From 0231144d87db6b140d9d4fb70734ed6100d55d49 Mon Sep 17 00:00:00 2001
From: ansible
Date: Tue, 11 Nov 2025 01:35:36 +0100
Subject: [PATCH] Add ansible-lint production profile configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add comprehensive ansible-lint configuration for code quality and security best practices enforcement. Features: - Production profile for strict checking - Proper exclusion of sensitive directories (secrets/, stats/) - Mock modules for community collections (nmcli, lvol, lvg, virt) - Comprehensive file type detection (playbooks, roles, tasks, etc.) - Warn-only rules for experimental and legacy patterns Configuration highlights: - Exclude paths: .cache, .git, molecule, secrets, stats, vaults - Allow package-latest for security updates (automatic patching) - Warn on: experimental, no-changed-when, command-instead-of-module - Support for custom playbooks/ and plays/ directories - Documented usage examples and rule configuration Benefits: - Consistent code quality across all roles and playbooks - Early detection of security issues and best practice violations - Automated checking in development workflow - Clear documentation for team members - Support for auto-fix capability (ansible-lint --fix) Usage: ansible-lint # Lint all files ansible-lint site.yml # Lint specific playbook ansible-lint roles/role_name/ # Lint specific role ansible-lint --fix # Auto-fix issues Integration: - Ready for CI/CD pipeline integration - Compatible with pre-commit hooks - Supports GitHub Actions workflows 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
.ansible-lint | 115 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 115 insertions(+)
create mode 100644 .ansible-lint

diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..0043958
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,115 @@
+---
+# =============================================================================
+# Ansible Lint Configuration
+# =============================================================================
+#
+# This file configures ansible-lint for code quality checks.
+#
+# Run with:
+# ansible-lint # Lint all files
+# ansible-lint site.yml # Lint specific playbook
+# ansible-lint roles/role_name/ # Lint specific role
+#
+# =============================================================================
+
+# Use production profile for strict checking
+profile: production
+
+# Exclude paths
+exclude_paths:
+ - .cache/
+ - .git/
+ - .github/
+ - molecule/
+ - secrets/
+ - stats/
+ - inventories/*/host_vars/
+ - inventories/*/group_vars/all/vault.yml
+ - '*.vault'
+ - '*.example'
+ - tests/
+
+# Skip specific rules
+skip_list:
+ # Allow latest for security packages (automatic updates)
+ - package-latest
+
+ # Allow risky-file-permissions for specific cases
+ # (we use explicit permissions in our roles)
+ # - risky-file-permissions
+
+# Warn on these rules instead of failing
+warn_list:
+ - experimental
+ - no-changed-when
+ - command-instead-of-module
+ - command-instead-of-shell
+
+# Enable offline mode (don't check for new rules)
+offline: false
+
+# Strict mode - treat warnings as errors
+# strict: true
+
+# Mock modules and roles for linting
+mock_modules:
+ - community.general.nmcli
+ - community.general.lvol
+ - community.general.lvg
+ - community.libvirt.virt
+
+mock_roles:
+ - common
+ - security_baseline
+
+# Enable progressive mode (incrementally adopt new rules)
+progressive: false
+
+# Configure specific rules
+kinds:
+ - yaml: "**/*.yaml"
+ - yaml: "**/*.yml"
+ - playbook: "**/playbooks/*.yml"
+ - playbook: "**/plays/*.yml"
+ - playbook: "site.yml"
+ - tasks: "**/tasks/*.yml"
+ - vars: "**/vars/*.yml"
+ - meta: "**/meta/*.yml"
+ - requirements: "**/requirements.yml"
+ - handlers: "**/handlers/*.yml"
+ - galaxy: "**/galaxy.yml"
+
+# =============================================================================
+# Rule Configuration
+# =============================================================================
+
+# Ignore line length for specific patterns
+# rules:
+# line-length:
+# max: 160
+# allow-filter: true
+
+# =============================================================================
+# Usage Examples
+# =============================================================================
+#
+# Lint entire project:
+# ansible-lint
+#
+# Lint specific playbook:
+# ansible-lint site.yml
+# ansible-lint playbooks/security_audit.yml
+#
+# Lint specific role:
+# ansible-lint roles/system_info/
+#
+# Auto-fix issues (where possible):
+# ansible-lint --fix
+#
+# List all rules:
+# ansible-lint -L
+#
+# Show rule documentation:
+# ansible-lint -T
+#
+# =============================================================================
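Review bot: The `kinds:` list places the two catch-all entries `- yaml: "**/*.yaml"` and `- yaml: "**/*.yml"` ahead of the `playbook:`/`tasks:`/`vars:` patterns, and ansible-lint's documentation describes `kinds` as patterns prepended to its default match list where the first match decides the file kind — if that holds for the version you pin, every playbook, tasks and vars file is classified as plain YAML and the playbook/task rules the production profile exists to enforce (including the `command-instead-of-shell` and `no-changed-when` rules this file references) never run. I would confirm with `ansible-lint --list-files` and, if so, delete both `yaml:` lines (the defaults already classify `.yml`/`.yaml`) or move them to the end of the list, and replace the misleading header with `# Extra file-kind patterns, prepended to the default match list (first match wins)` since `kinds` does not configure rules. The comment above `offline: false` reads `# Enable offline mode (don't check for new rules)` and contradicts the value; offline mode, as I understand it, controls whether ansible-lint installs missing collections/requirements from the network, so for hermetic CI either set `offline: true` once collections are vendored or pinned, or change the comment to `# Allow network access to install missing collections (set true for hermetic CI)`. Lastly, `skip_list: - package-latest` silences that rule repository-wide rather than for the "security packages" the comment names; a per-task `# noqa: package-latest` on those tasks keeps unpinned `state: latest` visible everywhere else, where it undermines reproducible builds.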