codex-bootstrap/.codex/profiles/ansible.md
2026-04-28 10:14:33 +02:00

Ansible profile

Enable this profile for repositories containing Ansible playbooks, roles, inventories, or automation scripts.

Rules

Codex MUST:

  • prefer idempotent tasks;
  • use Ansible builtin modules instead of shell or command when possible;
  • use service_facts when checking service availability or service state;
  • use become explicitly when privilege escalation is needed;
  • avoid ignore_errors unless explicitly justified;
  • avoid changed_when: false unless semantically correct;
  • avoid storing secrets in plain YAML;
  • keep roles and tasks modular;
  • write comments in English;
  • preserve compatibility requirements stated in the repository.

Validation examples

Use Docker-based validation commands configured for the project, for example:

docker compose run --rm ansible ansible-playbook --syntax-check playbook.yml
docker compose run --rm ansible ansible-lint

Shell and command usage

shell and command are allowed only when there is no suitable module or when interacting with legacy tools.

When using shell or command, Codex SHOULD:

  • make the task idempotent;
  • define changed_when and failed_when where needed;
  • explain why a module is not used.
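
A playbook fragment that follows the rules above, added here as an illustration and not part of the original profile. The host group `app_servers`, the `chronyd` service, and the vendor CLI `/opt/legacy/bin/legacyctl` with its subcommands are hypothetical.

```yaml
---
# Added example: host group, service name and legacyctl tool are hypothetical.
- name: Configure time sync and legacy agent mode
  hosts: app_servers
  become: false   # escalate per task, only where it is needed
  tasks:
    - name: Gather service facts
      ansible.builtin.service_facts:

    - name: Ensure chronyd is running when it is installed
      ansible.builtin.service:
        name: chronyd
        state: started
        enabled: true
      become: true
      when: "'chronyd.service' in ansible_facts.services"

    # No Ansible module exists for the vendor CLI legacyctl (hypothetical),
    # so command is used. argv avoids shell parsing of the arguments.
    - name: Read current legacyctl mode
      ansible.builtin.command:
        argv:
          - /opt/legacy/bin/legacyctl
          - get-mode
      register: legacy_mode
      changed_when: false   # semantically correct: read-only query
      failed_when: legacy_mode.rc != 0
      check_mode: false     # safe to run in check mode, nothing is modified

    - name: Set legacyctl mode to strict
      ansible.builtin.command:
        argv:
          - /opt/legacy/bin/legacyctl
          - set-mode
          - strict
      become: true
      register: legacy_set
      # Idempotence: only run when the current mode differs from the target.
      when: (legacy_mode.stdout | trim) != 'strict'
      changed_when: legacy_set.rc == 0
      failed_when: legacy_set.rc != 0
```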