feat(tags): add allowed-tag vocabulary (tests/tags.yml)

tests/tags.yml

@@ -0,0 +1,37 @@
+---
+# Allowed Ansible tag vocabulary — single source of truth for scripts/check-tags.py.
+# Authoritative reference & rationale: docs/decisions/019-tagging.md.
+#
+# The full allowed set the linter enforces is:
+#   {role directory names under roles/} ∪ everything listed below.
+#
+# To add a CONCERN tag: add it here AND add a row to the ADR-019 table with a
+# one-line justification (cross-cutting, used in 2+ roles, distinct).
+
+# Cross-cutting concern tags, applied per-task/block where a task belongs to the
+# concern. Targeted one at a time (tags are union/OR, never intersected).
+concerns:
+  - packages     # apt package install/management
+  - users        # accounts, groups, sudo
+  - firewall     # nftables rulesets & port definitions (ADR-002)
+  - hardening    # security baseline — sshd config, fail2ban, auditd, sysctl
+  - logging      # Alloy / log-shipping config (ADR-018)
+  - monitoring   # metric exporters / health checks
+  - config       # render templated config/compose files to disk — no restart
+  - deploy       # bring services up / restart (compose up -d)
+  - proxy        # reverse-proxy + TLS registration (Traefik routes, Authentik)
+
+# Ansible built-in special tags. Narrow use only:
+#   always — cheap preflight assertions (run regardless of --tags)
+#   never  — destructive/expensive tasks, paired with an opt-in tag below
+special:
+  - always
+  - never
+
+# `never`-paired opt-in tags: destructive/expensive tasks that only run when
+# named explicitly (e.g. `tags: [never, force_pull]`). Empty until a role adds one.
+opt_ins: []
+
+# Playbook-level identity tags for role-less lifecycle plays (e.g. bootstrap.yml).
+playbooks:
+  - bootstrap