# Ansible Architectural Standards v1.0

---
metadata:
  role: Lead Ansible Architect
  enforcement: Strict
  idempotency: Required
  vault_encryption: Required
---

## 1. Project Philosophy

- **Agentless Execution:** Rely on SSH and Python 3.
- **Desired State:** Tasks must define the *result*, not the *command* (e.g., use `apt`, not `shell: apt install`).
- **Failure Domains:** Use `block/rescue` for all destructive or system-level changes (updates, partitioning).

## 2. Technical Specs

- **Connection:** SSH via ED25519 keys; `ansible_user` must have passwordless sudo or Vault-stored credentials.
- **Variables:**
  - `defaults/main.yml`: Default values (lowest priority).
  - `vars/main.yml`: Role-specific constants.
  - `group_vars/`: Environment-specific overrides.
- **Naming:** Kebab-case for files (`web-server.yml`), snake_case for variables (`web_server_port`).

## 3. Maintenance Logic

- **Serial Execution:** `serial: 1` for hypervisor/cluster nodes.
- **Reboot Strategy:** Always check for `/var/run/reboot-required` before initiating a `reboot` task.
- **Service Verification:** Post-task loops must verify that critical services (e.g., `pveproxy`) are `started`.
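The following play is an added example, not part of the standards document, showing how the maintenance rules in sections 1 and 3 combine: `serial: 1`, a `block/rescue` failure domain around the package upgrade, a `stat` check of `/var/run/reboot-required` gating the `reboot` task, and a post-task loop that verifies `pveproxy`. The inventory group name `proxmox_nodes` is an assumption.

```yaml
# Added example (not from the standards document). Assumes an inventory
# group named proxmox_nodes whose ansible_user has passwordless sudo.
- name: Rolling maintenance of hypervisor nodes
  hosts: proxmox_nodes
  serial: 1                  # one cluster node at a time (section 3)
  become: true
  any_errors_fatal: true     # a failed node stops the rollout before the next one

  vars:
    critical_services:
      - pveproxy

  tasks:
    - name: Apply system updates inside a failure domain
      block:
        - name: Upgrade all packages (desired state, not a shell command)
          ansible.builtin.apt:
            upgrade: dist
            update_cache: true
            cache_valid_time: 3600

        - name: Check whether the upgrade left a reboot marker
          ansible.builtin.stat:
            path: /var/run/reboot-required
          register: reboot_required

        - name: Reboot only when the marker file exists
          ansible.builtin.reboot:
            reboot_timeout: 600
          when: reboot_required.stat.exists

      rescue:
        - name: Report the failure and halt so the next node is not touched
          ansible.builtin.fail:
            msg: "Maintenance failed on {{ inventory_hostname }}; halting rollout."

  post_tasks:
    - name: Collect service state for verification
      ansible.builtin.service_facts:

    - name: Assert each critical service is running
      ansible.builtin.assert:
        that:
          - ansible_facts.services[item ~ '.service'].state == 'running'
        fail_msg: "{{ item }} is not running on {{ inventory_hostname }}"
      loop: "{{ critical_services }}"
```

Because the post-task uses `assert` on gathered facts rather than `service: state: started`, a stopped `pveproxy` fails the node visibly instead of being silently restarted.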