sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
boma/scripts
History
sjat 79f2315eee feat(make): add edit-vault + check-vault targets 
`make edit-vault` runs `ansible-vault edit` (decrypt → nvim → re-encrypt on :wq,
abort on :cq) so editing the vault is one step with no plaintext left in the work
tree, then validates structure. `make check-vault` runs scripts/check-vault.py:
decrypts in-memory, asserts valid YAML with secrets under the nested `vault:` map
and no empty leaves, and prints a values-masked structure view (comments visible,
secrets never printed). Both default to the production all-vault; override VAULT=.

Update the vault header comment, CLAUDE.md (command table + Secrets section), and
scripts/README to point at edit-vault (note check-vault.py is the one venv-
dependent helper, by design).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 09:36:15 +02:00
..
capacity-scan.py Complete capacity-scan.py: usage stub, subprocess glue, main() 2026-06-01 10:30:45 +02:00
check-tags.py fix(tags): recognize name: role key; only check roles: in plays 2026-06-06 15:20:09 +02:00
check-vault-encrypted.sh Add core Ansible scaffold, tooling, and pre-commit guards 2026-05-30 14:10:01 +02:00
check-vault.py feat(make): add edit-vault + check-vault targets 2026-06-14 09:36:15 +02:00
README.md feat(make): add edit-vault + check-vault targets 2026-06-14 09:36:15 +02:00
repo-scan.py docs(adr): fix 007/008 heading nesting; require date in Superseded status 2026-06-10 15:00:58 +02:00
tf_to_inventory.py Name and propagate the offsite_hosts inventory group (askari) 2026-06-05 18:54:54 +02:00
vault-pass-client.sh Source vault password from Vaultwarden via rbw; nest vault structure 2026-05-30 18:16:35 +02:00

README.md

scripts/

Small helper scripts. Python standard library only — no third-party dependencies (keeps them runnable anywhere without a venv). One deliberate exception: check-vault.py is a vault tool that needs the ansible venv (PyYAML + ansible-vault) and rbw, so it is not run-anywhere by design.

  • tf_to_inventory.py — reads terraform output -json on stdin and writes an Ansible hosts.yml. Invoked by make tf-inventory. Data contract: ADR-009.
  • check-vault.py — validates a vault file's structure (decrypts in-memory; valid YAML; secrets under the nested vault: map; no empty leaves) and prints a values-masked view. Invoked by make check-vault and after make edit-vault.
  • vault-pass-client.sh — fetches the master vault password from Vaultwarden via rbw. Wired as vault_password_file (ADR-002).
  • check-vault-encrypted.sh — pre-commit guard: fails if a vault.yml holds plaintext secrets.
  • repo-scan.py — Phase-0 deterministic scan for /review-repo (markers, broken refs, unencrypted vaults, inventory).
  • capacity-scan.py — deterministic capacity facts for /capacity-review: parses the machine-readable tables in docs/hardware/reference.md, computes per-node allocated-vs-physical rollups, and cross-checks workload hostnames against Terraform output / Ansible inventory for drift. Emits JSON. See ADR-012.