sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
boma/scripts
History
sjat 8ca42c389c fix(integration): fix VM boot: hostname, netplan, known_hosts handling 
Three fixes found during askari_inputonly integration-test development:

1. Hostname sanitization: cloud-init rejects underscores in local-hostname
   (silently skips network-config → VM never gets DHCP). Sanitize with
   name.replace("_", "-") for the meta-data hostname; paths/domain names
   keep the original (underscore is valid there).

2. Netplan explicit interface: match.name: en* with a named key produces a
   .network file that networkd never DHCPs. Use explicit enp1s0 (all virtio
   NICs in these KVM VMs) + renderer: networkd to bypass the bug.

3. ansible_ssh_common_args in the generated hosts.yml: integration VMs
   reuse IPs (different VMs at same 192.168.150.x lease). StrictHostKey
   accept-new from ansible.cfg blocks changed keys. Add StrictHostKeyChecking=no
   + UserKnownHostsFile=/dev/null per-host to the generated inventory so
   stale known_hosts entries never block the apply step.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 19:15:07 +02:00
..
capacity-scan.py docs: reconcile lower-severity review findings (O9-O24) 2026-06-14 19:31:40 +02:00
check-tags.py fix(tags): recognize name: role key; only check roles: in plays 2026-06-06 15:20:09 +02:00
check-vault-encrypted.sh Add core Ansible scaffold, tooling, and pre-commit guards 2026-05-30 14:10:01 +02:00
check-vault.py feat(vault): CHANGEME placeholder convention + check-vault flags them 2026-06-14 15:40:37 +02:00
friction-scan.py fix(kaizen): scope still_exists to repo paths; test age nudge; tidy --today 2026-06-14 21:25:03 +02:00
integration-vm.py fix(integration): fix VM boot: hostname, netplan, known_hosts handling 2026-06-19 19:15:07 +02:00
README.md docs(review): 2026-06-14 repo audit — M4a doc drift + Traefik→Caddy lag 2026-06-14 18:37:54 +02:00
registry-login.sh feat(make): registry-login via vaulted Forgejo token (kaizen) 2026-06-17 17:50:07 +02:00
repo-scan.py feat(scan): repo-scan rename-incomplete check (kaizen) 2026-06-17 17:49:41 +02:00
tf_to_inventory.py docs: reconcile lower-severity review findings (O9-O24) 2026-06-14 19:31:40 +02:00
vault-pass-client.sh Source vault password from Vaultwarden via rbw; nest vault structure 2026-05-30 18:16:35 +02:00

README.md

scripts/

Small helper scripts. Python standard library only — no third-party dependencies (keeps them runnable anywhere without a venv). One deliberate exception: check-vault.py is a vault tool that needs the ansible venv (PyYAML + ansible-vault) and rbw, so it is not run-anywhere by design.

  • tf_to_inventory.py — reads terraform output -json on stdin and writes an Ansible hosts.yml. Invoked by make tf-inventory. Data contract: ADR-009.
  • check-vault.py — validates a vault file's structure (decrypts in-memory; valid YAML; secrets under the nested vault: map; no empty leaves) and prints a values-masked view. Invoked by make check-vault and after make edit-vault.
  • vault-pass-client.sh — fetches the master vault password from Vaultwarden via rbw. Wired as vault_password_file (ADR-002).
  • check-vault-encrypted.sh — pre-commit guard: fails if a vault.yml holds plaintext secrets.
  • check-tags.py — enforces the closed tag vocabulary (tests/tags.yml) and that each role import in a play carries its role-name tag. Invoked by make lint. See ADR-019.
  • repo-scan.py — Phase-0 deterministic scan for /review-repo (markers, broken refs, unencrypted vaults, inventory).
  • capacity-scan.py — deterministic capacity facts for /capacity-review: parses the machine-readable tables in docs/hardware/reference.md, computes per-node allocated-vs-physical rollups, and cross-checks workload hostnames against Terraform output / Ansible inventory for drift. Emits JSON. See ADR-012.