From 07af037ff39bbaa3048ffe95c8183fe95e5bb775 Mon Sep 17 00:00:00 2001
From: sjat
Date: Sun, 14 Jun 2026 12:05:41 +0200
Subject: [PATCH] feat(make): offsite TF token injection + directory inventory + tf-inventory-offsite
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 Makefile | 26 ++++++++++++++++++++------
 ansible.cfg | 2 +-
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index c1e9eb8..920ee1e 100644
--- a/Makefile
+++ b/Makefile
@@ -13,18 +13,26 @@ MOLECULE := $(VENV)/bin/molecule
 VAULT_ARGS :=
 # Default vault file for edit-vault / check-vault (override with VAULT=).
 VAULT ?= inventories/production/group_vars/all/vault.yml
-INVENTORY := -i inventories/production/hosts.yml
+INVENTORY := -i inventories/production/
 TF := terraform
 TF_ENV ?= staging
 MOLECULE_IMAGE := forgejo.nyumbani.baobab.band/sjat/molecule-debian13:latest
 MOLECULE_DOCKERFILE := .docker/molecule-debian13/Dockerfile
+# For TF_ENV=offsite, source the Hetzner token from the vault into the environment
+# (rbw must be unlocked). Read in-memory; never written to a tfvars file (CLAUDE.md).
+ifeq ($(TF_ENV),offsite)
+TF_TOKEN_ENV := TF_VAR_hcloud_token="$$($(ANSIBLE)-vault view inventories/production/group_vars/all/vault.yml | $(PYTHON) -c 'import sys, yaml; print(yaml.safe_load(sys.stdin)["vault"]["hetzner"]["token"])')"
+else
+TF_TOKEN_ENV :=
+endif
+
 .DEFAULT_GOAL := help
 .PHONY: help setup collections lint test test-all check deploy encrypt decrypt \
 edit-vault check-vault new-role \
- tf-init tf-plan tf-apply tf-output tf-inventory \
+ tf-init tf-plan tf-apply tf-output tf-inventory tf-inventory-offsite \
 molecule-image molecule-image-push
 help:
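Review bot: The vault read in the new `TF_TOKEN_ENV` fails silently where it is used: spliced in as the `VAR="$(…)" command` prefix of the tf-* recipes (third and fourth hunks), the shell ignores the exit status of that command substitution, so a locked rbw, a wrong vault password or a missing `vault.hetzner.token` key runs terraform with an empty `TF_VAR_hcloud_token` and the user sees a provider authentication error instead of the real cause. Turning the prefix into an `&&` chain that checks the value and exports it makes the recipe stop at the vault step, the token still only lives in that one recipe shell's environment, and the recipes that use `$(TF_TOKEN_ENV)` need no change (the empty branch stays empty). The `:=` assignment reduces `$$` to `$`, so nothing runs at parse time and an echoed recipe shows the vault command text rather than the token; the rewrite below keeps that property.
```make
ifeq ($(TF_ENV),offsite)
# := turns $$ into $, so the substitution runs in the recipe shell, never at parse
# time. A bare assignment exits with the status of its command substitution, and
# the && chain then refuses an empty value, so a locked rbw or a missing vault
# key stops the recipe instead of handing terraform an empty token.
TF_TOKEN_ENV := TF_VAR_hcloud_token="$$($(ANSIBLE)-vault view inventories/production/group_vars/all/vault.yml | $(PYTHON) -c 'import sys, yaml; print(yaml.safe_load(sys.stdin)["vault"]["hetzner"]["token"])')" \
	&& test -n "$$TF_VAR_hcloud_token" && export TF_VAR_hcloud_token &&
# … unchanged: else branch, endif …
```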
@@ -49,6 +57,7 @@ help:
 @echo " make tf-apply [TF_ENV=staging] Apply Terraform changes"
 @echo " make tf-output [TF_ENV=staging] Print Terraform outputs as JSON"
 @echo " make tf-inventory [TF_ENV=staging] Regenerate Ansible inventory from Terraform outputs"
+ @echo " make tf-inventory-offsite Generate offsite_hosts inventory (askari) into inventories/production/"
 @echo ""
 @echo " TF_ENV defaults to 'staging'. Use TF_ENV=production for production."
 @echo ""
@@ -137,16 +146,16 @@ molecule-image-push: molecule-image
 # ── Terraform ─────────────────────────────────────────────────────────────────
 tf-init:
- $(TF) -chdir=terraform/environments/$(TF_ENV) init
+ $(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) init
 tf-plan:
- $(TF) -chdir=terraform/environments/$(TF_ENV) plan
+ $(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) plan
 tf-apply:
- $(TF) -chdir=terraform/environments/$(TF_ENV) apply
+ $(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) apply
 tf-output:
- $(TF) -chdir=terraform/environments/$(TF_ENV) output -json
+ $(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) output -json
 tf-inventory:
 ifndef TF_ENV
@@ -156,6 +165,11 @@ endif
 | $(PYTHON) scripts/tf_to_inventory.py > inventories/$(TF_ENV)/hosts.yml
 @echo "Inventory written to inventories/$(TF_ENV)/hosts.yml"
+tf-inventory-offsite:
+ $(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/offsite output -json \
+ | $(PYTHON) scripts/tf_to_inventory.py > inventories/production/offsite.yml
+ @echo "Offsite inventory written to inventories/production/offsite.yml"
+
 # ── Role scaffolding ──────────────────────────────────────────────────────────
 new-role:
diff --git a/ansible.cfg b/ansible.cfg
index 157bc0c..eb79ff8 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,5 +1,5 @@
 [defaults]
-inventory = inventories/production/hosts.yml
+inventory = inventories/production/
 roles_path = roles
 collections_path = .collections
 vault_password_file = scripts/vault-pass-client.sh
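Review bot: The prefix `$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV)` is now repeated verbatim in tf-init, tf-plan, tf-apply and tf-output, and tf-inventory (whose recipe continues past this hunk) builds the same invocation again; a single recursive variable, `TF_CMD = $(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV)`, lets each recipe read `$(TF_CMD) plan` and gives one place to change how the token is supplied (recursive `=` so a per-target `TF_ENV` override still applies at recipe time). These lines are not `@`-silenced, which is fine: Make echoes a recipe after its own variable expansion but before the shell runs it, so what lands on the terminal and in CI logs is the `$(ANSIBLE)-vault view …` command text, never the token value. That is non-obvious enough to record above tf-init, e.g. `# Recipes are echoed before the shell expands $(...): logs show the vault command, never the token.`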
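Review bot: `tf-inventory-offsite` hard-codes the offsite environment directory but receives `$(TF_TOKEN_ENV)` only when the caller also passes `TF_ENV=offsite`, because the `ifeq` in the first hunk is evaluated at parse time against the default `staging`; the help text advertises a bare `make tf-inventory-offsite`, and a target-specific `TF_ENV` assignment would not help for the same parse-time reason. Whether `terraform output -json` needs the token for this backend is not visible here, so the mismatch may be harmless today, but selecting an always-defined `TF_OFFSITE_TOKEN_ENV` into `TF_TOKEN_ENV` (and using the former here directly) removes the coupling. Separately, `> inventories/production/offsite.yml` truncates the file before terraform runs, and because ansible.cfg (last hunk) now loads the whole directory, a failed or interrupted run leaves an empty or partial `offsite.yml` that every later ansible invocation reads as inventory; the pre-existing tf-inventory recipe above has the same pattern. Write to a hidden temp name and rename on success, `| $(PYTHON) scripts/tf_to_inventory.py > inventories/production/.offsite.yml.tmp \` followed by `&& mv -f inventories/production/.offsite.yml.tmp inventories/production/offsite.yml` (Ansible skips dot-files when scanning an inventory directory, so an interrupted write is never picked up).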
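Review bot: With `inventory` pointing at the directory, every parseable non-hidden file under `inventories/production/` becomes an inventory source, not just `hosts.yml` and the new `offsite.yml`, so a copied `hosts-old.yml` or a generator's `offsite.yml.tmp` left behind silently adds or changes hosts for every play, and an unparsable file only produces a warning unless `[inventory] any_unparsed_is_failed = True` is set. The default `inventory_ignore_extensions` covers editor and backup suffixes such as `.bak`, `.orig` and `.retry` but not `.tmp`, so it does not protect against such leftovers. A comment next to the key would make the contract explicit, e.g. `# Directory inventory: hosts.yml (tf-inventory) and offsite.yml (tf-inventory-offsite); every parseable file here is loaded.`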