feat: add ansible task testing infrastructure based on Docker and pytest

[jfroche]

This complements the existing AMI tests in testinfra by providing a faster feedback loops for Ansible development without requiring a full VM.

We are also using testinfra to validate that the Ansible tasks have the desired effect.

It is based on Docker, it can be run locally (e.g. macOS) or in CI.

Note that this approach is not intended to replace the AMI tests, but rather to provide a more efficient way to test Ansible tasks during development.

You can run the tests using nix run -L .\#ansible-test

Summary by CodeRabbit

• New Features

  • CI workflow to build/publish multi-architecture test images and run the Ansible test suite.

• Tests

  • Added Ansible Nginx playbook and pytest tests to validate nginx automatically.
  • Added a local/CI test runner to execute the test suite.

• Quality / Tooling

  • Added Ansible lint configuration and integrated an ansible-lint pre-commit hook.
  • Added packaged test images and Nix helpers for building/testing.

• Bug Fixes / Chores

  • Fixed a YAML comment parse issue and normalized task titles/modes for consistency.

[hunleyd]

mostly ansible-lint fixups

[samrose]

@hunleyd I realize it may not yet be documented very well, but in order for you to get 1:1 parity with the linter in this PR, you would want to:

1. check out the branch test/ansible-tasks
2. run nix develop -c ansible-lint <the rest of your command here>

By doing it this way, you'll then use the same ansible lint version in this PR, and the same configuration.

This helps avoid the "works on my machine" problem that may come up if we install ansible lint and tools from brew install etc. We can get 1:1 with what other developers are doing with nix develop -c ansible-lint <the rest of your command here> plus what the CI job is doing which will also use the exactly same version and setup. I hope that helps, and thanks as ever for reviewing these PR.

[jfroche]

Also we have pre-commit hook in the dev shell. So if you start the dev shell using nix develop, pre-commit hook will be register and triggered when you commit/push but you can also run it manually inside the devshell (just like the CI will do): pre-commit run --all..

The pre-commit hook configuration is defined in nix/hooks.nix and as you will see we only validates github action, ansible-lint and formatting (defined in nix/fmt.nix) for the moment.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds Ansible testing infrastructure and CI: a new .ansible-lint.yml; a GitHub Actions workflow .github/workflows/ansible-tests.yml to build/push multi-arch Docker images and run tests; Ansible test playbook and supporting tasks/files (ansible/tests/nginx.yaml, ansible/tasks/setup-nginx.yml, ansible/tasks/files); pytest test support and fixtures (ansible/tests/conftest.py, ansible/tests/test_nginx.py); Nix packages and Docker image expressions for the test runner and Ubuntu base (nix/packages/*, nix/hooks.nix); actionlint/runner label updates and small .envrc.recommended edits; and a minor YAML comment fix in ansible/vars.yml.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

ci, docker, nix, tests, infrastructure

Suggested reviewers

• samrose
• hunleyd

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The PR description adequately explains the purpose and approach, but does not follow the repository's template structure which requires selecting from predefined sub-templates (Default or Extension Upgrade).	Select and use the appropriate PR template (Default or Extension Upgrade) to ensure consistency with repository standards and provide structured documentation.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding Ansible task testing infrastructure using Docker and pytest, which is clearly the primary focus of the changeset across all modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch test/ansible-tasks

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Fix all issues with AI agents

In @.github/workflows/ansible-tests.yml:
- Around line 96-98: The docker pull is backgrounded ("docker pull
supabase/ansible-test:latest &") so "nix run .#ansible-test" may start before
the image is ready; make the pull synchronous so the image is guaranteed before
running tests by removing the ampersand or chaining the commands (e.g., run the
pull and then run nix only after success), or if you must background for
parallelism ensure you wait for its PID to finish before invoking "nix run
.#ansible-test".
- Around line 70-73: The run-ansible-tests job is gated by needs:
create-manifest which is skipped on PRs because create-manifest only runs on
push; remove or conditionally apply the dependency so PRs run. Edit the job
named run-ansible-tests to either remove the needs: create-manifest entry
entirely (so it runs on PRs per its if), or wrap the dependency in a conditional
using github.event_name (e.g., set needs: create-manifest only when
github.event_name == 'push'), or split into two jobs (run-ansible-tests-pr
without needs and run-ansible-tests-postpush that needs create-manifest)
ensuring the job names run-ansible-tests and create-manifest are the referenced
symbols.

In `@ansible/tests/conftest.py`:
- Around line 23-29: The host fixture in conftest.py retrieves --docker-image
into docker_image but doesn't validate it; add a check after fetching
docker_image that fails fast with pytest.fail (or pytest.exit) and a clear
message when docker_image is missing or empty, so the host fixture returns
immediately with an explicit error instead of producing a downstream Docker
error.

In `@ansible/tests/nginx.yaml`:
- Around line 2-16: The play "Setup Nginx Server" needs privilege escalation;
add become: true at the play level (alongside hosts and name) so tasks like
"Install dependencies", "Setup Nginx using existing task file", and "Start Nginx
service" run with root privileges; update the play definition containing the
name "Setup Nginx Server" to include become: true (do not change task-level
logic).

In `@nix/packages/ansible-test.nix`:
- Around line 15-19: The pytest invocation in the text heredoc duplicates the
positional-args expansion "$@" (once before the path and once at the end),
causing arguments to be passed twice; update the command inside the text block
so "$@" appears only once (typically at the end) and remove the earlier
duplicate near $FLAKE_DIR/ansible/tests so pytest receives each user argument
exactly once (look for the pytest line using the FLAKE_DIR variable and adjust
it).

🧹 Nitpick comments (4)

.ansible-lint.yml (1)

36-38: Consider extending the kinds mapping for broader coverage.

The current kinds configuration only maps ansible/tasks/*.yml and ansible/vars.yml. If you plan to lint playbooks (like those in ansible/tests/), you may want to add a playbooks pattern:

kinds:
  - tasks: "ansible/tasks/*.yml"
  - vars: "ansible/vars.yml"
  - playbook: "ansible/tests/*.yaml"

This is optional since the subdir setting in nix/hooks.nix already scopes linting to ansible/tests, and ansible-lint can auto-detect file types.

ansible/tests/test_nginx.py (1)

9-11: Consider simplifying service name.

Testinfra's service() method typically accepts just the service name without the .service suffix. Both forms work, but the shorter form is more idiomatic:

 def test_nginx_service(host):
-    assert host.service("nginx.service").is_valid
-    assert host.service("nginx.service").is_running
+    assert host.service("nginx").is_valid
+    assert host.service("nginx").is_running

nix/packages/docker-ubuntu.nix (1)

41-44: Consider reproducibility implications of created = "now".

Using created = "now" produces a different image hash on each build, which may affect Nix caching. For test images this is typically acceptable, but if reproducible builds become important, consider using a fixed timestamp like created = "2025-01-01T00:00:00Z".

ansible/tests/conftest.py (1)

29-52: Ensure container cleanup if setup fails.
If an exception occurs after docker run but before the fixture yields, the container won’t be removed. Wrapping the yield in try/finally ensures cleanup in all paths.

♻️ Proposed refactor

-    yield testinfra.get_host("docker://" + docker_id)
-    subprocess.check_call(["docker", "rm", "-f", docker_id], stdout=subprocess.DEVNULL)
+    try:
+        yield testinfra.get_host("docker://" + docker_id)
+    finally:
+        subprocess.check_call(["docker", "rm", "-f", docker_id], stdout=subprocess.DEVNULL)

[coderabbitai]

Actionable comments posted: 4

🤖 Fix all issues with AI agents

In @.ansible-lint.yml:
- Around line 7-15: Remove the "ansible/tasks/" entry from the exclude_paths
list so task files are not skipped by ansible-lint, and update the kinds pattern
from "ansible/tasks/*.yml" to "ansible/tasks/**/*.yml" to include nested task
files (e.g., ansible/tasks/internal/*.yml); ensure you modify the exclude_paths
block and the kinds pattern reference in the config accordingly.

In `@ansible/tests/conftest.py`:
- Around line 9-20: The host fixture currently mounts the directory provided via
the --flake-dir CLI option without validating it; update the host fixture to
check the path returned by parser.addoption("--flake-dir") (i.e., the flake_dir
variable) using pathlib.Path.is_dir(), and call pytest.fail with a clear message
like "--flake-dir '<path>' does not exist or is not a directory" if the check
fails so invalid paths are caught early; keep references to pytest_addoption and
the --flake-dir option when locating the code to modify.
- Around line 23-54: The host fixture currently reads --flake-dir into flake_dir
but doesn't verify it exists, causing docker to silently mount an empty dir;
update the host fixture to validate that flake_dir is an existing directory (use
os.path.exists and os.path.isdir on flake_dir) and call pytest.fail with a clear
message if it is missing or not a directory; keep the same behavior for
docker_image validation and use the existing flake_dir variable when
constructing the docker run volume argument.

In `@nix/packages/docker-ubuntu.nix`:
- Around line 12-22: The platform check using stdenv.hostPlatform.system in
cloudImg is wrong for non-Linux hosts; update cloudImg to use Nixpkgs platform
predicates (e.g., isx86_64 and isAarch64) instead of comparing system strings,
returning the amd64 URL when isx86_64 is true, the arm64 URL when isAarch64 is
true, and throw a clear error for other platforms; reference the cloudImg
binding and replace the existing stdenv.hostPlatform.system equality checks with
these predicates so Intel macOS (x86_64-darwin) picks the amd64 image.

🧹 Nitpick comments (2)

.ansible-lint.yml (1)

42-44: Tasks glob only matches top-level files.

If there are nested task files under ansible/tasks/**, they won’t be classified (or linted). Consider widening the glob if nested tasks exist.

Suggested adjustment (if nested tasks exist)

-kinds:
-  - tasks: "ansible/tasks/*.yml"
+kinds:
+  - tasks: "ansible/tasks/**/*.yml"

nix/packages/docker-ubuntu.nix (1)

41-44: Use a fixed created timestamp for reproducible images.

created = "now" breaks image reproducibility. The nixpkgs dockerTools.buildImage default is 1970-01-01T00:00:01Z precisely to ensure binary-reproducible builds; adopt this value:

-  created = "now";
+  created = "1970-01-01T00:00:01Z";

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, find and read the .ansible-lint.yml file
find . -name ".ansible-lint.yml" -type f | head -5

Repository: supabase/postgres

Length of output: 80

---

🏁 Script executed:

# If it exists, read its full content
if [ -f ".ansible-lint.yml" ]; then
  cat -n ".ansible-lint.yml"
fi

Repository: supabase/postgres

Length of output: 1467

---

🏁 Script executed:

# Check if ansible/tasks/ directory exists
if [ -d "ansible/tasks" ]; then
  echo "=== Directory exists ==="
  find ansible/tasks -type f -name "*.yml" -o -name "*.yaml" | sort
else
  echo "ansible/tasks/ directory does not exist"
fi

Repository: supabase/postgres

Length of output: 1231

---

Remove the ansible/tasks/ exclusion to enable task linting.

The configuration excludes ansible/tasks/ from linting while also defining a kinds pattern for task files in the same directory. This contradiction prevents ansible-lint from checking any task files. If this PR aims to validate tasks, remove the ansible/tasks/ line from exclude_paths.

Additionally, note that the kinds pattern ansible/tasks/*.yml only matches top-level files and will miss nested tasks in ansible/tasks/internal/ (e.g., admin-api.yml, install-salt.yml). Consider updating the pattern to ansible/tasks/**/*.yml if nested tasks should be linted.

Suggested fix

 exclude_paths:
   - .cache/  # implicit unless exclude_paths is defined in config
   - .github/
   - ansible/files/
   - ansible/manifest-playbook.yml
   - ansible/playbook.yml
-  - ansible/tasks/
   - audit-specs/
   - nix/mkdocs.yml

And optionally update the kinds pattern:

 kinds:
-  - tasks: "ansible/tasks/*.yml"
+  - tasks: "ansible/tasks/**/*.yml"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	exclude_paths:
	- .cache/ # implicit unless exclude_paths is defined in config
	- .github/
	- ansible/files/
	- ansible/manifest-playbook.yml
	- ansible/playbook.yml
	- ansible/tasks/
	- audit-specs/
	- nix/mkdocs.yml
	exclude_paths:
	- .cache/ # implicit unless exclude_paths is defined in config
	- .github/
	- ansible/files/
	- ansible/manifest-playbook.yml
	- ansible/playbook.yml
	- audit-specs/
	- nix/mkdocs.yml

🤖 Prompt for AI Agents

In @.ansible-lint.yml around lines 7 - 15, Remove the "ansible/tasks/" entry
from the exclude_paths list so task files are not skipped by ansible-lint, and
update the kinds pattern from "ansible/tasks/*.yml" to "ansible/tasks/**/*.yml"
to include nested task files (e.g., ansible/tasks/internal/*.yml); ensure you
modify the exclude_paths block and the kinds pattern reference in the config
accordingly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

rg -n -- "--flake-dir" -A 2 -B 2

Repository: supabase/postgres

Length of output: 230

---

🏁 Script executed:

cat -n ansible/tests/conftest.py | head -60

Repository: supabase/postgres

Length of output: 2045

---

🏁 Script executed:

git ls-files | grep -E "(conftest|pytest)" | head -20

Repository: supabase/postgres

Length of output: 86

---

🏁 Script executed:

rg -n "flake-dir"

Repository: supabase/postgres

Length of output: 450

---

🏁 Script executed:

rg -n "flake.dir\|flake_dir" ansible/tests/

Repository: supabase/postgres

Length of output: 43

---

🏁 Script executed:

find . -type f -name "*.sh" -o -name "*.yml" -o -name "*.yaml" | head -20

Repository: supabase/postgres

Length of output: 807

---

🏁 Script executed:

cat -n nix/packages/ansible-test.nix

Repository: supabase/postgres

Length of output: 754

---

🏁 Script executed:

cat -n .github/workflows/ansible-tests.yml

Repository: supabase/postgres

Length of output: 3842

---

🏁 Script executed:

rg -n "FLAKE_DIR" nix/

Repository: supabase/postgres

Length of output: 285

---

🏁 Script executed:

rg -n "from pathlib\|import pathlib" ansible/

Repository: supabase/postgres

Length of output: 43

---

🏁 Script executed:

rg -n "Path\|pathlib" ansible/tests/

Repository: supabase/postgres

Length of output: 43

---

🏁 Script executed:

rg -n "is_dir\|exists()" ansible/ | head -20

Repository: supabase/postgres

Length of output: 43

---

🏁 Script executed:

cat -n ansible/tests/conftest.py | sed -n '54,80p'

Repository: supabase/postgres

Length of output: 1059

---

🏁 Script executed:

rg -n "docker.*-v" ansible/

Repository: supabase/postgres

Length of output: 43

---

🏁 Script executed:

python3 << 'EOF'
import pathlib
# Check if pathlib is available and works as expected
p = pathlib.Path("/tmp").expanduser().resolve()
print(f"Path exists: {p.is_dir()}")
print(f"Path type: {type(p)}")
EOF

Repository: supabase/postgres

Length of output: 117

---

🏁 Script executed:

# Check if there are any other fixtures or functions that validate paths
rg -n "pytest.fail\|is_dir\|exists" ansible/tests/conftest.py

Repository: supabase/postgres

Length of output: 43

---

🏁 Script executed:

# Verify the exact Docker behavior with non-existent paths in this context
# by checking if there's any error handling for Docker mount issues
rg -n "docker.*run\|subprocess" ansible/tests/conftest.py -A 5

Repository: supabase/postgres

Length of output: 43

---

🏁 Script executed:

# Check what happens when docker run is called with non-existent mount path
# by looking at Docker documentation or testing behavior
python3 << 'EOF'
import subprocess
import tempfile

# Simulate what Docker does with non-existent paths
# Docker typically just creates an empty directory if the source doesn't exist

# Let's verify the concern: checking if Docker silently creates empty dirs
# by examining the current setup
print("Docker behavior with non-existent source paths:")
print("- Docker will mount a volume even if source doesn't exist (creates empty dir)")
print("- This would cause confusing errors later in the test execution")
print("- Early validation would catch this and fail explicitly")
EOF

Repository: supabase/postgres

Length of output: 306

---

🏁 Script executed:

# Check if there are any CI logs or error handling that shows this is a real issue
rg -n "mount\|volume" ansible/

Repository: supabase/postgres

Length of output: 43

---

🏁 Script executed:

# Verify the proposed fix doesn't break anything by checking all imports
head -10 ansible/tests/conftest.py

Repository: supabase/postgres

Length of output: 217

---

Add validation that --flake-dir is an existing directory.

Docker will silently mount an empty directory if the source path doesn't exist, causing confusing test failures later. Validating early provides immediate, explicit feedback.

Suggested implementation

+from pathlib import Path

     flake_dir = request.config.getoption("--flake-dir")
     if not flake_dir:
         pytest.fail("--flake-dir option is required")
+    flake_dir_path = Path(flake_dir).expanduser().resolve()
+    if not flake_dir_path.is_dir():
+        pytest.fail(f"--flake-dir must be an existing directory: {flake_dir}")
     docker_image = request.config.getoption("--docker-image")
     if not docker_image:
         pytest.fail("--docker-image option is required")
@@
-                f"{flake_dir}:/flake",
+                f"{flake_dir_path}:/flake",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	@pytest.fixture(scope="module")
	def host(request):
	flake_dir = request.config.getoption("--flake-dir")
	if not flake_dir:
	pytest.fail("--flake-dir option is required")
	docker_image = request.config.getoption("--docker-image")
	if not docker_image:
	pytest.fail("--docker-image option is required")
	docker_id = (
	subprocess.check_output(
	[
	"docker",
	"run",
	"--privileged",
	"--cap-add",
	"SYS_ADMIN",
	"--security-opt",
	"seccomp=unconfined",
	"--cgroup-parent=docker.slice",
	"--cgroupns",
	"private",
	"-v",
	f"{flake_dir}:/flake",
	"-d",
	docker_image,
	]
	)
	.decode()
	.strip()
	)
	yield testinfra.get_host("docker://" + docker_id)
	subprocess.check_call(["docker", "rm", "-f", docker_id], stdout=subprocess.DEVNULL)
	`@pytest.fixture`(scope="module")
	def host(request):
	from pathlib import Path
	flake_dir = request.config.getoption("--flake-dir")
	if not flake_dir:
	pytest.fail("--flake-dir option is required")
	flake_dir_path = Path(flake_dir).expanduser().resolve()
	if not flake_dir_path.is_dir():
	pytest.fail(f"--flake-dir must be an existing directory: {flake_dir}")
	docker_image = request.config.getoption("--docker-image")
	if not docker_image:
	pytest.fail("--docker-image option is required")
	docker_id = (
	subprocess.check_output(
	[
	"docker",
	"run",
	"--privileged",
	"--cap-add",
	"SYS_ADMIN",
	"--security-opt",
	"seccomp=unconfined",
	"--cgroup-parent=docker.slice",
	"--cgroupns",
	"private",
	"-v",
	f"{flake_dir_path}:/flake",
	"-d",
	docker_image,
	]
	)
	.decode()
	.strip()
	)
	yield testinfra.get_host("docker://" + docker_id)
	subprocess.check_call(["docker", "rm", "-f", docker_id], stdout=subprocess.DEVNULL)

🧰 Tools

🪛 Ruff (0.14.14)

[error] 32-32: subprocess call: check for execution of untrusted input

(S603)

---

[error] 33-48: Starting a process with a partial executable path

(S607)

---

[error] 54-54: subprocess call: check for execution of untrusted input

(S603)

---

[error] 54-54: Starting a process with a partial executable path

(S607)

🤖 Prompt for AI Agents

In `@ansible/tests/conftest.py` around lines 23 - 54, The host fixture currently
reads --flake-dir into flake_dir but doesn't verify it exists, causing docker to
silently mount an empty dir; update the host fixture to validate that flake_dir
is an existing directory (use os.path.exists and os.path.isdir on flake_dir) and
call pytest.fail with a clear message if it is missing or not a directory; keep
the same behavior for docker_image validation and use the existing flake_dir
variable when constructing the docker run volume argument.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@nix/hooks.nix`:
- Around line 4-6: The workflow list variable lintedWorkflows contains a typo:
it references "ansible-test.yml" but the actual workflow file is named
"ansible-tests.yml"; update the lintedWorkflows array to include
"ansible-tests.yml" (replacing "ansible-test.yml") so the new workflow is picked
up by actionlint (look for the lintedWorkflows declaration to make this change).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Workflow name mismatch prevents linting the new workflow.

The list includes ansible-test.yml, but the workflow file is ansible-tests.yml. This will exclude the new workflow from actionlint.

🔧 Suggested fix

-    "ansible-test.yml"
+    "ansible-tests.yml"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	lintedWorkflows = [
	"ansible-test.yml"
	"nix-eval.yml"
	lintedWorkflows = [
	"ansible-tests.yml"
	"nix-eval.yml"

🤖 Prompt for AI Agents

In `@nix/hooks.nix` around lines 4 - 6, The workflow list variable lintedWorkflows
contains a typo: it references "ansible-test.yml" but the actual workflow file
is named "ansible-tests.yml"; update the lintedWorkflows array to include
"ansible-tests.yml" (replacing "ansible-test.yml") so the new workflow is picked
up by actionlint (look for the lintedWorkflows declaration to make this change).

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@nix/hooks.nix`:
- Around line 28-35: The ansible-lint hook currently sets settings.subdir =
"ansible/tests", which limits linting to just the test playbook; update the
ansible-lint hook (the ansible-lint attribute with settings and configPath) to
cover the whole Ansible tree—e.g. remove or change settings.subdir to "ansible"
or add include patterns for "ansible/tasks", "ansible/*.yml" and playbooks like
"playbook.yml"/"manifest-playbook.yml" so all task files, playbooks and vars are
linted (or alternatively add a clear comment explaining why only tests are
targeted).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check what Ansible directories/files exist that might need linting
echo "=== Ansible directories in repository ==="
fd -t d . ansible --max-depth 2

echo ""
echo "=== Ansible YAML files outside ansible/tests ==="
fd -e yml -e yaml . ansible -E 'ansible/tests/*'

Repository: supabase/postgres

Length of output: 2048

---

Fix ansible-lint hook scope to cover all Ansible content.

The subdir = "ansible/tests" setting restricts linting to only ansible/tests/nginx.yaml (1 file). The repository contains 28+ Ansible task files in ansible/tasks/, multiple playbooks (playbook.yml, manifest-playbook.yml), and variable files that are currently excluded from linting.

Either:

1. Update the hook to lint all relevant directories (ansible/tasks/, playbooks, etc.), or
2. Document why only test playbooks are linted.

🤖 Prompt for AI Agents

In `@nix/hooks.nix` around lines 28 - 35, The ansible-lint hook currently sets
settings.subdir = "ansible/tests", which limits linting to just the test
playbook; update the ansible-lint hook (the ansible-lint attribute with settings
and configPath) to cover the whole Ansible tree—e.g. remove or change
settings.subdir to "ansible" or add include patterns for "ansible/tasks",
"ansible/*.yml" and playbooks like "playbook.yml"/"manifest-playbook.yml" so all
task files, playbooks and vars are linted (or alternatively add a clear comment
explaining why only tests are targeted).