# Ansible profile

Enable this profile for repositories containing Ansible playbooks, roles, inventories, or automation scripts.

## Rules

Codex MUST:

- prefer idempotent tasks;
- use Ansible builtin modules instead of `shell` or `command` when possible;
- use `service_facts` when checking service availability or service state;
- use `become` explicitly when privilege escalation is needed;
- avoid `ignore_errors` unless explicitly justified;
- avoid `changed_when: false` unless semantically correct;
- avoid storing secrets in plain YAML;
- keep roles and tasks modular;
- write comments in English;
- preserve compatibility requirements stated in the repository.

## Validation examples

Use Docker-based validation commands configured for the project, for example:

```bash
docker compose run --rm ansible ansible-playbook --syntax-check playbook.yml
```

```bash
docker compose run --rm ansible ansible-lint
```

## Shell and command usage

`shell` and `command` are allowed only when there is no suitable module or when interacting with legacy tools.

When using `shell` or `command`, Codex SHOULD:

- make the task idempotent;
- define `changed_when` and `failed_when` where needed;
- explain why a module is not used.
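
A task file that applies the `command` guidance above together with the `service_facts` and explicit `become` rules. This is an added example, not part of the original profile; `legacyctl`, its arguments and output, and `legacy-agent.service` are hypothetical names standing in for a legacy tool with no Ansible module.

```yaml
# Added example: all tool and service names below are hypothetical.
- name: Gather service state
  ansible.builtin.service_facts:

- name: Read the current legacy-agent mode
  # command is used because legacyctl has no Ansible module.
  # argv passes arguments without shell parsing, so no quoting or
  # injection issues arise from variable content.
  ansible.builtin.command:
    argv:
      - /usr/local/bin/legacyctl
      - get-mode
  register: legacy_mode
  # Semantically correct here: the command only reads state.
  changed_when: false
  failed_when: legacy_mode.rc != 0
  when: "'legacy-agent.service' in ansible_facts.services"

- name: Set the legacy-agent mode to strict
  # command is used because legacyctl has no Ansible module.
  ansible.builtin.command:
    argv:
      - /usr/local/bin/legacyctl
      - set-mode
      - strict
  # Explicit privilege escalation: only the write needs root.
  become: true
  register: legacy_set
  # The task runs only when the mode differs, so a clean exit is a change.
  changed_when: legacy_set.rc == 0
  failed_when: legacy_set.rc != 0
  # Conditions are evaluated in order; the second is skipped when the
  # service is absent, so legacy_mode.stdout is never read undefined.
  when:
    - "'legacy-agent.service' in ansible_facts.services"
    - legacy_mode.stdout | trim != 'strict'
```

A second run reports no change because the read task gates the write task, which is what makes the `command` pair idempotent.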