From 24397fa2803ea4befc3ddf04c7af5e07aa085004 Mon Sep 17 00:00:00 2001
From: sjat
Date: Sat, 6 Jun 2026 09:26:20 +0200
Subject: [PATCH] feat(tags): add allowed-tag vocabulary (tests/tags.yml)

---
tests/tags.yml | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 tests/tags.yml

diff --git a/tests/tags.yml b/tests/tags.yml
new file mode 100644
index 0000000..987b114
--- /dev/null
+++ b/tests/tags.yml
@@ -0,0 +1,37 @@
+---
+# Allowed Ansible tag vocabulary — single source of truth for scripts/check-tags.py.
+# Authoritative reference & rationale: docs/decisions/019-tagging.md.
+#
+# The full allowed set the linter enforces is:
+# {role directory names under roles/} ∪ everything listed below.
+#
+# To add a CONCERN tag: add it here AND add a row to the ADR-019 table with a
+# one-line justification (cross-cutting, used in 2+ roles, distinct).
+
+# Cross-cutting concern tags, applied per-task/block where a task belongs to the
+# concern. Targeted one at a time (tags are union/OR, never intersected).
+concerns:
+ - packages # apt package install/management
+ - users # accounts, groups, sudo
+ - firewall # nftables rulesets & port definitions (ADR-002)
+ - hardening # security baseline — sshd config, fail2ban, auditd, sysctl
+ - logging # Alloy / log-shipping config (ADR-018)
+ - monitoring # metric exporters / health checks
+ - config # render templated config/compose files to disk — no restart
+ - deploy # bring services up / restart (compose up -d)
+ - proxy # reverse-proxy + TLS registration (Traefik routes, Authentik)
+
+# Ansible built-in special tags. Narrow use only:
+# always — cheap preflight assertions (run regardless of --tags)
+# never — destructive/expensive tasks, paired with an opt-in tag below
+special:
+ - always
+ - never
+
+# `never`-paired opt-in tags: destructive/expensive tasks that only run when
+# named explicitly (e.g. `tags: [never, force_pull]`). Empty until a role adds one.
+opt_ins: []
+
+# Playbook-level identity tags for role-less lifecycle plays (e.g. bootstrap.yml).
+playbooks:
+ - bootstrap
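Review bot: The `never`-pairing rule for `opt_ins` (the comment above `opt_ins: []`) exists only in prose, so a membership check against this vocabulary cannot catch an opt-in tag applied without `never`, which would turn a task this file describes as destructive/expensive into one that runs on every untagged play; if scripts/check-tags.py only validates membership, say so next to the list, e.g. `# NOTE: membership here does not enforce the pairing — the never+opt_in check must live in check-tags.py or be covered by ADR-019.` The `always` description is also a little too strong, since such tasks run regardless of `--tags` but are still dropped by `--skip-tags always`, so `# always — cheap preflight assertions (run regardless of --tags; still skippable via --skip-tags always)` is more accurate. Separately, if the single space before the inline `#` on the `concerns` entries is real rather than a paste artifact, yamllint's `comments` rule expects at least two spaces before an inline comment.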