boma/Makefile

# Ansible + Terraform homelab monorepo — Makefile
# All operations go through these targets. Never run ansible-playbook or terraform directly.

VENV        := .venv
PYTHON      := $(VENV)/bin/python
PIP         := $(VENV)/bin/pip
ANSIBLE     := $(VENV)/bin/ansible
PLAYBOOK_BIN := $(VENV)/bin/ansible-playbook
GALAXY      := $(VENV)/bin/ansible-galaxy
LINT        := $(VENV)/bin/ansible-lint
MOLECULE    := $(VENV)/bin/molecule
# Vault password is resolved via ansible.cfg (vault_password_file); no flag needed.
VAULT_ARGS  :=
INVENTORY   := -i inventories/production/hosts.yml

TF              := terraform
TF_ENV          ?= staging
MOLECULE_IMAGE  := forgejo.nyumbani.baobab.band/sjat/molecule-debian13:latest
MOLECULE_DOCKERFILE := .docker/molecule-debian13/Dockerfile

.DEFAULT_GOAL := help

.PHONY: help setup collections lint test test-all check deploy encrypt decrypt new-role \
        tf-init tf-plan tf-apply tf-output tf-inventory \
        molecule-image molecule-image-push

help:
	@echo ""
	@echo "Ansible homelab — available targets:"
	@echo ""
	@echo "  make setup                         Create venv and install Python deps"
	@echo "  make collections                   Install Ansible collections"
	@echo "  make lint                          Run yamllint + ansible-lint"
	@echo "  make test ROLE=<name>              Run Molecule tests for a role"
	@echo "  make test-all                      Run Molecule tests for all roles"
	@echo "  make check PLAYBOOK=<name>         Dry-run a playbook (check mode)"
	@echo "  make deploy PLAYBOOK=<name>        Run a playbook against production"
	@echo "  make encrypt FILE=<path>           Encrypt a vault file"
	@echo "  make decrypt FILE=<path>           Decrypt a vault file"
	@echo "  make new-role NAME=<name>          Scaffold a new role"
	@echo ""
	@echo "  make tf-init [TF_ENV=staging]      Initialise Terraform providers"
	@echo "  make tf-plan [TF_ENV=staging]      Show Terraform plan"
	@echo "  make tf-apply [TF_ENV=staging]     Apply Terraform changes"
	@echo "  make tf-output [TF_ENV=staging]    Print Terraform outputs as JSON"
	@echo "  make tf-inventory [TF_ENV=staging] Regenerate Ansible inventory from Terraform outputs"
	@echo ""
	@echo "  TF_ENV defaults to 'staging'. Use TF_ENV=production for production."
	@echo ""
	@echo "  make molecule-image           Build the Molecule test image locally"
	@echo "  make molecule-image-push      Push the test image to the Forgejo registry"
	@echo ""

# ── Environment setup ─────────────────────────────────────────────────────────

setup:
	python3 -m venv $(VENV)
	$(PIP) install --upgrade pip
	$(PIP) install -r requirements.txt
	@echo "Venv ready. Activate with: source $(VENV)/bin/activate"

collections:
	$(GALAXY) collection install -r requirements.yml --upgrade

# ── Linting ───────────────────────────────────────────────────────────────────

lint:
	$(VENV)/bin/yamllint .
	$(LINT)
	$(PYTHON) scripts/check-tags.py

# ── Testing ───────────────────────────────────────────────────────────────────

test:
ifndef ROLE
	$(error ROLE is required: make test ROLE=<rolename>)
endif
	cd roles/$(ROLE) && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test

test-all:
	@for role in roles/*/; do \
	  echo "── Testing $$role ──"; \
	  cd $$role && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test; cd ../..; \
	done

# ── Playbook execution ────────────────────────────────────────────────────────

check:
ifndef PLAYBOOK
	$(error PLAYBOOK is required: make check PLAYBOOK=<name>)
endif
	$(PLAYBOOK_BIN) $(INVENTORY) $(VAULT_ARGS) --check --diff playbooks/$(PLAYBOOK).yml

deploy:
ifndef PLAYBOOK
	$(error PLAYBOOK is required: make deploy PLAYBOOK=<name>)
endif
	$(PLAYBOOK_BIN) $(INVENTORY) $(VAULT_ARGS) playbooks/$(PLAYBOOK).yml

# ── Vault ─────────────────────────────────────────────────────────────────────

encrypt:
ifndef FILE
	$(error FILE is required: make encrypt FILE=<path>)
endif
	$(ANSIBLE)-vault encrypt $(FILE)

decrypt:
ifndef FILE
	$(error FILE is required: make decrypt FILE=<path>)
endif
	$(ANSIBLE)-vault decrypt $(FILE)

# ── Molecule test image ───────────────────────────────────────────────────────

molecule-image:
	docker build -t $(MOLECULE_IMAGE) -f $(MOLECULE_DOCKERFILE) .

molecule-image-push: molecule-image
	docker push $(MOLECULE_IMAGE)

# ── Terraform ─────────────────────────────────────────────────────────────────

tf-init:
	$(TF) -chdir=terraform/environments/$(TF_ENV) init

tf-plan:
	$(TF) -chdir=terraform/environments/$(TF_ENV) plan

tf-apply:
	$(TF) -chdir=terraform/environments/$(TF_ENV) apply

tf-output:
	$(TF) -chdir=terraform/environments/$(TF_ENV) output -json

tf-inventory:
ifndef TF_ENV
	$(error TF_ENV is required: make tf-inventory TF_ENV=<staging|production>)
endif
	$(TF) -chdir=terraform/environments/$(TF_ENV) output -json \
	  | $(PYTHON) scripts/tf_to_inventory.py > inventories/$(TF_ENV)/hosts.yml
	@echo "Inventory written to inventories/$(TF_ENV)/hosts.yml"

# ── Role scaffolding ──────────────────────────────────────────────────────────

new-role:
ifndef NAME
	$(error NAME is required: make new-role NAME=<rolename>)
endif
	mkdir -p roles/$(NAME)/tasks roles/$(NAME)/handlers roles/$(NAME)/defaults \
	         roles/$(NAME)/templates roles/$(NAME)/files roles/$(NAME)/meta \
	         roles/$(NAME)/molecule/default
	echo "---" > roles/$(NAME)/tasks/main.yml
	echo "---" > roles/$(NAME)/handlers/main.yml
	echo "---" > roles/$(NAME)/defaults/main.yml
	echo "---" > roles/$(NAME)/meta/main.yml
	printf '# %s\n\nRole description here.\n' "$(NAME)" > roles/$(NAME)/README.md
	cp .scaffold/molecule.yml roles/$(NAME)/molecule/default/molecule.yml
	sed 's/ROLE_NAME_PLACEHOLDER/$(NAME)/g' .scaffold/converge.yml > roles/$(NAME)/molecule/default/converge.yml
	cp .scaffold/verify.yml   roles/$(NAME)/molecule/default/verify.yml
	@echo "Role $(NAME) scaffolded at roles/$(NAME)/"
	@echo "Next: fill in meta/main.yml, defaults/main.yml, tasks/main.yml, README.md"
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`# Ansible + Terraform homelab monorepo — Makefile`
			`# All operations go through these targets. Never run ansible-playbook or terraform directly.`

			`VENV := .venv`
			`PYTHON := $(VENV)/bin/python`
			`PIP := $(VENV)/bin/pip`
			`ANSIBLE := $(VENV)/bin/ansible`
fix(deploy): make check/deploy actually run Two latent bugs that blocked the documented deploy path (never exercised end-to-end before applying dev_env to ubongo): - Makefile: the PLAYBOOK variable was both the ansible-playbook BINARY path and the user-supplied playbook NAME, so `make check/deploy PLAYBOOK=<name>` overrode the binary. Renamed the binary var to PLAYBOOK_BIN. - ansible.cfg: stdout_callback=yaml and callbacks_enabled=timer were community.general plugins (not installed; boma only ships ansible.posix). Use the built-in default callback with callback_result_format=yaml and ansible.posix.profile_tasks — same intent, no new heavy collection. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-11 14:09:12 +02:00			`PLAYBOOK_BIN := $(VENV)/bin/ansible-playbook`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`GALAXY := $(VENV)/bin/ansible-galaxy`
			`LINT := $(VENV)/bin/ansible-lint`
			`MOLECULE := $(VENV)/bin/molecule`
Source vault password from Vaultwarden via rbw; nest vault structure Master vault password is fetched from Vaultwarden via the rbw agent (scripts/vault-pass-client.sh, wired as vault_password_file) instead of a plaintext .vault_pass. Vault secrets use a nested vault.<service>.<key> map. Encrypted vault.yml files are excluded from lint. Includes the host rename in Makefile and STATUS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 18:16:35 +02:00			`# Vault password is resolved via ansible.cfg (vault_password_file); no flag needed.`
			`VAULT_ARGS :=`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`INVENTORY := -i inventories/production/hosts.yml`

			`TF := terraform`
			`TF_ENV ?= staging`
Fix Forgejo registry path to owner/image format (review R10a) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 21:34:02 +02:00			`MOLECULE_IMAGE := forgejo.nyumbani.baobab.band/sjat/molecule-debian13:latest`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`MOLECULE_DOCKERFILE := .docker/molecule-debian13/Dockerfile`

			`.DEFAULT_GOAL := help`

			`.PHONY: help setup collections lint test test-all check deploy encrypt decrypt new-role \`
			`tf-init tf-plan tf-apply tf-output tf-inventory \`
			`molecule-image molecule-image-push`

			`help:`
			`@echo ""`
			`@echo "Ansible homelab — available targets:"`
			`@echo ""`
			`@echo " make setup Create venv and install Python deps"`
			`@echo " make collections Install Ansible collections"`
			`@echo " make lint Run yamllint + ansible-lint"`
			`@echo " make test ROLE=<name> Run Molecule tests for a role"`
			`@echo " make test-all Run Molecule tests for all roles"`
			`@echo " make check PLAYBOOK=<name> Dry-run a playbook (check mode)"`
			`@echo " make deploy PLAYBOOK=<name> Run a playbook against production"`
			`@echo " make encrypt FILE=<path> Encrypt a vault file"`
			`@echo " make decrypt FILE=<path> Decrypt a vault file"`
			`@echo " make new-role NAME=<name> Scaffold a new role"`
			`@echo ""`
			`@echo " make tf-init [TF_ENV=staging] Initialise Terraform providers"`
			`@echo " make tf-plan [TF_ENV=staging] Show Terraform plan"`
			`@echo " make tf-apply [TF_ENV=staging] Apply Terraform changes"`
			`@echo " make tf-output [TF_ENV=staging] Print Terraform outputs as JSON"`
			`@echo " make tf-inventory [TF_ENV=staging] Regenerate Ansible inventory from Terraform outputs"`
			`@echo ""`
			`@echo " TF_ENV defaults to 'staging'. Use TF_ENV=production for production."`
			`@echo ""`
			`@echo " make molecule-image Build the Molecule test image locally"`
			`@echo " make molecule-image-push Push the test image to the Forgejo registry"`
			`@echo ""`

			`# ── Environment setup ─────────────────────────────────────────────────────────`

			`setup:`
			`python3 -m venv $(VENV)`
			`$(PIP) install --upgrade pip`
			`$(PIP) install -r requirements.txt`
			`@echo "Venv ready. Activate with: source $(VENV)/bin/activate"`

			`collections:`
			`$(GALAXY) collection install -r requirements.yml --upgrade`

			`# ── Linting ───────────────────────────────────────────────────────────────────`

			`lint:`
			`$(VENV)/bin/yamllint .`
			`$(LINT)`
feat(tags): enforce tag vocabulary in make lint; fix docker_host tag Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-06 09:37:43 +02:00			`$(PYTHON) scripts/check-tags.py`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`# ── Testing ───────────────────────────────────────────────────────────────────`

			`test:`
			`ifndef ROLE`
			`$(error ROLE is required: make test ROLE=<rolename>)`
			`endif`
chore(tooling): scope ansible-lint to ansible content; venv PATH in make test Kaizen 2026-06-10 fixes: - ansible-lint pre-commit hook now `always_run: false` + a files filter for roles/playbooks/inventories YAML, so docs-/config-only commits skip it and no longer need `rbw unlock` (root cause was ansible-lint auto-decrypting the group_vars vault, not the syntax-check). - `make test`/`test-all` prepend $(CURDIR)/.venv/bin to PATH so non-activated agent runs find ansible-config/ansible-playbook. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-10 12:51:30 +02:00			`cd roles/$(ROLE) && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`test-all:`
			`@for role in roles/*/; do \`
			`echo "── Testing $$role ──"; \`
chore(tooling): scope ansible-lint to ansible content; venv PATH in make test Kaizen 2026-06-10 fixes: - ansible-lint pre-commit hook now `always_run: false` + a files filter for roles/playbooks/inventories YAML, so docs-/config-only commits skip it and no longer need `rbw unlock` (root cause was ansible-lint auto-decrypting the group_vars vault, not the syntax-check). - `make test`/`test-all` prepend $(CURDIR)/.venv/bin to PATH so non-activated agent runs find ansible-config/ansible-playbook. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-10 12:51:30 +02:00			`cd $$role && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test; cd ../..; \`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`done`

			`# ── Playbook execution ────────────────────────────────────────────────────────`

			`check:`
			`ifndef PLAYBOOK`
			`$(error PLAYBOOK is required: make check PLAYBOOK=<name>)`
			`endif`
fix(deploy): make check/deploy actually run Two latent bugs that blocked the documented deploy path (never exercised end-to-end before applying dev_env to ubongo): - Makefile: the PLAYBOOK variable was both the ansible-playbook BINARY path and the user-supplied playbook NAME, so `make check/deploy PLAYBOOK=<name>` overrode the binary. Renamed the binary var to PLAYBOOK_BIN. - ansible.cfg: stdout_callback=yaml and callbacks_enabled=timer were community.general plugins (not installed; boma only ships ansible.posix). Use the built-in default callback with callback_result_format=yaml and ansible.posix.profile_tasks — same intent, no new heavy collection. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-11 14:09:12 +02:00			`$(PLAYBOOK_BIN) $(INVENTORY) $(VAULT_ARGS) --check --diff playbooks/$(PLAYBOOK).yml`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`deploy:`
			`ifndef PLAYBOOK`
			`$(error PLAYBOOK is required: make deploy PLAYBOOK=<name>)`
			`endif`
fix(deploy): make check/deploy actually run Two latent bugs that blocked the documented deploy path (never exercised end-to-end before applying dev_env to ubongo): - Makefile: the PLAYBOOK variable was both the ansible-playbook BINARY path and the user-supplied playbook NAME, so `make check/deploy PLAYBOOK=<name>` overrode the binary. Renamed the binary var to PLAYBOOK_BIN. - ansible.cfg: stdout_callback=yaml and callbacks_enabled=timer were community.general plugins (not installed; boma only ships ansible.posix). Use the built-in default callback with callback_result_format=yaml and ansible.posix.profile_tasks — same intent, no new heavy collection. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-11 14:09:12 +02:00			`$(PLAYBOOK_BIN) $(INVENTORY) $(VAULT_ARGS) playbooks/$(PLAYBOOK).yml`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`# ── Vault ─────────────────────────────────────────────────────────────────────`

			`encrypt:`
			`ifndef FILE`
			`$(error FILE is required: make encrypt FILE=<path>)`
			`endif`
Source vault password from Vaultwarden via rbw; nest vault structure Master vault password is fetched from Vaultwarden via the rbw agent (scripts/vault-pass-client.sh, wired as vault_password_file) instead of a plaintext .vault_pass. Vault secrets use a nested vault.<service>.<key> map. Encrypted vault.yml files are excluded from lint. Includes the host rename in Makefile and STATUS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 18:16:35 +02:00			`$(ANSIBLE)-vault encrypt $(FILE)`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`decrypt:`
			`ifndef FILE`
			`$(error FILE is required: make decrypt FILE=<path>)`
			`endif`
Source vault password from Vaultwarden via rbw; nest vault structure Master vault password is fetched from Vaultwarden via the rbw agent (scripts/vault-pass-client.sh, wired as vault_password_file) instead of a plaintext .vault_pass. Vault secrets use a nested vault.<service>.<key> map. Encrypted vault.yml files are excluded from lint. Includes the host rename in Makefile and STATUS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 18:16:35 +02:00			`$(ANSIBLE)-vault decrypt $(FILE)`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`# ── Molecule test image ───────────────────────────────────────────────────────`

			`molecule-image:`
			`docker build -t $(MOLECULE_IMAGE) -f $(MOLECULE_DOCKERFILE) .`

			`molecule-image-push: molecule-image`
			`docker push $(MOLECULE_IMAGE)`

			`# ── Terraform ─────────────────────────────────────────────────────────────────`

			`tf-init:`
			`$(TF) -chdir=terraform/environments/$(TF_ENV) init`

			`tf-plan:`
			`$(TF) -chdir=terraform/environments/$(TF_ENV) plan`

			`tf-apply:`
			`$(TF) -chdir=terraform/environments/$(TF_ENV) apply`

			`tf-output:`
			`$(TF) -chdir=terraform/environments/$(TF_ENV) output -json`

			`tf-inventory:`
			`ifndef TF_ENV`
			`$(error TF_ENV is required: make tf-inventory TF_ENV=<staging\|production>)`
			`endif`
			`$(TF) -chdir=terraform/environments/$(TF_ENV) output -json \`
			`\| $(PYTHON) scripts/tf_to_inventory.py > inventories/$(TF_ENV)/hosts.yml`
			`@echo "Inventory written to inventories/$(TF_ENV)/hosts.yml"`

			`# ── Role scaffolding ──────────────────────────────────────────────────────────`

			`new-role:`
			`ifndef NAME`
			`$(error NAME is required: make new-role NAME=<rolename>)`
			`endif`
Fix make new-role: brace expansion fails under dash The mkdir used shell brace expansion {tasks,handlers,...}, which /bin/sh (dash) does not support, so new-role created one literally-named dir and then errored. make new-role had never worked on this host. Use explicit mkdir paths. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 19:35:11 +02:00			`mkdir -p roles/$(NAME)/tasks roles/$(NAME)/handlers roles/$(NAME)/defaults \`
			`roles/$(NAME)/templates roles/$(NAME)/files roles/$(NAME)/meta \`
			`roles/$(NAME)/molecule/default`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`echo "---" > roles/$(NAME)/tasks/main.yml`
			`echo "---" > roles/$(NAME)/handlers/main.yml`
			`echo "---" > roles/$(NAME)/defaults/main.yml`
			`echo "---" > roles/$(NAME)/meta/main.yml`
Apply review fixes R12-R14: printf scaffold, phantom control/ dir, Galaxy wording Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 19:19:47 +02:00			`printf '# %s\n\nRole description here.\n' "$(NAME)" > roles/$(NAME)/README.md`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`cp .scaffold/molecule.yml roles/$(NAME)/molecule/default/molecule.yml`
Wire Terraform vlan_tag and fix scaffold placeholder (R9,R11) R9: pass vlan_tag (default 20 = srv VLAN, ADR-007) from both envs to the proxmox_vm module so VMs are tagged, not on untagged vmbr0. R11: make new-role now sed-substitutes ROLE_NAME_PLACEHOLDER so scaffolded molecule converge works out of the box. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 19:34:02 +02:00			`sed 's/ROLE_NAME_PLACEHOLDER/$(NAME)/g' .scaffold/converge.yml > roles/$(NAME)/molecule/default/converge.yml`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`cp .scaffold/verify.yml roles/$(NAME)/molecule/default/verify.yml`
			`@echo "Role $(NAME) scaffolded at roles/$(NAME)/"`
			`@echo "Next: fill in meta/main.yml, defaults/main.yml, tasks/main.yml, README.md"`