ilia
3415340e26
All checks were successful
CI / skip-ci-check (pull_request) Successful in 1m18s
CI / lint-and-test (pull_request) Successful in 1m21s
CI / ansible-validation (pull_request) Successful in 2m43s
CI / secret-scanning (pull_request) Successful in 1m19s
CI / dependency-scan (pull_request) Successful in 1m23s
CI / sast-scan (pull_request) Successful in 2m28s
CI / license-check (pull_request) Successful in 1m20s
CI / vault-check (pull_request) Successful in 2m21s
CI / playbook-test (pull_request) Successful in 2m19s
CI / container-scan (pull_request) Successful in 1m48s
CI / sonar-analysis (pull_request) Successful in 1m26s
CI / workflow-summary (pull_request) Successful in 1m17s
1.4 KiB
1.4 KiB
Standards
Ansible + YAML conventions
- Indentation: 2 spaces (no tabs)
- Task naming: every task should include a clear
name: - Play-level privilege: prefer
become: trueat play level when most tasks need sudo - Modules:
- Prefer native modules over
shell/command - Use fully qualified collection names (FQCN), e.g.
ansible.builtin.apt,community.general.ufw
- Prefer native modules over
- Handlers: use handlers for restarts/reloads
- Idempotency:
- If
shell/commandis unavoidable, setchanged_when:/creates:/removes:appropriately
- If
Role structure
Roles should follow:
roles/<role_name>/
├── defaults/main.yml
├── handlers/main.yml
├── tasks/main.yml
├── templates/
├── files/
└── README.md
Variable naming
- snake_case everywhere
- Vault-backed variables are prefixed with
vault_
Secrets / Vault
- Never commit plaintext secrets.
- Use Ansible Vault for credentials:
inventories/production/group_vars/all/vault.yml(encrypted)
- Local vault password file is expected at
~/.ansible-vault-pass.
Makefile-first workflow
- Prefer
make ...targets over directansible-playbookcommands for consistency.
Linting
ansible-lintis the primary linter..ansible-lintexcludes vault-containing inventory paths to keep linting deterministic without vault secrets.