- ADR-007: document ubongo on the legacy V4 net at 10.20.10.151 (transitional, outside the planned srv /24 until the LAN is re-cut) (O10); single authoritative boma.baobab.band -> boma.wingu.me transition note already added earlier - terraform tfvars.example + variables.tf (both envs): pve01 -> pve0 and <host>.boma.baobab.band per ADR-007 naming (O11) - ADR-012/013/015/016/017/018: convert "See also:" prose to `## Related` sections placed after Consequences, matching ADR-014/019-023 (O13) - docs/README + inventories/README: list the missing subdirs / offsite_hosts + offsite.yml merge behaviour (O14, O29 note) - ADR-009: drop the retired `nyumbani` example; use vaultwarden.wingu.me split-horizon (O19) - ROADMAP M2: askari shipped as cx23/x86 (CAX11/ARM out of stock) (O20) - ADR-020: 80/443/3478 opened in M4a (past tense); coordinator role is M4b (O21) - netbird -> netbird_coordinator across ROADMAP M4b, the M4b plan, ADR-024 (O23) - ADR-024: align the M1 DNS-01 wildcard scope wording with ROADMAP (O24) - capacity-scan.py: read the inventory directory so offsite.yml (askari) is seen (O28) - tf_to_inventory.py: generated header now warns it overwrites the manual control node (O9) - tests/tags.yml: proxy concern comment Traefik -> Caddy (missed in the O3 sweep) O9's existing stub hosts.yml header stays as-is (generator-owned, hook-protected); the fix lives in the generator for the next regeneration. make lint + pytest (57) green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| capacity-scan.py | ||
| check-tags.py | ||
| check-vault-encrypted.sh | ||
| check-vault.py | ||
| README.md | ||
| repo-scan.py | ||
| tf_to_inventory.py | ||
| vault-pass-client.sh | ||
scripts/
Small helper scripts. Python standard library only — no third-party
dependencies (keeps them runnable anywhere without a venv). One deliberate
exception: check-vault.py is a vault tool that needs the ansible venv (PyYAML +
ansible-vault) and rbw, so it is not run-anywhere by design.
tf_to_inventory.py— readsterraform output -jsonon stdin and writes an Ansiblehosts.yml. Invoked bymake tf-inventory. Data contract: ADR-009.check-vault.py— validates a vault file's structure (decrypts in-memory; valid YAML; secrets under the nestedvault:map; no empty leaves) and prints a values-masked view. Invoked bymake check-vaultand aftermake edit-vault.vault-pass-client.sh— fetches the master vault password from Vaultwarden viarbw. Wired asvault_password_file(ADR-002).check-vault-encrypted.sh— pre-commit guard: fails if avault.ymlholds plaintext secrets.check-tags.py— enforces the closed tag vocabulary (tests/tags.yml) and that each role import in a play carries its role-name tag. Invoked bymake lint. See ADR-019.repo-scan.py— Phase-0 deterministic scan for/review-repo(markers, broken refs, unencrypted vaults, inventory).capacity-scan.py— deterministic capacity facts for/capacity-review: parses the machine-readable tables indocs/hardware/reference.md, computes per-node allocated-vs-physical rollups, and cross-checks workload hostnames against Terraform output / Ansible inventory for drift. Emits JSON. See ADR-012.