First /review-repo run on boma. Hardened repo-scan.py (no TODO.md/prose false positives). Applied 7 safe fixes (DNS staleness x2, STATUS factual correction, hosts.yml path generalisation, trunk-based wording x2, scripts/README). Recorded the run and 17 open findings in docs/reviews/2026-05-30-*. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
3.1 KiB
# Project status — what's real vs planned
This repo is partly aspirational: the ADRs in docs/decisions/ describe the
intended design, and some of it is not built yet. This file is the ground
truth. Before relying on a role, provider, or pipeline existing, check here.
If something is listed as "designed, not built", do not assume it works.
Last reviewed: 2026-05-30.
## Real and working today

| Thing | State |
|---|---|
| `playbooks/bootstrap.yml` | Works — self-contained (installs Python, creates the `ansible` user + sudoers) |
| `scripts/tf_to_inventory.py` | Works — stdlib only; `terraform output -json` → `hosts.yml` |
| `.docker/molecule-debian13/Dockerfile` | Present — custom Molecule test image (ADR-008) |
| `docs/decisions/*`, `docs/runbooks/*` | Current and mutually reconciled |
| `Makefile`, lint config (`.ansible-lint`, `.yamllint`), `.gitignore` | Present and used |
| git | Initialized, trunk-based on `main`, pushed to origin (`forgejo.nyumbani.baobab.band:7577`) |
| Pre-commit hooks | Configured: lint, gitleaks, vault-encryption guard. Activate with `pre-commit install` after `make setup`. |
| Vault password client | `scripts/vault-pass-client.sh` fetches the master password from Vaultwarden via `rbw` (wired as `vault_password_file`). Requires `rbw` installed + `rbw unlock`. |
| `/review-repo` | Repo audit: `scripts/repo-scan.py` (Phase 0) + `.claude/commands/review-repo.md`, reports to `docs/reviews/`. On-demand only; cron + email deferred (`docs/TODO.md`). |
| Terraform HCL (`terraform/`) | Written (Proxmox VM module + envs) — but never run; see below |
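The vault-encryption guard in the pre-commit row is the control that keeps plaintext secrets out of `git`, so it is worth seeing what a fail-closed version looks like. The script below is an added example written for this page, not the repo's own hook: it assumes a hypothetical naming convention (any staged path containing a `vault` component must be a full-file `ansible-vault` envelope) and a hypothetical script path `scripts/vault-guard.py`. The header it checks for is the `$ANSIBLE_VAULT;1.1;AES256` / `$ANSIBLE_VAULT;1.2;AES256;<label>` envelope that `ansible-vault encrypt` writes.

```python
"""Pre-commit guard that refuses to commit unencrypted Ansible Vault files.

Added example for this STATUS page, not the repo's own hook. Assumed
convention (hypothetical): any staged file with 'vault' in its path
(e.g. group_vars/all/vault.yml, host_vars/pve01/vault) must be a
full-file ansible-vault envelope. Inline `!vault` values do not satisfy
this check, so they belong in files that are not vault-named.

Wire it into .pre-commit-config.yaml as a local hook, roughly:
    entry: python3 scripts/vault-guard.py   # hypothetical path
    language: system
    files: vault
pre-commit then passes the staged file names as argv.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import Mapping

# Envelope header written by ansible-vault: format 1.1 has no label,
# format 1.2 appends ';<vault-id label>'. It must be the very first line.
VAULT_HEADER = re.compile(rb"\A\$ANSIBLE_VAULT;1\.[12];AES256(?:;[^\r\n;]+)?(?:\r?\n|\Z)")

# Hypothetical naming convention: a path component or stem containing 'vault'.
# 'vaultwarden' does not match, because 'vault' must end at a separator.
VAULT_PATH = re.compile(r"(?:^|[/._-])vault(?:[/._-]|$)", re.IGNORECASE)


def is_vault_path(path: str) -> bool:
    """True if the path should, by convention, hold encrypted vault content."""
    return VAULT_PATH.search(path.replace("\\", "/")) is not None


def is_encrypted(data: bytes) -> bool:
    """True if the bytes start with an ansible-vault envelope header."""
    return VAULT_HEADER.match(data) is not None


def find_unencrypted(files: Mapping[str, bytes]) -> list[str]:
    """Return vault-named paths whose content is not an encrypted envelope.

    Empty files are reported too: an empty vault.yml is a stub someone will
    fill with plaintext later, so the guard fails closed on it.
    """
    return sorted(
        path for path, data in files.items()
        if is_vault_path(path) and not is_encrypted(data)
    )


def main(argv: list[str]) -> int:
    """Read the staged paths from disk; exit 1 if any vault file is plaintext."""
    staged = {p: Path(p).read_bytes() for p in argv if Path(p).is_file()}
    bad = find_unencrypted(staged)
    for path in bad:
        print(f"vault-guard: {path} is not ansible-vault encrypted", file=sys.stderr)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The guard only inspects the envelope header, which is all `ansible-vault` guarantees about the first line; a vault-named YAML file that carries inline `!vault` values in otherwise plaintext YAML is rejected, which is the intended fail-closed behaviour. Pair it with gitleaks rather than replacing it: gitleaks catches secrets in files that do not follow the naming convention, this hook catches the specific case of a vault file committed before `ansible-vault encrypt` was run.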
## Scaffolded but empty — NOT implemented

| Thing | State |
|---|---|
| `roles/base/` | Empty directory. `site.yml` references it, but it applies nothing. |
| `roles/docker_host/` | Empty directory. Same. |
| `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts |
| `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs |
So `make deploy PLAYBOOK=site` currently does effectively nothing — the roles it
calls are empty.
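The `terraform output -json` → `hosts.yml` step that `make tf-inventory` runs is the one piece of glue between the Terraform and Ansible halves of this repo, and the stubs above are what it must produce while Terraform has no hosts. The script below is an added example written for this page, not the repo's `scripts/tf_to_inventory.py` (whose exact schema this page does not spell out). It assumes a hypothetical Terraform output named `vms` mapping VM name to `{"ip": ..., "groups": [...]}`, takes the group names from the `group_vars/` directories listed above, and embeds a constructed sample of the Terraform JSON so it runs offline.

```python
"""Turn `terraform output -json` into an Ansible `hosts.yml` using only the stdlib.

Added example for this STATUS page, not the repo's scripts/tf_to_inventory.py
(the page does not spell out that script's schema). Assumed, hypothetical
input shape: a Terraform output named `vms` whose value maps VM name ->
{"ip": "<ipv4>", "groups": ["<inventory group>", ...]}. Groups known from
inventories/production/group_vars/ are always emitted, with `hosts: {}` when
Terraform has no hosts yet, so the result matches the current stubs.
"""
from __future__ import annotations

import json
import re
import subprocess
import sys

KNOWN_GROUPS = ("docker_hosts", "proxmox_hosts")

# Terraform output is untrusted input to the YAML writer: only emit tokens that
# cannot change YAML structure (no quotes, colons, braces, hashes or newlines).
SAFE_NAME = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9._-]{0,62}\Z")
SAFE_IPV4 = re.compile(r"\A(?:\d{1,3}\.){3}\d{1,3}\Z")

# Constructed sample of `terraform output -json` (not real output from the repo).
SAMPLE_TF_OUTPUT = """{
  "vms": {
    "sensitive": false,
    "type": ["object", {}],
    "value": {
      "web01": {"ip": "10.0.20.11", "groups": ["docker_hosts"]},
      "web02": {"ip": "10.0.20.12", "groups": ["docker_hosts"]},
      "pve01": {"ip": "10.0.10.5", "groups": ["proxmox_hosts"]}
    }
  }
}"""


def parse_tf_output(raw: str) -> dict:
    """Extract the `vms` output value; `{}` (no outputs yet) yields an empty map."""
    doc = json.loads(raw or "{}")
    vms_out = doc.get("vms") if isinstance(doc, dict) else None
    value = vms_out.get("value") if isinstance(vms_out, dict) else None
    return value if isinstance(value, dict) else {}


def build_inventory(vms: dict) -> dict:
    """Return {group: {host: {"ansible_host": ip}}}; known groups are always present."""
    inv: dict = {group: {} for group in KNOWN_GROUPS}
    for name, spec in sorted(vms.items()):
        ip = str(spec.get("ip", "")) if isinstance(spec, dict) else ""
        if not SAFE_NAME.match(name) or not SAFE_IPV4.match(ip):
            raise ValueError(f"refusing unsafe host entry: {name!r} -> {ip!r}")
        for group in spec.get("groups", []):
            if not isinstance(group, str) or not SAFE_NAME.match(group):
                raise ValueError(f"refusing unsafe group name: {group!r}")
            inv.setdefault(group, {})[name] = {"ansible_host": ip}
    return inv


def render_hosts_yml(inv: dict) -> str:
    """Render the YAML inventory by hand; empty groups render as `hosts: {}`."""
    lines = ["all:", "  children:"]
    for group in sorted(inv):
        lines.append(f"    {group}:")
        if not inv[group]:
            lines.append("      hosts: {}")
            continue
        lines.append("      hosts:")
        for host, hostvars in sorted(inv[group].items()):
            lines.append(f"        {host}:")
            lines.append(f"          ansible_host: {hostvars['ansible_host']}")
    return "\n".join(lines) + "\n"


def tf_to_hosts_yml(raw: str) -> str:
    """Full pipeline on a JSON string, so the conversion can be exercised offline."""
    return render_hosts_yml(build_inventory(parse_tf_output(raw)))


def main() -> int:
    """Run `terraform output -json` in the current directory and print hosts.yml."""
    proc = subprocess.run(["terraform", "output", "-json"], check=True,
                          capture_output=True, text=True)
    sys.stdout.write(tf_to_hosts_yml(proc.stdout))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two design points carry over to any real converter: the writer refuses names and addresses that could alter YAML structure rather than trying to quote them, because Terraform output ultimately comes from whatever the provider returned; and an empty `terraform output -json` (the state this repo is in today) still yields the known groups with `hosts: {}`, so the generated file matches the committed stubs instead of silently dropping groups that `group_vars/` expects.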
## Designed but not built

| Thing | Designed in | Notes |
|---|---|---|
| `dns` role (renders the internal zone) | ADR-007 / ADR-009 | Does not exist. Internal DNS ownership is assigned to it by design. |
| Terraform actually provisioning | ADR-006 / ADR-009 | Never `terraform init`ed: no `.terraform.lock.hcl`, no state, no real `local.vms` entries |
| CI (Forgejo Actions) | ADR-003 / ADR-008 | Pipeline described; the remote is live (pushed), but the Actions/act_runner pipeline is not yet built |
| Level 2 / 3 testing (staging, askari smoke) | ADR-008 | Depends on real VMs / askari, which don't exist yet |
| Per-service roles | ADR-004 | Model defined; no service roles built |
## Keeping this honest
Update this file whenever you build, stub, or remove something. It is the first place an AI tool or new contributor should look to learn what they can actually rely on. When a row moves from "designed" to "working", move it up — don't leave stale optimism here.