sjat/boma

History

sjat 79f2315eee feat(make): add edit-vault + check-vault targets `make edit-vault` runs `ansible-vault edit` (decrypt → nvim → re-encrypt on :wq, abort on :cq) so editing the vault is one step with no plaintext left in the work tree, then validates structure. `make check-vault` runs scripts/check-vault.py: decrypts in-memory, asserts valid YAML with secrets under the nested `vault:` map and no empty leaves, and prints a values-masked structure view (comments visible, secrets never printed). Both default to the production all-vault; override VAULT=. Update the vault header comment, CLAUDE.md (command table + Secrets section), and scripts/README to point at edit-vault (note check-vault.py is the one venv- dependent helper, by design). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>		2026-06-14 09:36:15 +02:00
..
production	feat(make): add edit-vault + check-vault targets	2026-06-14 09:36:15 +02:00
staging	feat(base): shared firewall catalog/zones + firewall defaults	2026-06-06 18:49:40 +02:00
README.md	Add core Ansible scaffold, tooling, and pre-commit guards	2026-05-30 14:10:01 +02:00

README.md

inventories/

Ansible inventories, one directory per environment (staging/, production/). Defines which hosts exist and their group membership; group_vars/ and host_vars/ hold per-group and per-host configuration.

hosts.yml is generated from Terraform outputs by make tf-inventory — do not hand-edit. The control node is the one manual exception.
Terraform→inventory data flow and the data contract: ADR-009.
Addressing conventions (subnets, ranges): ADR-007.
Layout and host groups: see CLAUDE.md ("Inventory structure").