feat(tags): add allowed-tag vocabulary (tests/tags.yml)

sjat 2026-06-06 09:26:20 +02:00
parent 04bfc26422
commit 24397fa280

37
tests/tags.yml Normal file

@ -0,0 +1,37 @@
---
# Allowed Ansible tag vocabulary — single source of truth for scripts/check-tags.py.
# Authoritative reference & rationale: docs/decisions/019-tagging.md.
#
# The full allowed set the linter enforces is:
# {role directory names under roles/} everything listed below.
#
# To add a CONCERN tag: add it here AND add a row to the ADR-019 table with a
# one-line justification (cross-cutting, used in 2+ roles, distinct).
# Cross-cutting concern tags, applied per-task/block where a task belongs to the
# concern. Targeted one at a time (tags are union/OR, never intersected).
concerns:
- packages # apt package install/management
- users # accounts, groups, sudo
- firewall # nftables rulesets & port definitions (ADR-002)
- hardening # security baseline — sshd config, fail2ban, auditd, sysctl
- logging # Alloy / log-shipping config (ADR-018)
- monitoring # metric exporters / health checks
- config # render templated config/compose files to disk — no restart
- deploy # bring services up / restart (compose up -d)
- proxy # reverse-proxy + TLS registration (Traefik routes, Authentik)
# Ansible built-in special tags. Narrow use only:
# always — cheap preflight assertions (run regardless of --tags)
# never — destructive/expensive tasks, paired with an opt-in tag below
special:
- always
- never
# `never`-paired opt-in tags: destructive/expensive tasks that only run when
# named explicitly (e.g. `tags: [never, force_pull]`). Empty until a role adds one.
opt_ins: []
# Playbook-level identity tags for role-less lifecycle plays (e.g. bootstrap.yml).
playbooks:
- bootstrap
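Review bot: The header comment defines the allowed set as role directory names plus the tags listed in this file, but nothing states what happens when a role directory shares a name with a `concerns`, `special` or `opt_ins` entry; a role called e.g. `hardening` or `never` would make one `--tags` selector silently target both meanings, so unless check-tags.py already rejects this, add `# Role directory names MUST NOT collide with any tag listed below; the linter should fail on overlap.` under the "full allowed set" paragraph. Ansible also treats `all`, `tagged` and `untagged` as reserved `--tags` selectors, and since only `always` and `never` appear under `special`, the vocabulary does not say they are off-limits as task tags; a line such as `# all / tagged / untagged are reserved --tags selectors — never use them as tag names.` would close that gap. Finally, the sentence `# {role directory names under roles/} everything listed below.` reads as if a union symbol was dropped; if that is the file and not just this rendering, spell it out as `# {role directory names under roles/} plus everything listed below.`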