - name: Ensure worker label on k3s_worker nodes (for M3)
          ansible.builtin.shell: |
            KUBECONFIG={{ k3s_kubeconfig }} kubectl label node {{ item }} node-role.kubernetes.io/worker= --overwrite
          loop: "{{ groups['k3s_worker'] | default([]) }}"
        - name: Copy nginx matrix TLS manifests to server
          ansible.builtin.copy:
            src: "{{ manifests_path }}/"
            dest: /tmp/nginx-matrix-tls/
            mode: '0644'
        # 若存在不含 TLS 的 nginx 矩阵（02-05），先删掉，避免与 TLS 版 Ingress 冲突或残留
        - name: Delete non-TLS nginx matrix if present (deployments, ingress, ingressroute, middleware, configmaps)
          ansible.builtin.shell: |
            KUBECONFIG={{ k3s_kubeconfig }} kubectl delete deployment,svc -n default nginx-m1 nginx-m2 nginx-m3 nginx-m4 --ignore-not-found=true
            KUBECONFIG={{ k3s_kubeconfig }} kubectl delete ingress -n default nginx-m1 nginx-m3 --ignore-not-found=true
            KUBECONFIG={{ k3s_kubeconfig }} kubectl delete ingressroute -n default nginx-m2 nginx-m4 --ignore-not-found=true
            KUBECONFIG={{ k3s_kubeconfig }} kubectl delete middleware -n default stripprefix-m1 stripprefix-m2 stripprefix-m3 stripprefix-m4 --ignore-not-found=true
            KUBECONFIG={{ k3s_kubeconfig }} kubectl delete configmap -n default nginx-m1-html nginx-m2-html nginx-m3-html nginx-m4-html --ignore-not-found=true
          register: del_non_tls
          changed_when: "'deleted' in del_non_tls.stdout"
        - name: kubectl apply nginx matrix TLS + HTTP-only
          ansible.builtin.shell: KUBECONFIG={{ k3s_kubeconfig }} kubectl apply -f /tmp/nginx-matrix-tls/ -R
          register: k8s_apply
          changed_when: "'configured' in k8s_apply.stdout or 'created' in k8s_apply.stdout"
        - name: Restart nginx deployments so pods pick up ConfigMap (M1～M4 标识)
          ansible.builtin.shell: KUBECONFIG={{ k3s_kubeconfig }} kubectl rollout restart deployment nginx-m1 nginx-m2 nginx-m3 nginx-m4 -n default
          register: restart_out
          changed_when: true
        - name: Wait for nginx pods to be ready
          ansible.builtin.shell: |
            KUBECONFIG={{ k3s_kubeconfig }} kubectl wait --for=condition=ready pod \
              -l app=nginx-m1 --timeout=60s
            KUBECONFIG={{ k3s_kubeconfig }} kubectl wait --for=condition=ready pod \
              -l app=nginx-m2 --timeout=60s
            KUBECONFIG={{ k3s_kubeconfig }} kubectl wait --for=condition=ready pod \
              -l app=nginx-m3 --timeout=120s
            KUBECONFIG={{ k3s_kubeconfig }} kubectl wait --for=condition=ready pod \
              -l app=nginx-m4 --timeout=120s
          register: wait_result
          changed_when: false
        - name: Verify nginx matrix TLS resources
          ansible.builtin.shell: KUBECONFIG={{ k3s_kubeconfig }} kubectl get pod,svc,ing,ingressroute -n default -o wide
          register: verify
          changed_when: false
        - name: ">>> nginx matrix TLS 资源"
          ansible.builtin.debug:
            msg: "{{ item }}"
          loop: "{{ verify.stdout_lines }}"
        - name: 验证 M1～M4 标识（Pod 内 index.html 含 Mx、响应头 X-Backend，取首个入口节点）
          ansible.builtin.shell: |
            first_ip="{{ groups['k3s_nodes'] | map('extract', hostvars) | map(attribute='ansible_host') | first }}"
            for id in 1 2 3 4; do
              echo "=== M$id Pod 内 index.html 前 2 行 ==="
              KUBECONFIG={{ k3s_kubeconfig }} kubectl exec -n default deployment/nginx-m$id -- cat /usr/share/nginx/html/index.html 2>/dev/null | head -2 || echo "(exec 失败)"
              echo "=== M$id 响应头 X-Backend (入口 $first_ip) ==="
              curl -sI "https://test0$id.jackadam.top/" --resolve "test0$id.jackadam.top:443:$first_ip" -k 2>/dev/null | grep -i x-backend || echo "(未看到 X-Backend)"
              echo ""
            done
          register: m_check
          changed_when: false
          failed_when: false
        - name: ">>> M1～M4 验证"
          ansible.builtin.debug:
            msg: "{{ item }}"
          loop: "{{ m_check.stdout_lines }}"
        - name: HTTP curl 验证（HTTP-only：16 个目标，所有节点 × 4 域名）
          ansible.builtin.shell: |
            bases="{{ groups['k3s_nodes'] | map('extract', hostvars) | map(attribute='ansible_host') | join(' ') }}"
            count=0
            ok=0
            echo "=== 16 个目标 (4 节点 × 4 域名) HTTP ==="
            echo "节点         M1(test01)      M2(test02)      M3(test03)      M4(test04)"
            for base in $bases; do
              m1=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 http://test01.jackadam.top/ --resolve "test01.jackadam.top:80:$base" 2>/dev/null) || m1="fail"
              m2=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 http://test02.jackadam.top/ --resolve "test02.jackadam.top:80:$base" 2>/dev/null) || m2="fail"
              m3=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 http://test03.jackadam.top/ --resolve "test03.jackadam.top:80:$base" 2>/dev/null) || m3="fail"
              m4=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 http://test04.jackadam.top/ --resolve "test04.jackadam.top:80:$base" 2>/dev/null) || m4="fail"
              printf "%-12s %-14s %-14s %-14s %s\n" "$base" "$m1" "$m2" "$m3" "$m4"
              for c in $m1 $m2 $m3 $m4; do count=$((count+1)); [ "$c" = "200" ] && ok=$((ok+1)); done
            done
            echo "---"
            echo "共验证 $count 个目标，$ok 个返回 200"
          register: curl_http_result
          changed_when: false
          failed_when: false
        - name: ">>> HTTP curl 矩阵（HTTP-only）"
          ansible.builtin.debug:
            msg: "{{ item }}"
          loop: "{{ curl_http_result.stdout_lines }}"
        - name: HTTPS curl 验证（16 个目标：所有节点 × 4 域名，所有节点均为入口点）
          ansible.builtin.shell: |
            bases="{{ groups['k3s_nodes'] | map('extract', hostvars) | map(attribute='ansible_host') | join(' ') }}"
            count=0
            ok=0
            echo "=== 16 个目标 (4 节点 × 4 域名) HTTPS ==="
            echo "节点         M1(test01)      M2(test02)      M3(test03)      M4(test04)"
            for base in $bases; do
              m1=$(curl -sk -o /dev/null -w "%{http_code}" --connect-timeout 5 https://test01.jackadam.top/ --resolve "test01.jackadam.top:443:$base" 2>/dev/null) || m1="fail"
              m2=$(curl -sk -o /dev/null -w "%{http_code}" --connect-timeout 5 https://test02.jackadam.top/ --resolve "test02.jackadam.top:443:$base" 2>/dev/null) || m2="fail"
              m3=$(curl -sk -o /dev/null -w "%{http_code}" --connect-timeout 5 https://test03.jackadam.top/ --resolve "test03.jackadam.top:443:$base" 2>/dev/null) || m3="fail"
              m4=$(curl -sk -o /dev/null -w "%{http_code}" --connect-timeout 5 https://test04.jackadam.top/ --resolve "test04.jackadam.top:443:$base" 2>/dev/null) || m4="fail"
              printf "%-12s %-14s %-14s %-14s %s\n" "$base" "$m1" "$m2" "$m3" "$m4"
              for c in $m1 $m2 $m3 $m4; do count=$((count+1)); [ "$c" = "200" ] && ok=$((ok+1)); done
            done
            echo "---"
            echo "共验证 $count 个目标，$ok 个返回 200"
          register: curl_result
          changed_when: false
          failed_when: false
        - name: ">>> HTTPS curl 矩阵"
          ansible.builtin.debug:
            msg: "{{ item }}"
          loop: "{{ curl_result.stdout_lines }}"
    - name: Cleanup nginx matrix TLS (mode=cleanup)
      when: (mode | default('deploy')) == 'cleanup'
      block:
        - name: Delete nginx matrix TLS + HTTP-only resources (deployments, ingress, ingressroute, configmaps)
          ansible.builtin.shell: |
            KUBECONFIG={{ k3s_kubeconfig }} kubectl delete deployment,svc -n default nginx-m1 nginx-m2 nginx-m3 nginx-m4 --ignore-not-found=true
            KUBECONFIG={{ k3s_kubeconfig }} kubectl delete ingress -n default nginx-m1 nginx-m3 nginx-m1-http nginx-m3-http --ignore-not-found=true
            KUBECONFIG={{ k3s_kubeconfig }} kubectl delete ingressroute -n default nginx-m2 nginx-m4 nginx-m2-http nginx-m4-http --ignore-not-found=true
            KUBECONFIG={{ k3s_kubeconfig }} kubectl delete configmap -n default nginx-m1-html nginx-m2-html nginx-m3-html nginx-m4-html --ignore-not-found=true
          register: del_tls
          changed_when: "'deleted' in del_tls.stdout"
        - name: Remove copied nginx matrix TLS manifests directory
          ansible.builtin.file:
            path: /tmp/nginx-matrix-tls
            state: absent
--- a/ansible/playbooks/nodejs-demo-apply.yml
+++ b/ansible/playbooks/nodejs-demo-apply.yml
@@ -1,48 +0,0 @@
 ---
 # 部署：docs/00-05 §2 步骤 3——应用单文件 demo；整链验收优先 scripts/verify.sh run 04-01。
 # 一键应用 Node.js demo 清单（与 docs/04-01～04-13 + ansible/files/04-01-nodejs-demo 对齐）
 #
 # 执行（在仓库根目录）：
 #   ansible-playbook -i ansible/inventory.ini ansible/playbooks/nodejs-demo-apply.yml \
 #     -e nodejs_demo_manifest=04-01-nodejs-demo.yaml
 #
 # 默认清单：04-01-nodejs-demo.yaml
 - name: Apply nodejs-demo Kubernetes manifests
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    nodejs_demo_manifest: "04-01-nodejs-demo.yaml"
    manifests_dir: "{{ playbook_dir }}/../files/04-01-nodejs-demo"
  tasks:
    - name: Ensure manifest file exists
      ansible.builtin.stat:
        path: "{{ manifests_dir }}/{{ nodejs_demo_manifest }}"
      register: nodejs_manifest_stat
      delegate_to: localhost
      become: false
    - name: Fail if manifest not found
      ansible.builtin.fail:
        msg: "未找到 {{ manifests_dir }}/{{ nodejs_demo_manifest }}，请从仓库根检查文件名"
      when: not nodejs_manifest_stat.stat.exists
      delegate_to: localhost
      become: false
    - name: Copy manifest to control plane
      ansible.builtin.copy:
        src: "{{ manifests_dir }}/{{ nodejs_demo_manifest }}"
        dest: "/tmp/{{ nodejs_demo_manifest }}"
        mode: "0644"
    - name: kubectl apply nodejs-demo manifest
      ansible.builtin.shell: |
        set -e
        KUBECONFIG={{ k3s_kubeconfig }} kubectl apply -f /tmp/{{ nodejs_demo_manifest }}
      register: nodejs_apply
      changed_when: "'configured' in nodejs_apply.stdout or 'created' in nodejs_apply.stdout"
    - name: Show kubectl apply output
      ansible.builtin.debug:
        var: nodejs_apply.stdout_lines
--- a/Show More
+++ b/Show More