--- # `apply: tags:` propagates the concern tag to the INCLUDED tasks — without it a tag on # a dynamic include_tasks only selects the include itself, not its contents, so # `--tags ` would run nothing (Ansible gotcha). - name: Configure host firewall (nftables) ansible.builtin.include_tasks: file: firewall.yml apply: tags: [firewall] tags: [firewall] - name: SSH hardening ansible.builtin.include_tasks: file: ssh.yml apply: tags: [hardening] tags: [hardening] - name: Fail2ban intrusion deterrence ansible.builtin.include_tasks: file: fail2ban.yml apply: tags: [hardening] tags: [hardening]