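I recently got a Mac mini M4 32GB/1TB. I used to keep quick-install commands in Notes and paste them in, but then I remembered that more than ten years ago I was managing a hundred-odd Ubuntu servers with ansible, and pasting commands by hand in this day and age is a bit lame XD. So I did some vibe coding and had my AI sidekick build a tool, and out came macstrap. Its main feature is that people unfamiliar with ansible can get started quickly. Installation goes through ssh remote commands, so once one machine is set up, any further Mac minis that need initializing can be handled quickly as well.
First, after unboxing the Mac mini, set up the login account and password, then turn on System Settings -> General -> Sharing -> Remote login. That gives you the basic ssh login mechanism. However, macstrap is a Python-based tool, so you need to deliberately run the python command once locally on the Mac mini to trigger the system to download and install Python3.
Next comes macstrap territory: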
```
% cd /tmp
% python3 -m venv venv
% source /tmp/venv/bin/activate
% pip install macstrap
...
% macstrap --version
macstrap, version 1.1.0
```
Initialize some examples to work with:
```
% macstrap init --examples
% tree -L 1 examples
examples
├── ai-cli
├── openclaw
├── php8.3-dev
└── utilities-dev
5 directories, 0 files
```
Set up the credentials for connecting to the Mac mini. Assume the Mac mini's IP is 192.168.1.100 (or mac-mini.local) and the login account is macuser, which has sudo privileges:
```
% macstrap ssh-auth mac-mini.local --user macuser
```
Install the AI CLIs on 192.168.1.100 (or mac-mini.local):
```
% macstrap run --config examples/ai-cli mac-mini.local
...
TASK [nvm : Install global npm packages] *****
ok: [mac-mini.local] => (item=@github/copilot)
ok: [mac-mini.local] => (item=@anthropic-ai/claude-code)
ok: [mac-mini.local] => (item=@openai/codex)
ok: [mac-mini.local] => (item=@google/gemini-cli)
...
```
Install OpenClaw:
```
% macstrap run --config examples/openclaw mac-mini.local
...
TASK [nvm : Install global npm packages] *****
ok: [user-macmini.local] => (item=openclaw)
...
```
Then, after logging in to mac-mini.local, you can run openclaw onboard to start it and do the setup:
```
% ssh macuser@mac-mini.local
Now using node v22.22.1 (npm v10.9.4)
[env] node: v22.22.1 | npm: 10.9.4 | Python 3.9.6
% openclaw onboard
🦞 OpenClaw 2026.3.8 (3caab92)
Runs on a Raspberry Pi. Dreams of a rack in Iceland.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██░▄▄▄░██░▄▄░██░▄▄▄██░▀██░██░▄▄▀██░████░▄▄▀██░███░██
██░███░██░▀▀░██░▄▄▄██░█░█░██░█████░████░▀▀░██░█░█░██
██░▀▀▀░██░█████░▀▀▀██░██▄░██░▀▀▄██░▀▀░█░██░██▄▀▄▀▄██
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
🦞 OPENCLAW 🦞
┌  OpenClaw onboarding
│
◇  Security ─────────────────────────────────────────────────────────────╮
│                                                                        │
│  Security warning — please read.                                       │
│                                                                        │
│  OpenClaw is a hobby project and still in beta. Expect sharp edges.    │
│  By default, OpenClaw is a personal agent: one trusted operator        │
│  boundary.                                                             │
│  This bot can read files and run actions if tools are enabled.         │
│  A bad prompt can trick it into doing unsafe things.                   │
│                                                                        │
│  OpenClaw is not a hostile multi-tenant boundary by default.           │
│  If multiple users can message one tool-enabled agent, they share      │
│  that delegated tool authority.                                        │
│                                                                        │
│  If you’re not comfortable with security hardening and access          │
│  control, don’t run OpenClaw.                                          │
│  Ask someone experienced to help before enabling tools or exposing it  │
│  to the internet.                                                      │
│                                                                        │
│  Recommended baseline:                                                 │
│  - Pairing/allowlists + mention gating.                                │
│  - Multi-user/shared inbox: split trust boundaries (separate           │
│  gateway/credentials, ideally separate OS users/hosts).                │
│  - Sandbox + least-privilege tools.                                    │
│  - Shared inboxes: isolate DM sessions (`session.dmScope:              │
│  per-channel-peer`) and keep tool access minimal.                      │
│  - Keep secrets out of the agent’s reachable filesystem.               │
│  - Use the strongest available model for any bot with tools or         │
│  untrusted inboxes.                                                    │
│                                                                        │
│  Run regularly:                                                        │
│  openclaw security audit --deep                                        │
│  openclaw security audit --fix                                         │
│                                                                        │
│  Must read: https://docs.openclaw.ai/gateway/security                  │
│                                                                        │
├────────────────────────────────────────────────────────────────────────╯
│
◆  I understand this is personal-by-default and shared/multi-user use requires lock-down. Continue?
│  ○ Yes / ● No
└
```
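
The onboarding warning above recommends keeping secrets out of the agent's reachable filesystem. The following is an added example, not part of macstrap or OpenClaw: a POSIX shell function that lists credential-like files the current account can read under a directory. The function name `find_reachable_secrets`, the file-name list and the 64k content-scan limit are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from macstrap or OpenClaw).
# Lists credential-like files under a directory that the current user,
# i.e. the account that will run the agent, is able to read.
# The name list and the 64k scan limit are illustrative assumptions.

find_reachable_secrets() {
    root=${1:-$HOME}
    {
        # Pass 1: well-known credential file names.
        find "$root" \( -name node_modules -o -name .git \) -prune -o \
            -type f \( -name '.env' -o -name '.env.*' -o -name '.netrc' \
                -o -name '.npmrc' -o -name 'id_rsa' -o -name 'id_ecdsa' \
                -o -name 'id_ed25519' -o -name '*.pem' -o -name '*.key' \
                -o -path '*/.aws/credentials' \) -print 2>/dev/null || true
        # Pass 2: small files whose content carries a PEM private-key header,
        # whatever they are called (e.g. a key pasted into a notes file).
        find "$root" \( -name node_modules -o -name .git \) -prune -o \
            -type f -size -64k -exec \
            grep -lE -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' {} + \
            2>/dev/null || true
    } | sort -u | while IFS= read -r f; do
        # Only report what this account can actually open.
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# When run as a script with a directory argument, scan that directory.
if [ $# -gt 0 ]; then
    find_reachable_secrets "$1"
fi
```

Run it on the Mac mini as the account that will run `openclaw`, passing that account's home directory, and move or lock down whatever it lists before answering the onboarding prompt.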