chore(roles): role/test hygiene from review (O16,O17,O25,O26)

- dev_env .zshrc: drop the rclone alias (not installed) and guard the direnv hook with `command -v direnv` so a missing direnv doesn't error every shell (O16) - dev_env oh-my-posh: tag the zen.toml theme deploy `config` (it renders config to disk like the per_user dotfiles); the include now carries packages+config so a `--tags config` run re-renders the theme while the binary install stays packages only (O17). Verified via `molecule converge -- --tags config`. - drop the non-vocabulary `tags: [verify]` from molecule verify playbooks across base/docker_host/public_dns/reverse_proxy (check-tags exempts molecule anyway) (O25) - reverse_proxy templates: add the `{{ ansible_managed }}` header (ADR-024 §1.2) (O26) make lint green; dev_env + reverse_proxy molecule green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 19:31:23 +02:00 · 2026-06-14 19:31:23 +02:00 · 9b5851ba4b
commit 9b5851ba4b
parent 175777e36a
9 changed files with 11 additions and 17 deletions
--- a/roles/base/molecule/default/verify.yml
+++ b/roles/base/molecule/default/verify.yml
@ -51,14 +51,9 @@
    - name: Sshd drop-in present and config valid
      ansible.builtin.command: sshd -t
      changed_when: false
-      tags: [verify]
-
    - name: PasswordAuthentication is disabled
      ansible.builtin.command: grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config.d/10-boma.conf
      changed_when: false
-      tags: [verify]
-
    - name: Fail2ban sshd jail configured
      ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
      changed_when: false
-      tags: [verify]
--- a/roles/dev_env/files/dotfiles/zsh/.zshrc
+++ b/roles/dev_env/files/dotfiles/zsh/.zshrc
@ -25,7 +25,6 @@ alias ll="ls -lh"
 alias la="ls -lha"
 alias ..="cd .."
 alias update="sudo apt update && sudo apt upgrade -y"
-alias rclone="/usr/bin/rclone"

 # Use neovim for vim/vi commands
 alias vim='nvim'
@ -50,6 +49,5 @@ export PATH="$HOME/.local/bin:$HOME/bin:$PATH"
 # Ensure USER is set (edge cases)
 export USER=$(whoami)

-# Extras from inventory
-# Enable direnv for automatic virtualenv activation
-eval "$(direnv hook zsh)"
+# Enable direnv for automatic virtualenv activation (guarded — direnv may not be installed)
+command -v direnv >/dev/null 2>&1 && eval "$(direnv hook zsh)"
--- a/roles/dev_env/tasks/main.yml
+++ b/roles/dev_env/tasks/main.yml
@ -17,12 +17,16 @@
      tags: [packages]
  tags: [packages]

+# Also reachable under `config`: oh_my_posh.yml renders /etc/oh-my-posh/zen.toml (a config
+# task, tagged `config` within the file) alongside the binary install (`packages`). apply
+# keeps `packages` on the untagged binary tasks; the include carries both so `--tags config`
+# enters it and re-renders just the theme.
 - name: Install oh-my-posh prompt (pinned release)
  ansible.builtin.include_tasks:
    file: oh_my_posh.yml
    apply:
      tags: [packages]
-  tags: [packages]
+  tags: [packages, config]

 - name: Install Node.js (pinned release)
  ansible.builtin.include_tasks:
--- a/roles/dev_env/tasks/oh_my_posh.yml
+++ b/roles/dev_env/tasks/oh_my_posh.yml
@ -17,9 +17,11 @@
    path: /etc/oh-my-posh
    state: directory
    mode: "0755"
+  tags: [config]

 - name: Oh-my-posh | Deploy zen.toml theme (system-wide)
  ansible.builtin.copy:
    src: oh-my-posh/zen.toml
    dest: /etc/oh-my-posh/zen.toml
    mode: "0644"
+  tags: [config]
--- a/roles/docker_host/molecule/default/verify.yml
+++ b/roles/docker_host/molecule/default/verify.yml
@ -8,10 +8,7 @@
      ansible.builtin.command: docker --version
      register: docker_version_output
      changed_when: false
-      tags: [verify]
-
    - name: Assert docker --version succeeded
      ansible.builtin.assert:
        that: docker_version_output.rc == 0
        msg: "docker --version failed — Docker was not installed correctly"
-      tags: [verify]
--- a/roles/public_dns/molecule/default/verify.yml
+++ b/roles/public_dns/molecule/default/verify.yml
@ -9,4 +9,3 @@
          - public_dns__domain == "example.test"
          - public_dns__apply | bool == false
        msg: "public_dns defaults/vars did not resolve as expected"
-      tags: [verify]
--- a/roles/reverse_proxy/molecule/default/verify.yml
+++ b/roles/reverse_proxy/molecule/default/verify.yml
@ -8,8 +8,6 @@
      ansible.builtin.slurp:
        src: /opt/services/reverse_proxy/Caddyfile
      register: _caddyfile
-      tags: [verify]
-
    - name: Assert Caddyfile exists and contains expected content
      ansible.builtin.assert:
        that:
@ -19,4 +17,3 @@
          - "'respond \"ok\" 200' in (_caddyfile.content | b64decode)"
        fail_msg: "Caddyfile is missing expected content"
        success_msg: "Caddyfile rendered correctly"
-      tags: [verify]
--- a/roles/reverse_proxy/templates/Caddyfile.j2
+++ b/roles/reverse_proxy/templates/Caddyfile.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 {
  email {{ reverse_proxy__acme_email }}
 }
--- a/roles/reverse_proxy/templates/docker-compose.yml.j2
+++ b/roles/reverse_proxy/templates/docker-compose.yml.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 services:
  caddy:
    image: caddy:2