daarion-admin/microdao-daarion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
72e74635cf7bfc37cae8cdc0550d09ff46f5870b
microdao-daarion/ops/patch_node2_P0P1_20260227.md
Apple 7b8499dd8a node2: P0 vision restore + P1 security hardening + node-specific router config 
P0 — Vision:
- swapper_config_node2.yaml: add llava-13b as vision model (vision:true)
  /vision/models now returns non-empty list; inference verified ~3.5s
- ollama.url fixed to host.docker.internal:11434 (was localhost, broken in Docker)

P1 — Security:
- Remove NODES_NODA1_SSH_PASSWORD from .env and docker-compose.node2-sofiia.yml
- SSH ED25519 key generated, authorized on NODA1, mounted as /run/secrets/noda1_ssh_key
- sofiia-console reads key via NODES_NODA1_SSH_PRIVATE_KEY env var
- secrets/noda1_id_ed25519 added to .gitignore

P1 — Router:
- services/router/router-config.node2.yml: new node2-specific config
  replaces all 172.17.0.1:11434 → host.docker.internal:11434
- docker-compose.node2-sofiia.yml: mount router-config.node2.yml (not root config)

P1 — Ports:
- router (9102), swapper (8890), sofiia-console (8002): bind to 127.0.0.1
- gateway (9300): keep 0.0.0.0 (Telegram webhook requires public access)

Artifacts:
- ops/patch_node2_P0P1_20260227.md — change log
- ops/validation_node2_P0P1_20260227.md — all checks PASS
- ops/node2.env.example — safe env template (no secrets)
- ops/security_hardening_node2.md — SSH key migration guide + firewall
- ops/node2_models_pull.sh — model pull script for P0/P1

Made-with: Cursor
2026-02-27 01:27:38 -08:00

110 lines
4.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# NODA2 P0+P1 Patch Report
**Date:** 2026-02-27
**Node:** NODA2 (MacBook Pro M4 Max)
**Commit tag:** `node2: P0 vision restore + P1 security hardening + node-specific router config`
---
## Зміни
### P0 — Vision Repair
| Файл | Що змінено |
|------|-----------|
| `services/swapper-service/config/swapper_config_node2.yaml` | Додано `llava-13b` як vision model (`type: vision`, `vision: true`). Виправлено `ollama.url` з `localhost:11434` на `host.docker.internal:11434`. Додано секцію `vision.default_model`. |
**Деталі:**
- `llava:13b` вже присутня в Ollama на NODA2 → P0 без pull
- `/vision/models` тепер поверне непорожній список
- `qwen3-vl:8b` залишена закоментована — увімкнути після `ollama pull qwen3-vl:8b`
**Deploy команди (після git pull на NODA2):**
```bash
docker compose -f docker-compose.node2-sofiia.yml up -d --no-deps swapper-service
# або якщо swapper вже running — достатньо restart (конфіг читається при старті):
docker restart swapper-service-node2
```
---
### P1 — Security: SSH Key замість пароля
| Зміна | Деталі |
|-------|--------|
| SSH ED25519 key згенерований | `~/.ssh/noda1_ed25519` (на NODA2 MacBook) |
| Public key доданий на NODA1 | `/root/.ssh/authorized_keys` на `144.76.224.179` |
| Private key скопійований | `secrets/noda1_id_ed25519` (chmod 600) |
| `.env` | `NODES_NODA1_SSH_PASSWORD` замінено на коментар |
| `docker-compose.node2-sofiia.yml` | `NODES_NODA1_SSH_PASSWORD` видалено з env; додано `NODES_NODA1_SSH_PRIVATE_KEY=/run/secrets/noda1_ssh_key` + volume mount `secrets/noda1_id_ed25519:/run/secrets/noda1_ssh_key:ro` |
| `.gitignore` | Додано `secrets/noda1_id_ed25519` та `secrets/*.key` |
**Deploy команди:**
```bash
docker compose -f docker-compose.node2-sofiia.yml up -d --no-deps sofiia-console
```
---
### P1 — Router: node2-specific config (без 172.17.0.1)
| Файл | Що змінено |
|------|-----------|
| `services/router/router-config.node2.yml` | Новий файл: копія `router-config.yml` з заміною `172.17.0.1:11434``host.docker.internal:11434`. `node.id` = `noda2-macbook-pro-m4max`. |
| `docker-compose.node2-sofiia.yml` (router volume) | Змінено mount з `./router-config.yml` на `./services/router/router-config.node2.yml` |
**Deploy команди:**
```bash
docker compose -f docker-compose.node2-sofiia.yml up -d --no-deps router
```
---
### P1 — Port Binding: 127.0.0.1 для внутрішніх сервісів
| Сервіс | До | Після |
|--------|-----|-------|
| `dagi-router-node2` port 9102 | `0.0.0.0:9102:8000` | `127.0.0.1:9102:8000` |
| `swapper-service-node2` port 8890 | `0.0.0.0:8890:8890` | `127.0.0.1:8890:8890` |
| `sofiia-console` port 8002 | `0.0.0.0:8002:8002` | `127.0.0.1:8002:8002` |
| `dagi-gateway-node2` port 9300 | `0.0.0.0:9300:9300` | `0.0.0.0:9300:9300` (Telegram webhook — потрібен зовні) |
**Deploy команди:**
```bash
docker compose -f docker-compose.node2-sofiia.yml up -d
```
---
## Файли змінені
```
services/swapper-service/config/swapper_config_node2.yaml — vision model added
services/router/router-config.node2.yml — NEW: node2-specific config
docker-compose.node2-sofiia.yml — security + port binding
docker-compose.node2.yml — port binding
.env — SSH password removed
.gitignore — secrets/ added
ops/node2_models_pull.sh — NEW: model pull script
ops/node2.env.example — NEW: safe env template
ops/security_hardening_node2.md — NEW: security guide
```
---
## Одна команда "apply all" (після git pull)
```bash
cd /Users/apple/github-projects/microdao-daarion
# 1. Restart swapper (P0 vision)
docker restart swapper-service-node2
# 2. Recreate sofiia-console (P1 security) і router (P1 config)
docker compose -f docker-compose.node2-sofiia.yml up -d --no-deps sofiia-console router
# 3. Verify
curl -s http://localhost:8890/vision/models | jq .
curl -s http://localhost:8890/health | jq .status
docker inspect sofiia-console --format '{{range .Config.Env}}{{println .}}{{end}}' | grep -v SSH_PASSWORD
```
Reference in New Issue View Git Blame Copy Permalink