Kaizen 2026-06-10 fixes:
- ansible-lint pre-commit hook now `always_run: false` + a files filter for
roles/playbooks/inventories YAML, so docs-/config-only commits skip it and no
longer need `rbw unlock` (root cause was ansible-lint auto-decrypting the
group_vars vault, not the syntax-check).
- `make test`/`test-all` prepend $(CURDIR)/.venv/bin to PATH so non-activated
agent runs find ansible-config/ansible-playbook.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The mkdir used shell brace expansion {tasks,handlers,...}, which /bin/sh (dash)
does not support, so new-role created one literally-named dir and then errored.
make new-role had never worked on this host. Use explicit mkdir paths.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

R9: pass vlan_tag (default 20 = srv VLAN, ADR-007) from both envs to the
proxmox_vm module so VMs are tagged, not on untagged vmbr0. R11: make new-role
now sed-substitutes ROLE_NAME_PLACEHOLDER so scaffolded molecule converge works
out of the box.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Master vault password is fetched from Vaultwarden via the rbw agent
(scripts/vault-pass-client.sh, wired as vault_password_file) instead of a
plaintext .vault_pass. Vault secrets use a nested vault.<service>.<key> map.
Encrypted vault.yml files are excluded from lint. Includes the host rename in
Makefile and STATUS.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
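
An added example, not the repository's scripts/vault-pass-client.sh (its contents are not shown on this page): a POSIX sh vault password client of the kind the last commit message describes, which fails closed when the rbw agent is locked and keeps diagnostics off stdout. The function name `vault_pass_client` and the `ansible-vault-` entry prefix are assumptions; `rbw unlocked` and `rbw get` are the rbw commands it relies on.

```shell
#!/bin/sh
# Added example: Ansible vault password client backed by the rbw agent.
# Ansible treats a vault_password_file whose name ends in "-client"
# (extension ignored) as a client script and runs it with --vault-id <id>.
# ENTRY_PREFIX is a hypothetical Vaultwarden entry naming scheme.
ENTRY_PREFIX="${ENTRY_PREFIX:-ansible-vault-}"

vault_pass_client() {
    vault_id="default"
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --vault-id)
                [ "$#" -ge 2 ] || { echo "missing value for --vault-id" >&2; return 2; }
                vault_id="$2"; shift 2 ;;
            --vault-id=*)
                vault_id="${1#--vault-id=}"; shift ;;
            *)
                echo "unexpected argument: $1" >&2; return 2 ;;
        esac
    done

    # Accept only simple ids so the value cannot be read by rbw as an option.
    case "$vault_id" in
        ''|-*|*[!A-Za-z0-9_.-]*)
            echo "refusing vault id: $vault_id" >&2; return 2 ;;
    esac

    # Fail closed instead of prompting: a locked agent means no password.
    if ! rbw unlocked >/dev/null 2>&1; then
        echo "rbw agent is locked; run 'rbw unlock' first" >&2
        return 1
    fi

    # Ansible reads the password from stdout; diagnostics go to stderr only.
    secret="$(rbw get "${ENTRY_PREFIX}${vault_id}")" || return 1
    [ -n "$secret" ] || { echo "empty secret for $vault_id" >&2; return 1; }
    printf '%s\n' "$secret"
}

# Run only when installed under a client name, not when sourced elsewhere.
case "${0##*/}" in
    *-client|*-client.sh) vault_pass_client "$@" ;;
esac
```

Because the script never prompts, a run with a locked agent stops with a non-zero exit and a message on stderr rather than hanging on a pinentry dialog.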