feat(tags): add allowed-tag vocabulary (tests/tags.yml)
parent
04bfc26422
commit
24397fa280
1 changed files with 37 additions and 0 deletions
37
tests/tags.yml
Normal file
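--- a/tests/tags.yml
+++ b/tests/tags.yml
@@ -0,0 +1,37 @@
+---
+# Allowed Ansible tag vocabulary — single source of truth for scripts/check-tags.py.
+# Authoritative reference & rationale: docs/decisions/019-tagging.md.
+#
+# The full allowed set the linter enforces is:
+# {role directory names under roles/} ∪ everything listed below.
+#
+# To add a CONCERN tag: add it here AND add a row to the ADR-019 table with a
+# one-line justification (cross-cutting, used in 2+ roles, distinct).
+
+# Cross-cutting concern tags, applied per-task/block where a task belongs to the
+# concern. Targeted one at a time (tags are union/OR, never intersected).
+concerns:
+- packages # apt package install/management
+- users # accounts, groups, sudo
+- firewall # nftables rulesets & port definitions (ADR-002)
+- hardening # security baseline — sshd config, fail2ban, auditd, sysctl
+- logging # Alloy / log-shipping config (ADR-018)
+- monitoring # metric exporters / health checks
+- config # render templated config/compose files to disk — no restart
+- deploy # bring services up / restart (compose up -d)
+- proxy # reverse-proxy + TLS registration (Traefik routes, Authentik)
+
+# Ansible built-in special tags. Narrow use only:
+# always — cheap preflight assertions (run regardless of --tags)
+# never — destructive/expensive tasks, paired with an opt-in tag below
+special:
+- always
+- never
+
+# `never`-paired opt-in tags: destructive/expensive tasks that only run when
+# named explicitly (e.g. `tags: [never, force_pull]`). Empty until a role adds one.
+opt_ins: []
+
+# Playbook-level identity tags for role-less lifecycle plays (e.g. bootstrap.yml).
+playbooks:
+- bootstrap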
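Review bot: The `never` comment above `special:` treats pairing with an opt-in tag as the safeguard for destructive tasks, but tag selection is a union, so a `never` task runs whenever any of its other tags is selected. A destructive task that also carries (or inherits) a concern or role tag would therefore run under an ordinary `--tags deploy`. The comment should state the constraint, e.g. `# never — destructive/expensive tasks; carry ONLY never + one opt_ins tag, no concern tags`. scripts/check-tags.py is not visible here, but it presumably has to enforce this, because a vocabulary check alone cannot; whether role-level tags are inherited by such tasks in this repository also needs confirming. The `always` line could likewise note that these assertions are still skipped by `--skip-tags always`, so they are not an unconditional gate.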