feat: 按 doc_id 重组 ansible/files 与验证框架

- ansible/files 改为与文档 XX-YY 对齐的目录结构，更新相关 playbook 路径 - 新增 scripts/verify.sh 与 ansible/playbooks/verify/*.yml，移除单体 verify-matrix.yml - 补充 docs/00-02 矩阵状态、00-05 验证框架与流程、00-04 环境与 ylc65 工作机说明 - 增加 k3s 存储准备、Longhorn、local-path 等 playbook 与辅助脚本 Made-with: Cursor
2026-03-26 07:01:14 +08:00
parent a67788de56
commit 8c43761962
192 changed files with 4006 additions and 320 deletions
--- a/ansible/files/03-03-traefik-dashboard-acme/traefik-dashboard-acme.yaml
+++ b/ansible/files/03-03-traefik-dashboard-acme/traefik-dashboard-acme.yaml
@@ -0,0 +1,74 @@
+# 03-03 Traefik Dashboard + ACME（合并版 HelmChartConfig）
+# 说明：同一 chart 只能有一份 HelmChartConfig（name: traefik），所以 Dashboard 与 ACME 必须合并。
+# 使用前：替换 <YOUR_REAL_EMAIL>；创建 cloudflare-api-token Secret；按实际修改 nodeSelector/trustedIPs/hosts。
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    ports:
+      web:
+        expose: true
+      websecure:
+        expose: true
+      traefik:
+        expose: true
+
+    additionalArguments:
+      # Dashboard
+      - "--api.dashboard=true"
+      - "--api.insecure=true"
+
+      # ACME（Cloudflare DNS-01）
+      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
+      - "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>"
+      - "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"
+      # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
+      - "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"
+
+      # 健康检查：/ping 走 443（给 HAProxy https httpchk 用）
+      - "--ping=true"
+      - "--ping.entryPoint=websecure"
+
+      # PROXY protocol（HAProxy 前置时需要）
+      - "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"
+      - "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"
+
+    env:
+      - name: CF_DNS_API_TOKEN
+        valueFrom:
+          secretKeyRef:
+            name: cloudflare-api-token
+            key: api-token
+
+    nodeSelector:
+      kubernetes.io/hostname: ylc61
+
+    # persistence：将 /data 持久化（local-path PVC），保证 acme.json 落盘
+    persistence:
+      enabled: true
+      name: data
+      accessMode: ReadWriteOnce
+      size: 128Mi
+      path: /data
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: kube-system
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+