From 385a8f0378d33624b8d575a792f9f9349ec1c998 Mon Sep 17 00:00:00 2001 From: senke Date: Thu, 30 Apr 2026 16:01:44 +0200 Subject: [PATCH] fix(ansible): add staging/prod meta-groups so group_vars/.yml applies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit group_vars/staging.yml + group_vars/prod.yml were never loaded : Ansible matches `group_vars/.yml` against the inventory's group NAMED ``. Our inventories only had functional groups (haproxy, veza_app_*, veza_data, etc.) — no `staging` or `prod` parent group. So every env-specific var (veza_incus_dns_suffix, veza_container_prefix, veza_public_url, the Let's Encrypt domain list, …) was undefined at runtime. Symptom : haproxy.cfg.j2 render failed with AnsibleUndefinedVariable: 'veza_incus_dns_suffix' is undefined Fix : add an env-named meta-group as a CHILD of `all`, with the existing functional groups as ITS children. Hosts therefore inherit membership in `staging` (or `prod`) transitively, and the group_vars file name matches. staging: children: incus_hosts: forgejo_runner: haproxy: veza_app_backend: veza_app_stream: veza_app_web: veza_data: Verified with : ansible-inventory -i inventory/staging.yml --host veza-haproxy \ --vault-password-file .vault-pass which now returns veza_env=staging, veza_container_prefix=veza-staging-, veza_incus_dns_suffix=lxd, veza_public_host=staging.veza.fr — all the vars the playbook templates rely on. Same shape applied to prod.yml. inventory/local.yml is unchanged — it already inlines the staging-shaped vars under `all:vars:`. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 infra/ansible/inventory/prod.yml | 10 ++++++++++
 infra/ansible/inventory/staging.yml | 12 ++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/infra/ansible/inventory/prod.yml b/infra/ansible/inventory/prod.yml
index 3dbe6755d..8611a110d 100644
--- a/infra/ansible/inventory/prod.yml
+++ b/infra/ansible/inventory/prod.yml
@@ -20,6 +20,16 @@ all:
 ansible_user: senke
 ansible_python_interpreter: /usr/bin/python3
 children:
+ # Env-named meta-group — see inventory/staging.yml for rationale.
+ prod:
+ children:
+ incus_hosts:
+ forgejo_runner:
+ haproxy:
+ veza_app_backend:
+ veza_app_stream:
+ veza_app_web:
+ veza_data:
 incus_hosts:
 hosts:
 veza-prod:
diff --git a/infra/ansible/inventory/staging.yml b/infra/ansible/inventory/staging.yml
index 88f5581ad..78325b368 100644
--- a/infra/ansible/inventory/staging.yml
+++ b/infra/ansible/inventory/staging.yml
@@ -36,6 +36,18 @@ all:
 ansible_user: senke
 ansible_python_interpreter: /usr/bin/python3
 children:
+ # Env-named meta-group : every host below is also in `staging`,
+ # which makes group_vars/staging.yml apply (Ansible matches
+ # group_vars file names against group names).
+ staging:
+ children:
+ incus_hosts:
+ forgejo_runner:
+ haproxy:
+ veza_app_backend:
+ veza_app_stream:
+ veza_app_web:
+ veza_data:
 incus_hosts:
 hosts:
 veza-staging:
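Review bot: In inventory/prod.yml the new `prod` group is the parent of `haproxy`, `veza_data` and the other functional groups, and Ansible gives a child group's variables precedence over its parent's, so any key defined both in group_vars/prod.yml and in a functional group's vars file resolves to the functional-group value rather than the environment one. The group_vars files are not part of this patch, so whether such an overlap exists cannot be checked from here; the `staging` hunk in inventory/staging.yml has the same shape. The comment above `prod:` could record it, e.g. `# prod is the PARENT group: group_vars/<functional group>.yml wins over group_vars/prod.yml on any shared key.`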
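Review bot: The child names under `staging.children` in inventory/staging.yml are the same ones inventory/prod.yml now lists under `prod.children`, so if both files are ever loaded in one run (for instance `-i inventory/` on the directory) the groups merge and every host becomes a member of both `staging` and `prod`, picking up both group_vars files. The commit message only shows single-file use (`-i inventory/staging.yml`), so this is a guard rather than a live fault. I would add to the comment `# Load exactly one environment inventory per run; never pass the inventory/ directory.` and, in the playbook, an early assert such as `"'prod' not in group_names or 'staging' not in group_names"` so a mixed load stops before anything is templated.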