chore(ansible): establish development standards and tooling

- ansible/.ansible-lint: Configure safety profile with strict enforcement
- ansible/.ansible-standards.md: Define architectural standards (idempotency, SSH, naming)
- ansible/DEVELOPMENT-SETUP.md: Document required CLI tools and VSCode extensions

Sets foundation for future infrastructure-as-code automation. Enforces Ansible best practices (FQCN, idempotency, block/rescue) and establishes development environment requirements (ansible-lint, proxmoxer, molecule).

Prepares for automated node provisioning and configuration management workflows.

ansible/.ansible-lint

@@ -0,0 +1,34 @@
+---
+# .ansible-lint - Architecture Enforcement Configuration
+# This ensures idempotency, security, and best practices.
+
+# Use the 'safety' profile to enforce strict security and reliability rules
+profile: safety
+
+# Stop the build if these rules are violated
+strict: true
+
+# Rules to explicitly enforce or ignore
+warn_list:
+  - experimental           # Notify me of experimental features but don't fail
+  - name[casing]           # Warning only for task name capitalization
+
+skip_list:
+  - yaml[line-length]      # Homelab scripts often have long strings/URLs
+
+# Exclude these paths from linting
+exclude_paths:
+  - .cache/
+  - .git/
+  - roles/external/        # Don't lint roles downloaded from Galaxy
+
+# Enforce specific tagging for organization
+require_status:
+  - shared
+  - production
+
+# Custom configurations for specific rules
+# Ensures we always use Fully Qualified Collection Names (FQCN)
+# e.g., ansible.builtin.copy instead of just 'copy'
+fqcn:
+  - ansible.builtin

ansible/.ansible-standards.md

@@ -0,0 +1,25 @@
+# Ansible Architectural Standards v1.0
+---
+metadata:
+  role: Lead Ansible Architect
+  enforcement: Strict
+  idempotency: Required
+  vault_encryption: Required
+---
+
+## 1. Project Philosophy
+- **Agentless Execution:** Rely on SSH and Python 3.
+- **Desired State:** Tasks must define the *result*, not the *command* (e.g., use `apt`, not `shell: apt install`).
+- **Failure Domains:** Use `block/rescue` for all destructive or system-level changes (updates, partitioning).
+
+## 2. Technical Specs
+- **Connection:** SSH via ED25519 keys; `ansible_user` must have passwordless sudo or Vault-stored credentials.
+- **Variables:** - `defaults/main.yml`: Default values (lowest priority).
+  - `vars/main.yml`: Role-specific constants.
+  - `group_vars/`: Environment-specific overrides.
+- **Naming:** Kebab-case for files (`web-server.yml`), snake_case for variables (`web_server_port`).
+
+## 3. Maintenance Logic
+- **Serial Execution:** `serial: 1` for hypervisor/cluster nodes.
+- **Reboot Strategy:** Always check for `/var/run/reboot-required` before initiating a `reboot` task.
+- **Service Verification:** Post-task loops must verify that critical services (e.g., `pveproxy`) are `started`.

ansible/DEVELOPMENT-SETUP.md

@@ -0,0 +1,69 @@
+# Development Setup Manifest
+**Version:** 1.0  
+**Target Environment:** Ansible Control Node & Local Workstation
+
+This document outlines the software and configurations required to develop, lint, and execute Ansible playbooks within this ecosystem.
+
+---
+
+## 1. CLI Tools (The Engine Room)
+
+These tools must be installed on your **Control Node**. If you are developing locally, they should also be installed on your workstation.
+
+| Tool | Function | Purpose | Cost |
+| :--- | :--- | :--- | :--- |
+| **Ansible-Core** | Execution Engine | Processes YAML playbooks and manages SSH connections. | Free |
+| **Ansible-Lint** | Static Analysis | Validates code against best practices and idempotency rules. | Free |
+| **Molecule** | Testing Framework | Runs playbooks against temporary containers to verify roles. | Free |
+| **Ansible-Vault** | Secret Management | Encrypts sensitive data (passwords/API keys) at rest. | Free |
+| **Proxmoxer** | Python API Library | Allows Ansible to communicate with the Proxmox VE API. | Free |
+| **ssh-pass** | Auth Utility | Enables password-based login during the initial key-copy phase. | Free |
+
+### Installation Command (Debian/Ubuntu)
+```bash
+sudo apt update && sudo apt install -y ansible ansible-lint sshpass python3-pip
+pip3 install proxmoxer --break-system-packages
+```
+
+---
+
+## 2. VSCode Extensions (The Cockpit)
+
+For the best development experience, install these extensions in Visual Studio Code.
+
+### **Ansible (by Red Hat)**
+* **What it does:** Provides syntax highlighting, jinja2 auto-completion, and direct linting integration.
+* **Why you want it:** It catches "broken" YAML and missing parameters while you type.
+* **Cost:** Free
+
+### **YAML (by Red Hat)**
+* **What it does:** Validates the structure of `.yml` and `.yaml` files.
+* **Why you want it:** Ansible is hypersensitive to indentation; this extension prevents 90% of syntax errors.
+* **Cost:** Free
+
+### **GitLens (by GitKraken)**
+* **What it does:** Provides "blame" annotations and repository heatmaps.
+* **Why you want it:** Crucial for tracking *why* a system configuration was changed three months ago.
+* **Cost:** Free Core (Pro features available via sub)
+
+### **Remote - SSH (by Microsoft)**
+* **What it does:** Connects VSCode directly to your Control Node over SSH.
+* **Why you want it:** Allows you to code on your main PC but use the environment/tools installed on the Control Node.
+* **Cost:** Free
+
+---
+
+## 3. Configuration Files
+
+To ensure the tools above work correctly, the following files should exist in your project root:
+
+1.  **`.ansible-lint`**: Defines the "Safety" profile to enforce architecture standards.
+2.  **`ansible.cfg`**: Configures default inventory paths and SSH behavior.
+3.  **`.ssh/id_ed25519`**: The private key used for node authentication.
+
+---
+
+## 4. LLM Context Hook
+When using an LLM to generate code for this project, provide the following context to ensure compatibility:
+
+> "My environment uses **Ansible-Core** with the **Proxmoxer** API library. I enforce standards via **Ansible-Lint** using the **safety** profile. All playbooks must pass these checks and use **ED25519** keys for authentication."