diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index d723e44..fe65518 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -107,6 +107,10 @@ jobs: - name: Install Ansible and linting tools run: pip3 install --no-cache-dir ansible ansible-lint yamllint + - name: Install Ansible collections + run: | + ansible-galaxy collection install -r collections/requirements.yml + - name: Validate YAML syntax run: | echo "Checking YAML syntax..." @@ -115,10 +119,7 @@ jobs: done - name: Run ansible-lint - run: | - # Skip vault-encrypted files and playbooks that require vault passwords - ansible-lint --skip-list vault,internal-error || true - continue-on-error: true + run: ansible-lint secret-scanning: needs: skip-ci-check @@ -230,6 +231,7 @@ jobs: - name: Validate vault files are encrypted run: | echo "Checking for Ansible Vault files..." + # Intentionally skip *.example files: they are plaintext templates. vault_files=$(find . -name "*vault*.yml" -o -name "*vault*.yaml" | grep -v ".git" | grep -v ".example" || true) if [ -z "$vault_files" ]; then echo "No vault files found" 
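Review bot: The new `ansible-galaxy collection install -r collections/requirements.yml` step pulls code from Galaxy at CI time with whatever version constraints that file carries, and nothing in this hunk verifies what was fetched; if requirements.yml is not pinned, each run can resolve to a different (and newer, possibly compromised) collection. Pin exact versions there (`version: "==x.y.z"` per collection) and, if the Galaxy source you use publishes signatures, add verification on this line, e.g. `ansible-galaxy collection install -r collections/requirements.yml --keyring /path/to/keyring.gpg --required-valid-signature-count 1`. Whether requirements.yml is already pinned is not visible from this diff, so treat this as a check rather than a confirmed defect. A short comment above the step, `# Collections are resolved from Galaxy; keep requirements.yml pinned to exact versions`, would make the expectation explicit.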
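Review bot: Replacing the old command with a bare `run: ansible-lint` drops the `vault` skip and the `|| true`, so the job now has to pass against any vault-encrypted files without a vault password, which the deleted comment says was the reason for the skip; confirm the lint run is actually green on this repository before relying on it as a gate. Making the step fail-closed is the right direction, so if some exclusion is still needed, put it in a checked-in `.ansible-lint` config (`skip_list:` or `exclude_paths:`) rather than reintroducing `|| true` or `continue-on-error: true`, which silently turned the step into a no-op. The surrounding job definition starts before this hunk.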
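Review bot: The new comment says `*.example` files are deliberately skipped, but the filter it documents is `grep -v ".example"`, an unanchored substring match with an unescaped dot, and the neighbouring `grep -v ".git"` likewise drops any path containing `.git` (for example anything under `.gitea/` or `.github/`), so a plaintext vault file in such a directory would not be checked. Tighten the selection in find itself so the comment matches the behaviour: `vault_files=$(find . -path ./.git -prune -o \( -name "*vault*.yml" -o -name "*vault*.yaml" \) ! -name "*.example*" -print)`. The check is name-based only, so a secret in a file not named `*vault*` is still outside its scope; worth stating in the comment, e.g. `# Only files whose name contains "vault" are checked; *.example templates are skipped on purpose.` The rest of this step continues outside the hunk.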
@@ -275,29 +277,56 @@ jobs: - name: Install Ansible run: pip3 install --no-cache-dir ansible - - name: Dry-run playbooks + - name: Install Ansible collections run: | - echo "Running dry-run tests on playbooks..." + ansible-galaxy collection install -r collections/requirements.yml + + - name: Validate playbooks (CI inventory, no vault) + run: | + set -e + echo "Validating playbooks against a CI-only localhost inventory (no vault required)..." + cat > /tmp/ci-inventory.ini <<'EOF' + [dev] + localhost ansible_connection=local + + [desktop] + localhost ansible_connection=local + + [services] + localhost ansible_connection=local + + [qa] + localhost ansible_connection=local + + [ansible] + localhost ansible_connection=local + + [tailscale] + localhost ansible_connection=local + + [local] + localhost ansible_connection=local + EOF + failed=0 - for playbook in playbooks/*.yml; do - if [ -f "$playbook" ]; then - echo "Testing $playbook..." - if ansible-playbook "$playbook" --syntax-check --list-tasks > /dev/null 2>&1; then - echo "✓ $playbook syntax is valid" - else - echo "✗ $playbook has syntax errors" - failed=1 - fi + for playbook in playbooks/*.yml site.yml configure_app.yml provision_vms.yml; do + [ -f "$playbook" ] || continue + echo "Testing $playbook..." + if ansible-playbook -i /tmp/ci-inventory.ini "$playbook" --syntax-check --list-tasks; then + echo "✓ $playbook validated (syntax-check + list-tasks)" + else + echo "✗ $playbook failed validation (syntax-check/list-tasks)" + failed=1 fi done + if [ $failed -eq 1 ]; then - echo "❌ Some playbooks have syntax errors!" - echo "Note: This may be expected if playbooks require inventory/vault, but syntax errors should still be fixed." + echo "❌ Some playbooks failed CI validation." + echo "This should not require production inventory or vault secrets." exit 1 else - echo "✅ All playbooks passed syntax check" + echo "✅ All playbooks passed CI validation" fi - continue-on-error: true container-scan: needs: skip-ci-check
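Review bot: The CI inventory is written to the fixed path `/tmp/ci-inventory.ini` and then passed to `ansible-playbook`; on a shared or persistent runner a pre-existing file or symlink at that path would be followed by the `cat >` redirect, so the inventory should come from `mktemp` instead: `inventory=$(mktemp)`, `cat > "$inventory" <<'EOF'`, and `if ansible-playbook -i "$inventory" "$playbook" --syntax-check --list-tasks; then`. Every group resolves to `localhost ansible_connection=local`, which is harmless only because `--syntax-check` is present; a comment such as `# ansible_connection=local is safe here only because nothing executes under --syntax-check` would keep a later edit from turning this into a run on the CI host. The step's "no vault required" claim also depends on no play loading vault-encrypted `vars_files` while tasks are listed, which cannot be confirmed from this diff, so the first run of this job should be watched for decrypt errors rather than assumed clean. The enclosing job starts before this hunk.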