ilia/ansible
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
ansible/project-docs/standards.md
ilia 3415340e26
All checks were successful
CI / skip-ci-check (pull_request) Successful in 1m18s
Details
CI / lint-and-test (pull_request) Successful in 1m21s
Details
CI / ansible-validation (pull_request) Successful in 2m43s
Details
CI / secret-scanning (pull_request) Successful in 1m19s
Details
CI / dependency-scan (pull_request) Successful in 1m23s
Details
CI / sast-scan (pull_request) Successful in 2m28s
Details
CI / license-check (pull_request) Successful in 1m20s
Details
CI / vault-check (pull_request) Successful in 2m21s
Details
CI / playbook-test (pull_request) Successful in 2m19s
Details
CI / container-scan (pull_request) Successful in 1m48s
Details
CI / sonar-analysis (pull_request) Successful in 1m26s
Details
CI / workflow-summary (pull_request) Successful in 1m17s
Details
Refactor playbooks: servers/workstations, split monitoring, improve shell
2025-12-31 23:13:03 -05:00

50 lines
1.4 KiB
Markdown
Raw Blame History

## Standards
### Ansible + YAML conventions
- **Indentation**: 2 spaces (no tabs)
- **Task naming**: every task should include a clear `name:`
- **Play-level privilege**: prefer `become: true` at play level when most tasks need sudo
- **Modules**:
- Prefer native modules over `shell`/`command`
- Use **fully qualified collection names** (FQCN), e.g. `ansible.builtin.apt`, `community.general.ufw`
- **Handlers**: use handlers for restarts/reloads
- **Idempotency**:
- If `shell`/`command` is unavoidable, set `changed_when:` / `creates:` / `removes:` appropriately
### Role structure
Roles should follow:
```
roles/<role_name>/
├── defaults/main.yml
├── handlers/main.yml
├── tasks/main.yml
├── templates/
├── files/
└── README.md
```
### Variable naming
- **snake_case** everywhere
- Vault-backed variables are prefixed with **`vault_`**
### Secrets / Vault
- Never commit plaintext secrets.
- Use Ansible Vault for credentials:
- `inventories/production/group_vars/all/vault.yml` (encrypted)
- Local vault password file is expected at `~/.ansible-vault-pass`.
### Makefile-first workflow
- Prefer `make ...` targets over direct `ansible-playbook` commands for consistency.
### Linting
- `ansible-lint` is the primary linter.
- `.ansible-lint` excludes vault-containing inventory paths to keep linting deterministic without vault secrets.
Reference in New Issue View Git Blame Copy Permalink