boma/playbooks/README.md

# playbooks/

Top-level orchestration playbooks. No inline vars — configuration comes from
`group_vars/` / `host_vars/` (see CLAUDE.md).

- `site.yml` — full standard state: applies `base` to all hosts and `docker_host`
  to docker hosts. **Note:** `base` is only partially built (its `firewall` +
  `hardening` concerns) and the cluster has no docker hosts yet, so this is
  incomplete — see `STATUS.md`.
- `workstation.yml` — applies the `dev_env` role (interactive developer environment)
  to the `control` group; built and applied to `ubongo` (see `STATUS.md`).
- `dns.yml` — manages the public DNS zone (wingu.me) at Gandi LiveDNS via the
  `public_dns` role; runs from the control node against an external API.
- `offsite.yml` — off-site hosts (`askari`): `docker_host` (Docker engine) +
  `reverse_proxy` (Caddy). NetBird coordinator appended in M4b.
- `bootstrap.yml` — first-run setup for a host that may not have Python yet;
  self-contained (does not depend on the roles).

Run via `make check PLAYBOOK=<name>` then `make deploy PLAYBOOK=<name>`.
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`# playbooks/`

			`Top-level orchestration playbooks. No inline vars — configuration comes from`
			`group_vars/` / `host_vars/` (see CLAUDE.md).

			- `site.yml` — full standard state: applies `base` to all hosts and `docker_host`
docs(review): 2026-06-14 repo audit — M4a doc drift + Traefik→Caddy lag 11 safe auto-fixes (docs/comments only): reverse_proxy meta stale DNS-01 description, base/playbooks/scripts/terraform/public_dns README build-state, CAPABILITIES reverse-proxy Traefik→Caddy, README ADR list → 024, TF cax11→cx23 stamps, public_dns wildcard DNS-01→HTTP-01 comment. 29 open findings reported. make lint green. No stale-deferred (ADR-011 open questions still open). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-14 18:37:54 +02:00			to docker hosts. Note: `base` is only partially built (its `firewall` +
			`hardening` concerns) and the cluster has no docker hosts yet, so this is
			incomplete — see `STATUS.md`.
docs(review): 2026-06-11 repo audit — fix build-wave doc drift /review-repo run at 67f2aba. Auto-fixed 5 safe doc-drift items left by the base(firewall)+dev_env build wave: README/playbook/role notes that still called the roles "empty/not built", plus README tree gaps and the reciprocal ADR-021 cross-links in ADR-016/020. 18 open findings reported (not fixed). Headline: `make lint` is red on `main` (site.yml imports the non-existent docker_host role) and an ADR-004 <-> ADR-022 backup-scope contradiction. Deferral checklist clean (0 stale-deferred); 7 of 12 prior findings confirmed resolved. See docs/reviews/2026-06-11-review.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-11 14:48:00 +02:00			- `workstation.yml` — applies the `dev_env` role (interactive developer environment)
			to the `control` group; built and applied to `ubongo` (see `STATUS.md`).
docs(review): 2026-06-14 repo audit — M4a doc drift + Traefik→Caddy lag 11 safe auto-fixes (docs/comments only): reverse_proxy meta stale DNS-01 description, base/playbooks/scripts/terraform/public_dns README build-state, CAPABILITIES reverse-proxy Traefik→Caddy, README ADR list → 024, TF cax11→cx23 stamps, public_dns wildcard DNS-01→HTTP-01 comment. 29 open findings reported. make lint green. No stale-deferred (ADR-011 open questions still open). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-14 18:37:54 +02:00			- `dns.yml` — manages the public DNS zone (wingu.me) at Gandi LiveDNS via the
			`public_dns` role; runs from the control node against an external API.
			- `offsite.yml` — off-site hosts (`askari`): `docker_host` (Docker engine) +
			`reverse_proxy` (Caddy). NetBird coordinator appended in M4b.
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			- `bootstrap.yml` — first-run setup for a host that may not have Python yet;
			`self-contained (does not depend on the roles).`

			Run via `make check PLAYBOOK=<name>` then `make deploy PLAYBOOK=<name>`.