## Project rules (Ansible infrastructure repo)

### Canonical documentation

- Start here: `project-docs/index.md`
- Architecture: `project-docs/architecture.md`
- Standards: `project-docs/standards.md`
- Workflow: `project-docs/workflow.md`
- Decisions: `project-docs/decisions.md`

### Repo structure (high level)

- **Inventory**: `inventories/production/`
- **Playbooks**: `playbooks/`
  - `playbooks/servers.yml`: server baseline
  - `playbooks/workstations.yml`: workstation baseline + desktop apps on `desktop` group only
  - `playbooks/app/*`: Proxmox app-project suite
- **Roles**: `roles/*` (standard Ansible role layout)

### Key standards to follow

- **YAML**: 2-space indentation; tasks must have `name:`
- **Modules**: prefer native modules; use FQCN (e.g., `ansible.builtin.*`, `community.general.*`)
- **Idempotency**: no “always-changed” shell tasks; use `changed_when:` / `creates:` / `removes:`
- **Secrets**: never commit plaintext; use Ansible Vault with `vault_`-prefixed vars
- **Makefile-first**: prefer `make ...` targets over raw `ansible-playbook`

### Architectural decisions (must not regress)

- Editor/IDE installation is **out of scope** for Ansible roles/playbooks.
- Monitoring is split: `monitoring_server` vs `monitoring_desktop`.
- Desktop applications run only for `desktop` group (via workstations playbook).
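
The rules under "Key standards to follow", applied to one task file, as an added example that is not taken from this repository. The `exampleapp` package, its paths, commands and variable names are hypothetical, and `init-db` is assumed to write the marker file named in `creates:`.

```yaml
# Constructed example; every exampleapp name and path is hypothetical.
#
# Non-compliant form (no name:, short module name, reported as changed on
# every run, plaintext secret committed to the repo):
#
#   - shell: /opt/exampleapp/bin/init-db --password hunter2
#
# Compliant form. The secret lives in a vault-encrypted vars file under a
# vault_-prefixed name and is referenced through a plain variable:
#
#   group_vars/all/vault.yml  (encrypted with ansible-vault)
#     vault_exampleapp_db_password: "<value stored only in the vault>"
#   group_vars/all/main.yml
#     exampleapp_db_password: "{{ vault_exampleapp_db_password }}"

- name: Install exampleapp package
  ansible.builtin.package:
    name: exampleapp
    state: present

- name: Initialise exampleapp database once
  ansible.builtin.command:
    cmd: /opt/exampleapp/bin/init-db
    # Skipped on later runs because the marker file already exists
    creates: /var/lib/exampleapp/.initialised
  environment:
    # Passed via the environment so the secret is not on the command line
    EXAMPLEAPP_DB_PASSWORD: "{{ exampleapp_db_password }}"
  # Keeps the secret out of task output and logs
  no_log: true

- name: Read exampleapp schema version
  ansible.builtin.command:
    cmd: /opt/exampleapp/bin/schema-version
  register: exampleapp_schema_version
  # Read-only command: never report a change
  changed_when: false
```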