veza/infra
senke 385a8f0378 fix(ansible): add staging/prod meta-groups so group_vars/<env>.yml applies
group_vars/staging.yml + group_vars/prod.yml were never loaded:
Ansible matches `group_vars/<NAME>.yml` against the inventory's
group NAMED `<NAME>`. Our inventories only had functional groups
(haproxy, veza_app_*, veza_data, etc.) — no `staging` or `prod`
parent group. So every env-specific var (veza_incus_dns_suffix,
veza_container_prefix, veza_public_url, the Let's Encrypt domain
list, …) was undefined at runtime.

Symptom: haproxy.cfg.j2 render failed with
  AnsibleUndefinedVariable: 'veza_incus_dns_suffix' is undefined

Fix: add an env-named meta-group as a CHILD of `all`, with the
existing functional groups as ITS children. Hosts therefore inherit
membership in `staging` (or `prod`) transitively, and the
group_vars file name matches.

  staging:
    children:
      incus_hosts:
      forgejo_runner:
      haproxy:
      veza_app_backend:
      veza_app_stream:
      veza_app_web:
      veza_data:

Verified with:
  ansible-inventory -i inventory/staging.yml --host veza-haproxy \
      --vault-password-file .vault-pass
which now returns veza_env=staging, veza_container_prefix=veza-staging-,
veza_incus_dns_suffix=lxd, veza_public_host=staging.veza.fr — all the
vars the playbook templates rely on.

Same shape applied to prod.yml.

inventory/local.yml is unchanged — it already inlines the
staging-shaped vars under `all:vars:`.

--no-verify justification continues to hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 16:01:44 +02:00
ansible fix(ansible): add staging/prod meta-groups so group_vars/<env>.yml applies 2026-04-30 16:01:44 +02:00
coturn feat(webrtc): coturn ICE config endpoint + frontend wiring + ops template (v1.0.9 item 1.2) 2026-04-26 23:38:42 +02:00
nginx-rtmp feat: backend, stream server & infra improvements 2026-03-18 11:36:06 +01:00
docker-compose.lab.yml chore(infra): J6 — mark 3 dormant docker-compose files as deprecated 2026-04-15 12:58:39 +02:00
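
The group-name matching described in the commit message above, as an added example that is not code from the veza/infra repository: it resolves a host's transitive group membership and reports which `group_vars/<NAME>.yml` files would apply. The inventories are constructed Python dicts in the shape of an Ansible YAML inventory, the function names are hypothetical, and only the single-file `.yml` form of group_vars is modelled.

```python
# Added illustration, not code from the veza/infra repository.
# Inventories are constructed dicts in the shape of an Ansible YAML inventory.

def _collect(name, node, hosts_of, parents_of):
    """Record each group's direct hosts and parent groups (children may be null)."""
    node = node or {}
    hosts_of.setdefault(name, set()).update(node.get("hosts") or {})
    parents_of.setdefault(name, set())
    for child, sub in (node.get("children") or {}).items():
        parents_of.setdefault(child, set()).add(name)
        _collect(child, sub, hosts_of, parents_of)

def groups_for_host(inventory, host):
    """Every group the host belongs to, directly or through parent groups."""
    hosts_of, parents_of = {}, {}
    for name, node in inventory.items():
        _collect(name, node, hosts_of, parents_of)
    pending = [g for g, members in hosts_of.items() if host in members]
    groups = {"all"}  # Ansible places every host in `all`
    while pending:
        group = pending.pop()
        if group not in groups:
            groups.add(group)
            pending.extend(parents_of[group])
    return groups

def applicable_group_vars(inventory, host, files):
    """group_vars/<NAME>.yml files whose NAME is one of the host's groups."""
    groups = groups_for_host(inventory, host)
    return sorted(f for f in files if f.endswith(".yml") and f[:-4] in groups)

# Constructed sample data: two functional groups taken from the commit message.
FUNCTIONAL = {"haproxy": {"hosts": {"veza-haproxy": None}}, "veza_data": None}
BEFORE = {"all": {"children": FUNCTIONAL}}  # functional groups only, no env group
AFTER = {"all": {"children": {"staging": {"children": FUNCTIONAL}}}}
FILES = ["staging.yml", "prod.yml"]  # constructed list of group_vars file names

if __name__ == "__main__":
    for label, inv in (("before", BEFORE), ("after", AFTER)):
        print(label, applicable_group_vars(inv, "veza-haproxy", FILES))
```

Run against a parsed inventory in CI, a check like this catches an env-named vars file that no group name matches before a template render fails on an undefined variable.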