From 93f2a847c750419bc75be9edb7bb76ad21335ee0 Mon Sep 17 00:00:00 2001 From: sjat Date: Sat, 30 May 2026 19:32:37 +0200 Subject: [PATCH] Reconcile CI to trunk-based; mark base/docker_host not-built (R6-R8,R15-R16) R6/R7: ADR-003 & ADR-008 CI pipelines rewritten trunk-based (push to main -> test -> staging -> [manual gate] production); CLAUDE.md no longer forbids pushing to main. R8: STATUS/roles-README/site.yml now say base & docker_host are not built (not in git), so a clean clone errors. R15/R16: ADR-001 table flagged as intended design; dropped the unbuilt 'monitoring agent' from the baseline. Co-Authored-By: Claude Opus 4.8 (1M context) --- CLAUDE.md | 2 +- STATUS.md | 8 ++++---- docs/decisions/001-architecture.md | 7 ++++--- docs/decisions/003-toolchain.md | 8 ++++---- docs/decisions/008-testing.md | 15 ++++++--------- playbooks/site.yml | 2 ++ roles/README.md | 5 +++-- 7 files changed, 24 insertions(+), 23 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 3a8efb9..0cc493f 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -147,7 +147,7 @@ Single-contributor, trunk-based (no merge requests / approval gates): - Run `make tf-apply` — always run `make tf-plan` first and show output - Modify `inventories//hosts.yml` directly — regenerate via `make tf-inventory` - Edit vault-encrypted files directly — decrypt first, re-encrypt after -- Push to `main` branch +- Force-push or rewrite already-pushed history on `main` - Add a collection to `requirements.yml` without a specific module need in existing role tasks --- diff --git a/STATUS.md b/STATUS.md index a8ef7be..3fc1c39 100644 --- a/STATUS.md +++ b/STATUS.md @@ -26,13 +26,13 @@ _Last reviewed: 2026-05-30._ | Thing | State | |---|---| -| `roles/base/` | Empty directory. `site.yml` references it, but it applies nothing. | -| `roles/docker_host/` | Empty directory. Same. | +| `roles/base/` | Not in git — only an empty dir on disk (untracked). `site.yml` references it, so a clean clone errors on `make deploy PLAYBOOK=site` until it is built. | +| `roles/docker_host/` | Not in git. Same. | | `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts | | `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs | -So `make deploy PLAYBOOK=site` currently does effectively nothing — the roles it -calls are empty. +So `make deploy PLAYBOOK=site` currently **fails** on a clean clone — the `base` and +`docker_host` roles it calls do not exist yet. ## Designed but not built diff --git a/docs/decisions/001-architecture.md b/docs/decisions/001-architecture.md index e670441..6763a14 100644 --- a/docs/decisions/001-architecture.md +++ b/docs/decisions/001-architecture.md @@ -25,7 +25,8 @@ and the boundaries of what this Ansible monorepo manages. | Service deployment | Ansible per-service roles | Compose rendered from templates | | Secrets | Ansible Vault | Encrypted `vault.yml` files in repo | -The Terraform↔Ansible boundary and handoff are defined in ADR-009. +The Terraform↔Ansible boundary and handoff are defined in ADR-009. This table +describes the *intended* design — see STATUS.md for what is actually built. ## Host groups @@ -38,8 +39,8 @@ all The `control` group holds the single manually-provisioned control node; it is managed for baseline config (SSH, firewall, updates) but never runs the -`docker_host` role. Proxmox nodes are managed only for basic baseline tasks (SSH, -monitoring agent). Proxmox configuration itself (storage, clustering, networking) +`docker_host` role. Proxmox nodes are managed only for basic baseline tasks (SSH). +Proxmox configuration itself (storage, clustering, networking) is out of scope. ## Service interaction model diff --git a/docs/decisions/003-toolchain.md b/docs/decisions/003-toolchain.md index ce0e15b..93cf1b7 100644 --- a/docs/decisions/003-toolchain.md +++ b/docs/decisions/003-toolchain.md @@ -77,10 +77,10 @@ Config files: `.ansible-lint`, `.yamllint` in repo root. **Not chosen**: GitHub Actions (external), Jenkins (heavy) -**Pipeline**: -1. Push to any branch → lint + Molecule tests -2. Merge to `main` → lint + Molecule tests + manual approval gate -3. After approval → deploy to staging, then production +**Pipeline** (trunk-based — no pull requests; see CLAUDE.md git conventions): +1. Push to `main` → lint + Molecule tests +2. On green → deploy to staging +3. [manual promote gate] → deploy to production `act_runner` runs as a Docker container on the control node or a dedicated runner VM. diff --git a/docs/decisions/008-testing.md b/docs/decisions/008-testing.md index c86977e..b99df23 100644 --- a/docs/decisions/008-testing.md +++ b/docs/decisions/008-testing.md @@ -141,18 +141,15 @@ Behavioural correctness is confirmed on staging. ## CI pipeline ``` -push to any branch +push to main ├── yamllint + ansible-lint (fast gate, ~1 min) - └── molecule test (changed roles) (parallel, ~5 min per role) + └── molecule test (all roles) (parallel, ~5 min per role) -pull request to main - ├── yamllint + ansible-lint - ├── molecule test (all roles) (parallel) - └── [manual gate] review tf-plan and make check on staging +on green (main) + ├── review tf-plan if infra changed; make check on staging + └── [manual approval] make deploy PLAYBOOK=site on staging -merge to main - ├── yamllint + ansible-lint + molecule test (final gate) - ├── [manual approval] make deploy PLAYBOOK=site on staging +promote to production └── [manual approval] make deploy PLAYBOOK=site on production ``` diff --git a/playbooks/site.yml b/playbooks/site.yml index 8001f1e..ac6931a 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -1,6 +1,8 @@ --- # site.yml — apply full standard state to all hosts # Run via: make deploy PLAYBOOK=site +# NOTE: the `base` and `docker_host` roles are not built yet (see STATUS.md), so this +# playbook fails on a clean clone until they exist. - name: Apply base configuration to all hosts hosts: all diff --git a/roles/README.md b/roles/README.md index e78f864..6692f1d 100644 --- a/roles/README.md +++ b/roles/README.md @@ -8,5 +8,6 @@ Each role must have: a `molecule/default/` scenario (Debian 13), a populated `README.md`, and a filled-in `meta/main.yml`. Conventions: CLAUDE.md and `docs/runbooks/new-role.md`. -Current state: `base/` and `docker_host/` are scaffolded directories but **empty / -not implemented** — see `STATUS.md`. +Current state: `base` and `docker_host` are **not built yet** — they exist only as +empty, untracked dirs, so `site.yml` would fail on a clean clone. Build them with +`make new-role` when defining the baseline. See `STATUS.md`.