Wire Terraform vlan_tag and fix scaffold placeholder (R9,R11)

R9: pass vlan_tag (default 20 = srv VLAN, ADR-007) from both envs to the
proxmox_vm module so VMs are tagged, not on untagged vmbr0. R11: make new-role
now sed-substitutes ROLE_NAME_PLACEHOLDER so scaffolded molecule converge works
out of the box.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.claude/commands/new-role.md

@@ -5,7 +5,7 @@ Role name: $ARGUMENTS
 ## Steps
 
 1. Run `make new-role NAME=$ARGUMENTS` to create the directory structure
-2. Update `roles/$ARGUMENTS/molecule/default/converge.yml` — replace `ROLE_NAME_PLACEHOLDER` with `$ARGUMENTS`
+2. Verify `roles/$ARGUMENTS/molecule/default/converge.yml` references `$ARGUMENTS` (auto-substituted by `make new-role`)
 3. Fill in `roles/$ARGUMENTS/meta/main.yml` with role metadata (Debian 13 platform)
 4. Add well-commented placeholder variables to `roles/$ARGUMENTS/defaults/main.yml` using `$ARGUMENTS__varname` namespace
 5. Write initial tasks in `roles/$ARGUMENTS/tasks/main.yml`:

Makefile

@@ -153,7 +153,7 @@ endif
 	echo "---" > roles/$(NAME)/meta/main.yml
 	printf '# %s\n\nRole description here.\n' "$(NAME)" > roles/$(NAME)/README.md
 	cp .scaffold/molecule.yml roles/$(NAME)/molecule/default/molecule.yml
-	cp .scaffold/converge.yml roles/$(NAME)/molecule/default/converge.yml
+	sed 's/ROLE_NAME_PLACEHOLDER/$(NAME)/g' .scaffold/converge.yml > roles/$(NAME)/molecule/default/converge.yml
 	cp .scaffold/verify.yml   roles/$(NAME)/molecule/default/verify.yml
 	@echo "Role $(NAME) scaffolded at roles/$(NAME)/"
 	@echo "Next: fill in meta/main.yml, defaults/main.yml, tasks/main.yml, README.md"

terraform/environments/production/main.tf

@@ -29,6 +29,7 @@ module "vms" {
   datastore_id      = var.vm_datastore_id
   ip_address        = each.value.ip
   gateway           = var.gateway
+  vlan_tag          = var.vlan_tag
   dns_servers       = var.dns_servers
   dns_domain        = var.dns_domain
   ssh_public_keys   = var.ssh_public_keys

terraform/environments/production/variables.tf

@@ -38,6 +38,12 @@ variable "gateway" {
   type        = string
 }
 
+variable "vlan_tag" {
+  description = "802.1q VLAN tag for provisioned VMs — srv VLAN (ADR-007)"
+  type        = number
+  default     = 20
+}
+
 variable "dns_servers" {
   description = "DNS servers provided to VMs via cloud-init"
   type        = list(string)

terraform/environments/staging/main.tf

@@ -23,6 +23,7 @@ module "vms" {
   datastore_id      = var.vm_datastore_id
   ip_address        = each.value.ip
   gateway           = var.gateway
+  vlan_tag          = var.vlan_tag
   dns_servers       = var.dns_servers
   dns_domain        = var.dns_domain
   ssh_public_keys   = var.ssh_public_keys

terraform/environments/staging/variables.tf

@@ -38,6 +38,12 @@ variable "gateway" {
   type        = string
 }
 
+variable "vlan_tag" {
+  description = "802.1q VLAN tag for provisioned VMs — srv VLAN (ADR-007)"
+  type        = number
+  default     = 20
+}
+
 variable "dns_servers" {
   description = "DNS servers provided to VMs via cloud-init"
   type        = list(string)