feat(make): offsite TF token injection + directory inventory + tf-inventory-offsite

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Makefile

@@ -13,18 +13,26 @@ MOLECULE    := $(VENV)/bin/molecule
 VAULT_ARGS  :=
 # Default vault file for edit-vault / check-vault (override with VAULT=<path>).
 VAULT       ?= inventories/production/group_vars/all/vault.yml
-INVENTORY   := -i inventories/production/hosts.yml
+INVENTORY   := -i inventories/production/
 
 TF              := terraform
 TF_ENV          ?= staging
 MOLECULE_IMAGE  := forgejo.nyumbani.baobab.band/sjat/molecule-debian13:latest
 MOLECULE_DOCKERFILE := .docker/molecule-debian13/Dockerfile
 
+# For TF_ENV=offsite, source the Hetzner token from the vault into the environment
+# (rbw must be unlocked). Read in-memory; never written to a tfvars file (CLAUDE.md).
+ifeq ($(TF_ENV),offsite)
+TF_TOKEN_ENV := TF_VAR_hcloud_token="$$($(ANSIBLE)-vault view inventories/production/group_vars/all/vault.yml | $(PYTHON) -c 'import sys, yaml; print(yaml.safe_load(sys.stdin)["vault"]["hetzner"]["token"])')"
+else
+TF_TOKEN_ENV :=
+endif
+
 .DEFAULT_GOAL := help
 
 .PHONY: help setup collections lint test test-all check deploy encrypt decrypt \
         edit-vault check-vault new-role \
-        tf-init tf-plan tf-apply tf-output tf-inventory \
+        tf-init tf-plan tf-apply tf-output tf-inventory tf-inventory-offsite \
         molecule-image molecule-image-push
 
 help:
@@ -49,6 +57,7 @@ help:
 	@echo "  make tf-apply [TF_ENV=staging]     Apply Terraform changes"
 	@echo "  make tf-output [TF_ENV=staging]    Print Terraform outputs as JSON"
 	@echo "  make tf-inventory [TF_ENV=staging] Regenerate Ansible inventory from Terraform outputs"
+	@echo "  make tf-inventory-offsite          Generate offsite_hosts inventory (askari) into inventories/production/"
 	@echo ""
 	@echo "  TF_ENV defaults to 'staging'. Use TF_ENV=production for production."
 	@echo ""
@@ -137,16 +146,16 @@ molecule-image-push: molecule-image
 # ── Terraform ─────────────────────────────────────────────────────────────────
 
 tf-init:
-	$(TF) -chdir=terraform/environments/$(TF_ENV) init
+	$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) init
 
 tf-plan:
-	$(TF) -chdir=terraform/environments/$(TF_ENV) plan
+	$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) plan
 
 tf-apply:
-	$(TF) -chdir=terraform/environments/$(TF_ENV) apply
+	$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) apply
 
 tf-output:
-	$(TF) -chdir=terraform/environments/$(TF_ENV) output -json
+	$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) output -json
 
 tf-inventory:
 ifndef TF_ENV
@@ -156,6 +165,11 @@ endif
 	  | $(PYTHON) scripts/tf_to_inventory.py > inventories/$(TF_ENV)/hosts.yml
 	@echo "Inventory written to inventories/$(TF_ENV)/hosts.yml"
 
+tf-inventory-offsite:
+	$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/offsite output -json \
+	  | $(PYTHON) scripts/tf_to_inventory.py > inventories/production/offsite.yml
+	@echo "Offsite inventory written to inventories/production/offsite.yml"
+
 # ── Role scaffolding ──────────────────────────────────────────────────────────
 
 new-role:

ansible.cfg

@@ -1,5 +1,5 @@
 [defaults]
-inventory           = inventories/production/hosts.yml
+inventory           = inventories/production/
 roles_path          = roles
 collections_path    = .collections
 vault_password_file = scripts/vault-pass-client.sh