sjat
64f1e821d8
11 safe auto-fixes (docs/comments only): reverse_proxy meta stale DNS-01 description, base/playbooks/scripts/terraform/public_dns README build-state, CAPABILITIES reverse-proxy Traefik→Caddy, README ADR list → 024, TF cax11→cx23 stamps, public_dns wildcard DNS-01→HTTP-01 comment. 29 open findings reported. make lint green. No stale-deferred (ADR-011 open questions still open). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1.5 KiB
1.5 KiB
scripts/
Small helper scripts. Python standard library only — no third-party
dependencies (keeps them runnable anywhere without a venv). One deliberate
exception: check-vault.py is a vault tool that needs the ansible venv (PyYAML +
ansible-vault) and rbw, so it is not run-anywhere by design.
tf_to_inventory.py— readsterraform output -jsonon stdin and writes an Ansiblehosts.yml. Invoked bymake tf-inventory. Data contract: ADR-009.check-vault.py— validates a vault file's structure (decrypts in-memory; valid YAML; secrets under the nestedvault:map; no empty leaves) and prints a values-masked view. Invoked bymake check-vaultand aftermake edit-vault.vault-pass-client.sh— fetches the master vault password from Vaultwarden viarbw. Wired asvault_password_file(ADR-002).check-vault-encrypted.sh— pre-commit guard: fails if avault.ymlholds plaintext secrets.check-tags.py— enforces the closed tag vocabulary (tests/tags.yml) and that each role import in a play carries its role-name tag. Invoked bymake lint. See ADR-019.repo-scan.py— Phase-0 deterministic scan for/review-repo(markers, broken refs, unencrypted vaults, inventory).capacity-scan.py— deterministic capacity facts for/capacity-review: parses the machine-readable tables indocs/hardware/reference.md, computes per-node allocated-vs-physical rollups, and cross-checks workload hostnames against Terraform output / Ansible inventory for drift. Emits JSON. See ADR-012.