From 9b5851ba4b676c5d10c3619a70977a367f3af59e Mon Sep 17 00:00:00 2001
From: sjat
Date: Sun, 14 Jun 2026 19:31:23 +0200
Subject: [PATCH] chore(roles): role/test hygiene from review (O16,O17,O25,O26)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- dev_env .zshrc: drop the rclone alias (not installed) and guard the direnv hook with `command -v direnv` so a missing direnv doesn't error every shell (O16)
- dev_env oh-my-posh: tag the zen.toml theme deploy `config` (it renders config to disk like the per_user dotfiles); the include now carries packages+config so a `--tags config` run re-renders the theme while the binary install stays packages only (O17). Verified via `molecule converge -- --tags config`.
- drop the non-vocabulary `tags: [verify]` from molecule verify playbooks across base/docker_host/public_dns/reverse_proxy (check-tags exempts molecule anyway) (O25)
- reverse_proxy templates: add the `{{ ansible_managed }}` header (ADR-024 §1.2) (O26)
make lint green; dev_env + reverse_proxy molecule green.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 roles/base/molecule/default/verify.yml | 5 -----
 roles/dev_env/files/dotfiles/zsh/.zshrc | 6 ++----
 roles/dev_env/tasks/main.yml | 6 +++++-
 roles/dev_env/tasks/oh_my_posh.yml | 2 ++
 roles/docker_host/molecule/default/verify.yml | 3 ---
 roles/public_dns/molecule/default/verify.yml | 1 -
 roles/reverse_proxy/molecule/default/verify.yml | 3 ---
 roles/reverse_proxy/templates/Caddyfile.j2 | 1 +
 roles/reverse_proxy/templates/docker-compose.yml.j2 | 1 +
 9 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/roles/base/molecule/default/verify.yml b/roles/base/molecule/default/verify.yml
index 25056d0..1b1fa30 100644
--- a/roles/base/molecule/default/verify.yml
+++ b/roles/base/molecule/default/verify.yml
@@ -51,14 +51,9 @@
 - name: Sshd drop-in present and config valid
 ansible.builtin.command: sshd -t
 changed_when: false
- tags: [verify]
-
 - name: PasswordAuthentication is disabled
 ansible.builtin.command: grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config.d/10-boma.conf
 changed_when: false
- tags: [verify]
-
 - name: Fail2ban sshd jail configured
 ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
 changed_when: false
- tags: [verify]
diff --git a/roles/dev_env/files/dotfiles/zsh/.zshrc b/roles/dev_env/files/dotfiles/zsh/.zshrc
index 51566ff..6da928f 100644
--- a/roles/dev_env/files/dotfiles/zsh/.zshrc
+++ b/roles/dev_env/files/dotfiles/zsh/.zshrc
@@ -25,7 +25,6 @@ alias ll="ls -lh"
 alias la="ls -lha"
 alias ..="cd .."
 alias update="sudo apt update && sudo apt upgrade -y"
-alias rclone="/usr/bin/rclone"
 # Use neovim for vim/vi commands
 alias vim='nvim'
@@ -50,6 +49,5 @@ export PATH="$HOME/.local/bin:$HOME/bin:$PATH"
 # Ensure USER is set (edge cases)
 export USER=$(whoami)
-# Extras from inventory
-# Enable direnv for automatic virtualenv activation
-eval "$(direnv hook zsh)"
+# Enable direnv for automatic virtualenv activation (guarded — direnv may not be installed)
+command -v direnv >/dev/null 2>&1 && eval "$(direnv hook zsh)"
diff --git a/roles/dev_env/tasks/main.yml b/roles/dev_env/tasks/main.yml
index ce9b6eb..61f7892 100644
--- a/roles/dev_env/tasks/main.yml
+++ b/roles/dev_env/tasks/main.yml
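Review bot: In the second `.zshrc` hunk (`@@ -50,6 +49,5 @@`), the new guard `command -v direnv >/dev/null 2>&1 && eval "$(direnv hook zsh)"` returns a non-zero status when direnv is absent, and the hunk shows no lines after it, so it appears to be the last command in the file. A startup file that ends on a failing command can leave `$?` non-zero for the first prompt, which a status-aware prompt theme may render as an error. An `if` form returns 0 when the branch is skipped: `if command -v direnv >/dev/null 2>&1; then eval "$(direnv hook zsh)"; fi`.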
@@ -17,12 +17,16 @@
 tags: [packages]
 tags: [packages]
+# Also reachable under `config`: oh_my_posh.yml renders /etc/oh-my-posh/zen.toml (a config
+# task, tagged `config` within the file) alongside the binary install (`packages`). apply
+# keeps `packages` on the untagged binary tasks; the include carries both so `--tags config`
+# enters it and re-renders just the theme.
 - name: Install oh-my-posh prompt (pinned release)
 ansible.builtin.include_tasks:
 file: oh_my_posh.yml
 apply:
 tags: [packages]
- tags: [packages]
+ tags: [packages, config]
 - name: Install Node.js (pinned release)
 ansible.builtin.include_tasks:
diff --git a/roles/dev_env/tasks/oh_my_posh.yml b/roles/dev_env/tasks/oh_my_posh.yml
index 99b3f13..53bae5f 100644
--- a/roles/dev_env/tasks/oh_my_posh.yml
+++ b/roles/dev_env/tasks/oh_my_posh.yml
@@ -17,9 +17,11 @@
 path: /etc/oh-my-posh
 state: directory
 mode: "0755"
+ tags: [config]
 - name: Oh-my-posh | Deploy zen.toml theme (system-wide)
 ansible.builtin.copy:
 src: oh-my-posh/zen.toml
 dest: /etc/oh-my-posh/zen.toml
 mode: "0644"
+ tags: [config]
diff --git a/roles/docker_host/molecule/default/verify.yml b/roles/docker_host/molecule/default/verify.yml
index dd30601..a50b95d 100644
--- a/roles/docker_host/molecule/default/verify.yml
+++ b/roles/docker_host/molecule/default/verify.yml
@@ -8,10 +8,7 @@
 ansible.builtin.command: docker --version
 register: docker_version_output
 changed_when: false
- tags: [verify]
-
 - name: Assert docker --version succeeded
 ansible.builtin.assert:
 that: docker_version_output.rc == 0
 msg: "docker --version failed — Docker was not installed correctly"
- tags: [verify]
diff --git a/roles/public_dns/molecule/default/verify.yml b/roles/public_dns/molecule/default/verify.yml
index 5bbc05a..4816653 100644
--- a/roles/public_dns/molecule/default/verify.yml
+++ b/roles/public_dns/molecule/default/verify.yml
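Review bot: The new comment above `Install oh-my-posh prompt` in `roles/dev_env/tasks/main.yml` does not say that `apply: tags: [packages]` is added to every task in `oh_my_posh.yml`, including the two now tagged `config`. Those theme tasks therefore still run under `--tags packages` and are skipped by `--skip-tags packages`, which the phrase "keeps `packages` on the untagged binary tasks" does not convey. I would add one comment line such as `# apply also adds packages to the config-tagged theme tasks, so --skip-tags packages skips them too.` The task list continues past the end of the hunk.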
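Review bot: The two tasks now tagged `config` in `roles/dev_env/tasks/oh_my_posh.yml` set `mode` but no `owner` or `group`, so `/etc/oh-my-posh` and `zen.toml` take their ownership from whichever user the play runs as. The theme is deployed system-wide and is presumably loaded by every user's prompt, so adding `owner: root` and `group: root` to both tasks would keep it writable by root only, however `become` is configured. Since `--tags config` now re-renders this file on its own, such a run would also correct ownership drift. The first task starts above the hunk, so its module and any `become` setting are not visible here.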
@@ -9,4 +9,3 @@
 - public_dns__domain == "example.test"
 - public_dns__apply | bool == false
 msg: "public_dns defaults/vars did not resolve as expected"
- tags: [verify]
diff --git a/roles/reverse_proxy/molecule/default/verify.yml b/roles/reverse_proxy/molecule/default/verify.yml
index b239c56..6fbb7d0 100644
--- a/roles/reverse_proxy/molecule/default/verify.yml
+++ b/roles/reverse_proxy/molecule/default/verify.yml
@@ -8,8 +8,6 @@
 ansible.builtin.slurp:
 src: /opt/services/reverse_proxy/Caddyfile
 register: _caddyfile
- tags: [verify]
-
 - name: Assert Caddyfile exists and contains expected content
 ansible.builtin.assert:
 that:
@@ -19,4 +17,3 @@
 - "'respond \"ok\" 200' in (_caddyfile.content | b64decode)"
 fail_msg: "Caddyfile is missing expected content"
 success_msg: "Caddyfile rendered correctly"
- tags: [verify]
diff --git a/roles/reverse_proxy/templates/Caddyfile.j2 b/roles/reverse_proxy/templates/Caddyfile.j2
index 3981065..ac68d6d 100644
--- a/roles/reverse_proxy/templates/Caddyfile.j2
+++ b/roles/reverse_proxy/templates/Caddyfile.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 {
 email {{ reverse_proxy__acme_email }}
 }
diff --git a/roles/reverse_proxy/templates/docker-compose.yml.j2 b/roles/reverse_proxy/templates/docker-compose.yml.j2
index ae8f676..0310f23 100644
--- a/roles/reverse_proxy/templates/docker-compose.yml.j2
+++ b/roles/reverse_proxy/templates/docker-compose.yml.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 services:
 caddy:
 image: caddy:2
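Review bot: The header added to `roles/reverse_proxy/templates/Caddyfile.j2` is written as `# {{ ansible_managed }}`, which comments out only the first line if `ansible_managed` is configured as a multi-line string; the same line is added to `docker-compose.yml.j2`. Ansible's `comment` filter prefixes every line, so `{{ ansible_managed | comment }}` is the safer form in both templates, assuming ADR-024 §1.2 does not mandate the literal `#` prefix. If the project's `ansible_managed` value includes the controller user, host or a timestamp, that detail would also be written to the proxy host and could make the templates report a change on every run. That setting is not visible in this patch.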