boma/scripts/README.md
sjat 64f1e821d8 docs(review): 2026-06-14 repo audit — M4a doc drift + Traefik→Caddy lag
11 safe auto-fixes (docs/comments only): reverse_proxy meta stale DNS-01
description, base/playbooks/scripts/terraform/public_dns README build-state,
CAPABILITIES reverse-proxy Traefik→Caddy, README ADR list → 024, TF cax11→cx23
stamps, public_dns wildcard DNS-01→HTTP-01 comment. 29 open findings reported.
make lint green. No stale-deferred (ADR-011 open questions still open).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 18:37:54 +02:00


# scripts/
Small helper scripts. **Python standard library only** — no third-party
dependencies (keeps them runnable anywhere without a venv). One deliberate
exception: `check-vault.py` is a vault tool that needs the ansible venv (PyYAML +
`ansible-vault`) and `rbw`, so it is not run-anywhere by design.
- `tf_to_inventory.py` — reads `terraform output -json` on stdin and writes an
Ansible `hosts.yml`. Invoked by `make tf-inventory`. Data contract: **ADR-009**.
- `check-vault.py` — validates a vault file's structure (decrypts in-memory; valid
YAML; secrets under the nested `vault:` map; no empty leaves) and prints a
values-masked view. Invoked by `make check-vault` and after `make edit-vault`.
- `vault-pass-client.sh` — fetches the master vault password from Vaultwarden via
`rbw`. Wired as `vault_password_file` (ADR-002).
- `check-vault-encrypted.sh` — pre-commit guard: fails if a `vault.yml` holds
plaintext secrets.
- `check-tags.py` — enforces the closed tag vocabulary (`tests/tags.yml`) and that
each role import in a play carries its role-name tag. Invoked by `make lint`. See
**ADR-019**.
- `repo-scan.py` — Phase-0 deterministic scan for `/review-repo` (markers, broken
refs, unencrypted vaults, inventory).
- `capacity-scan.py` — deterministic capacity facts for `/capacity-review`: parses
the machine-readable tables in `docs/hardware/reference.md`, computes per-node
allocated-vs-physical rollups, and cross-checks workload hostnames against
Terraform output / Ansible inventory for drift. Emits JSON. See **ADR-012**.
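The structural checks and values-masked view described for `check-vault.py` above, as an added stdlib-only illustration (not the repository's own script): it assumes the vault file has already been decrypted and parsed into a mapping, the two steps `check-vault.py` itself does with `ansible-vault` and PyYAML, and it works on constructed sample data.

```python
# Structural checks mirroring those described for check-vault.py: every secret
# lives under the nested `vault:` map and no leaf is empty, plus a values-masked
# view. Assumes an already-decrypted, already-parsed mapping (check-vault.py
# itself handles decryption and YAML parsing; this example skips both).
# Added illustration with constructed data, not the repository's own script.

MASK = "********"

def _walk(node, path, findings):
    """Recursively record empty mappings, lists and leaves under `path`."""
    if isinstance(node, dict):
        if not node:
            findings.append(f"{path}: empty mapping")
        for key, value in node.items():
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        if not node:
            findings.append(f"{path}: empty list")
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", findings)
    elif node is None or (isinstance(node, str) and not node.strip()):
        findings.append(f"{path}: empty leaf")

def check_vault_structure(data) -> list[str]:
    """Return findings; an empty list means the structure is valid."""
    if not isinstance(data, dict):
        return ["top level is not a mapping"]
    findings: list[str] = []
    vault = data.get("vault")
    if not isinstance(vault, dict):
        findings.append("missing top-level `vault:` map")
    for key in data:
        if key != "vault":
            findings.append(f"{key}: secret outside the `vault:` map")
    if isinstance(vault, dict):
        _walk(vault, "vault", findings)
    return findings

def masked_view(node):
    """Copy of the structure with every scalar leaf replaced by MASK."""
    if isinstance(node, dict):
        return {k: masked_view(v) for k, v in node.items()}
    if isinstance(node, list):
        return [masked_view(v) for v in node]
    return MASK

# Constructed sample documents (not real secrets).
GOOD = {"vault": {"db": {"password": "s3cret"}, "api_token": "abc"}}
BAD = {"vault": {"db": {"password": ""}}, "stray_key": "leaked"}
```

`check_vault_structure(BAD)` reports both the key outside `vault:` and the empty `vault.db.password` leaf, while `masked_view` is what a safe-to-paste review output looks like.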