refactor

.ansible-lint

@@ -1,3 +1,6 @@
 ---
+profile: production
 skip_list:
   - fqcn
+exclude_paths:
+  - config.sops.yml

.github/workflows/ci.yml_

@@ -0,0 +1,87 @@
+---
+name: CI
+on: # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: "0 0 * * 0"
+
+jobs:
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          activate-environment: "true"
+
+      - name: Install dependencies
+        run: uv sync --dev
+
+      - name: Lint YAML
+        run: yamllint .
+
+      - name: Lint Ansible
+        run: ansible-lint
+
+      - name: Check playbook syntax
+        run: ansible-playbook main.yml --syntax-check
+
+  integration-tests:
+    name: Integration Tests
+    runs-on: ${{ matrix.os }}
+    needs: lint
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-26]
+    env:
+      ANSIBLE_FORCE_COLOR: "1"
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          activate-environment: "true"
+
+      - name: Install dependencies
+        run: uv sync --dev
+
+      - name: Playbook dry-run
+        run: ansible-playbook main.yml --check
+
+      - name: Execute playbook
+        run: ansible-playbook main.yml
+
+      - name: Check idempotence
+        run: |
+          ansible-playbook main.yml --skip-tags dock | tee /tmp/idempotence.log
+          grep -q 'changed=0.*failed=0' /tmp/idempotence.log \
+            && echo "✓ Playbook is idempotent" \
+            || (echo "✗ Playbook is not idempotent" && exit 1)
+
+      - name: Upload test logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ansible-logs-${{ matrix.os }}
+          path: /tmp/idempotence.log
+          retention-days: 7

.github/workflows/lint.yml

@@ -0,0 +1,41 @@
+name: Lint
+
+on: # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  pull_request:
+    types: [ready_for_review, reopened] # synchronize makes CI too chatt
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  lint:
+    name: Lint & Syntax Checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Python # Leverage caching
+        uses: actions/setup-python@v6
+        with:
+          python-version-file: .python-version
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          activate-environment: true
+
+      - name: Sync dependencies
+        run: uv sync --dev
+
+      - name: Install Ansible Galaxy collections
+        run: ansible-galaxy install -r requirements.yml
+
+      - name: YAML lint
+        run: yamllint .
+
+      - name: Ansible lint
+        run: ansible-lint
+
+      - name: Check playbook syntax
+        run: ansible-playbook main.yml --syntax-check

.gitignore

@@ -1,3 +1,6 @@
 .DS_Store
 ._*
-venv
+.venv/
+.ansible/
+.vscode/
+.decrypted~*

.pre-commit-config.yaml

@@ -0,0 +1,26 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-merge-conflict
+      - id: check-yaml
+      - id: detect-private-key
+      - id: debug-statements
+      - id: double-quote-string-fixer
+      - id: name-tests-test
+      - id: requirements-txt-fixer
+  - repo: local
+    hooks:
+      - id: yamllint
+        name: yamllint
+        entry: .venv/bin/yamllint
+        language: python
+        types: [yaml]
+      - id: ansible-lint
+        name: ansible-lint
+        entry: .venv/bin/ansible-lint
+        language: python
+        types: [yaml]

.python-version

@@ -0,0 +1 @@
+3.14

.sops.yaml

@@ -0,0 +1,10 @@
+---
+creation_rules:
+  - path_regex: "config.sops.yml"
+    encrypted_regex: ^(dotfiles_auth_home|dotfiles_repo|dotfiles_secrets_src|dotfiles_secrets)$
+    key_groups:
+      - age: [age1n2g0g2z9jdgnqx826e8d0d78y8z0lc7ngdadm3jw9gzpxj2nf5rs0hm6p6]
+  - path_regex: "config.work.sops.yml"
+    key_groups:
+      - age: [age1n2g0g2z9jdgnqx826e8d0d78y8z0lc7ngdadm3jw9gzpxj2nf5rs0hm6p6]
+  - age: age1n2g0g2z9jdgnqx826e8d0d78y8z0lc7ngdadm3jw9gzpxj2nf5rs0hm6p6

.yamllint

@@ -1,10 +1,20 @@
 ---
 extends: default
 
+ignore:
+  - .venv/
+  - .ansible/
+  - "*.sops.y*ml"
+
 rules:
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
+  document-start: disable
   line-length:
-    max: 180
-
-ignore:
-  - '*.enc.yml'
-  - venv/
+    max: 160
+  braces:
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true