Reconcile CI to trunk-based; mark base/docker_host not-built (R6-R8,R15-R16)

R6/R7: ADR-003 & ADR-008 CI pipelines rewritten trunk-based (push to main ->
test -> staging -> [manual gate] production); CLAUDE.md no longer forbids pushing
to main. R8: STATUS/roles-README/site.yml now say base & docker_host are not built
(not in git), so a clean clone errors. R15/R16: ADR-001 table flagged as intended
design; dropped the unbuilt 'monitoring agent' from the baseline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sjat 2026-05-30 19:32:37 +02:00
parent bb2179a288
commit 93f2a847c7
7 changed files with 24 additions and 23 deletions


@ -147,7 +147,7 @@ Single-contributor, trunk-based (no merge requests / approval gates):
- Run `make tf-apply` — always run `make tf-plan` first and show output - Run `make tf-apply` — always run `make tf-plan` first and show output
- Modify `inventories/<env>/hosts.yml` directly — regenerate via `make tf-inventory` - Modify `inventories/<env>/hosts.yml` directly — regenerate via `make tf-inventory`
- Edit vault-encrypted files directly — decrypt first, re-encrypt after - Edit vault-encrypted files directly — decrypt first, re-encrypt after
- Push to `main` branch - Force-push or rewrite already-pushed history on `main`
- Add a collection to `requirements.yml` without a specific module need in existing role tasks - Add a collection to `requirements.yml` without a specific module need in existing role tasks
--- ---
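Review bot: the replacement bullet makes "no force-push or history rewrite on `main`" a convention only, and since this commit also allows direct pushes to `main` and has CI deploy from `main` (ADR-008), a rewritten `main` would be deployed as-is. Suggest backing the bullet with a Gitea branch-protection rule on `main` that disallows force-push, and mentioning that rule here so the stated convention and the enforced control match.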


@ -26,13 +26,13 @@ _Last reviewed: 2026-05-30._
| Thing | State | | Thing | State |
|---|---| |---|---|
| `roles/base/` | Empty directory. `site.yml` references it, but it applies nothing. | | `roles/base/` | Not in git — only an empty dir on disk (untracked). `site.yml` references it, so a clean clone errors on `make deploy PLAYBOOK=site` until it is built. |
| `roles/docker_host/` | Empty directory. Same. | | `roles/docker_host/` | Not in git. Same. |
| `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts | | `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts |
| `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs | | `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs |
So `make deploy PLAYBOOK=site` currently does effectively nothing — the roles it So `make deploy PLAYBOOK=site` currently **fails** on a clean clone — the `base` and
calls are empty. `docker_host` roles it calls do not exist yet.
## Designed but not built ## Designed but not built
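Review bot: "only an empty dir on disk (untracked)" in the `roles/base/` row describes one working copy, not the repository; git does not track empty directories, so a clean clone has no such dir at all. Suggest reducing the `roles/base/` and `roles/docker_host/` rows to "Not in git" plus the clean-clone failure note, so STATUS.md stays accurate regardless of whose checkout is inspected.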


@ -25,7 +25,8 @@ and the boundaries of what this Ansible monorepo manages.
| Service deployment | Ansible per-service roles | Compose rendered from templates | | Service deployment | Ansible per-service roles | Compose rendered from templates |
| Secrets | Ansible Vault | Encrypted `vault.yml` files in repo | | Secrets | Ansible Vault | Encrypted `vault.yml` files in repo |
The Terraform↔Ansible boundary and handoff are defined in ADR-009. The Terraform↔Ansible boundary and handoff are defined in ADR-009. This table
describes the *intended* design — see STATUS.md for what is actually built.
## Host groups ## Host groups
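Review bot: now that the table is labelled intended design, the Secrets row ("Encrypted `vault.yml` files in repo") should have a matching line in STATUS.md saying whether any vault file exists yet, so readers do not assume secrets handling is already in place; also consider making "see STATUS.md" a relative link rather than a bare filename.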
@ -38,8 +39,8 @@ all
The `control` group holds the single manually-provisioned control node; it is The `control` group holds the single manually-provisioned control node; it is
managed for baseline config (SSH, firewall, updates) but never runs the managed for baseline config (SSH, firewall, updates) but never runs the
`docker_host` role. Proxmox nodes are managed only for basic baseline tasks (SSH, `docker_host` role. Proxmox nodes are managed only for basic baseline tasks (SSH).
monitoring agent). Proxmox configuration itself (storage, clustering, networking) Proxmox configuration itself (storage, clustering, networking)
is out of scope. is out of scope.
## Service interaction model ## Service interaction model
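Review bot: dropping "monitoring agent" leaves SSH as the only documented baseline item for Proxmox nodes, while the control node keeps "SSH, firewall, updates"; state whether firewall and updates also apply to Proxmox nodes, and record the monitoring agent under STATUS.md's "Designed but not built" rather than deleting it, so the hypervisors' missing monitoring coverage stays visible as a gap instead of disappearing from the design.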


@ -77,10 +77,10 @@ Config files: `.ansible-lint`, `.yamllint` in repo root.
**Not chosen**: GitHub Actions (external), Jenkins (heavy) **Not chosen**: GitHub Actions (external), Jenkins (heavy)
**Pipeline**: **Pipeline** (trunk-based — no pull requests; see CLAUDE.md git conventions):
1. Push to any branch → lint + Molecule tests 1. Push to `main` → lint + Molecule tests
2. Merge to `main` → lint + Molecule tests + manual approval gate 2. On green → deploy to staging
3. After approval → deploy to staging, then production 3. [manual promote gate] → deploy to production
`act_runner` runs as a Docker container on the control node or a dedicated runner VM. `act_runner` runs as a Docker container on the control node or a dedicated runner VM.
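Review bot: step 2 "On green → deploy to staging" has no gate, but the ADR-003 diagram in this same commit puts "[manual approval] make deploy PLAYBOOK=site on staging" before the staging deploy; the two ADRs should agree on whether staging is auto-deployed. Also spell out what "green" means, e.g. "2. Lint + all Molecule jobs green → deploy to staging", so the fast lint gate alone cannot trigger a deploy.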


@ -141,18 +141,15 @@ Behavioural correctness is confirmed on staging.
## CI pipeline ## CI pipeline
``` ```
push to any branch push to main
├── yamllint + ansible-lint (fast gate, ~1 min) ├── yamllint + ansible-lint (fast gate, ~1 min)
└── molecule test (changed roles) (parallel, ~5 min per role) └── molecule test (all roles) (parallel, ~5 min per role)
pull request to main on green (main)
├── yamllint + ansible-lint ├── review tf-plan if infra changed; make check on staging
├── molecule test (all roles) (parallel) └── [manual approval] make deploy PLAYBOOK=site on staging
└── [manual gate] review tf-plan and make check on staging
merge to main promote to production
├── yamllint + ansible-lint + molecule test (final gate)
├── [manual approval] make deploy PLAYBOOK=site on staging
└── [manual approval] make deploy PLAYBOOK=site on production └── [manual approval] make deploy PLAYBOOK=site on production
``` ```
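Review bot: this diagram gates the staging deploy behind "[manual approval]" while ADR-008's pipeline list (same commit) deploys to staging automatically on green; pick one and mirror it in both documents. Two smaller points: "review tf-plan if infra changed" is a human step sitting under the automated "on green (main)" branch, so mark it "[manual]" like the other gates; and switching from "molecule test (changed roles)" to "(all roles)" on every push to `main`, at ~5 min per role, is a runtime change the ADR text should acknowledge.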


@ -1,6 +1,8 @@
--- ---
# site.yml — apply full standard state to all hosts # site.yml — apply full standard state to all hosts
# Run via: make deploy PLAYBOOK=site # Run via: make deploy PLAYBOOK=site
# NOTE: the `base` and `docker_host` roles are not built yet (see STATUS.md), so this
# playbook fails on a clean clone until they exist.
- name: Apply base configuration to all hosts - name: Apply base configuration to all hosts
hosts: all hosts: all
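Review bot: the NOTE only documents the failure; on a clean clone the play still dies with Ansible's generic missing-role error. If the goal is an explicit failure, consider a `pre_tasks` check (`ansible.builtin.stat` on `roles/base/tasks/main.yml` followed by `ansible.builtin.assert`) that fails with this same message, or comment the two roles out of `site.yml` until they are built.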


@ -8,5 +8,6 @@ Each role must have: a `molecule/default/` scenario (Debian 13), a populated
`README.md`, and a filled-in `meta/main.yml`. Conventions: CLAUDE.md and `README.md`, and a filled-in `meta/main.yml`. Conventions: CLAUDE.md and
`docs/runbooks/new-role.md`. `docs/runbooks/new-role.md`.
Current state: `base/` and `docker_host/` are scaffolded directories but **empty / Current state: `base` and `docker_host` are **not built yet** — they exist only as
not implemented** — see `STATUS.md`. empty, untracked dirs, so `site.yml` would fail on a clean clone. Build them with
`make new-role` when defining the baseline. See `STATUS.md`.
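Review bot: `make new-role` appears here for the first time in this diff; confirm the Makefile target exists and that it scaffolds exactly what the paragraph above requires (a `molecule/default/` scenario for Debian 13, a populated `README.md`, a filled-in `meta/main.yml`), or point at `docs/runbooks/new-role.md` instead. The "empty, untracked dirs" wording has the same working-copy problem as the STATUS.md rows: a clean clone has no such dirs.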