From 77eebe507e4b9ba4041ccc0f06ecd4bfd4e21a97 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Mon, 30 Mar 2026 16:10:24 -0700
Subject: [PATCH] Review Ansible reference doc: add missing roles, clarify IaC
 positioning

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docs/changelog.d/+ansible-doc-review.doc.md |  1 +
 docs/reference/tools/ansible.md             | 21 ++++++++++++++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 docs/changelog.d/+ansible-doc-review.doc.md

diff --git a/docs/changelog.d/+ansible-doc-review.doc.md b/docs/changelog.d/+ansible-doc-review.doc.md
new file mode 100644
index 0000000..976517a
--- /dev/null
+++ b/docs/changelog.d/+ansible-doc-review.doc.md
@@ -0,0 +1 @@
+Review and update Ansible reference doc: add missing roles, sibling playbooks, and clarify Ansible's role in the IaC stack.
diff --git a/docs/reference/tools/ansible.md b/docs/reference/tools/ansible.md
index 2f21eb2..7c0ebc9 100644
--- a/docs/reference/tools/ansible.md
+++ b/docs/reference/tools/ansible.md
@@ -1,6 +1,7 @@
 ---
 title: Ansible
-modified: 2026-02-12
+modified: 2026-03-30
+last-reviewed: 2026-03-30
 tags:
   - ansible
   - reference
@@ -8,7 +9,7 @@ tags:
 
 # Ansible
 
-Configuration management for native services on [[indri]]. The primary playbook is `ansible/playbooks/indri.yml`.
+Host-level configuration management — the layer between cloud infrastructure ([[pulumi]]) and containerized workloads ([[argocd]]). The primary playbook is `ansible/playbooks/indri.yml` (targets [[indri]]); separate playbooks exist for [[ringtail]] and [[sifaka]].
 
 ## CLI Patterns
 
@@ -23,6 +24,16 @@ mise run provision-indri -- --tags caddy
 mise run provision-indri -- --check --diff
 ```
 
+Other hosts have their own playbooks:
+
+```bash
+# Ringtail (NixOS, k3s)
+mise run provision-ringtail
+
+# Sifaka (Synology NAS exporters)
+mise run provision-sifaka
+```
+
 ## Available Roles
 
 | Role | Purpose | Service |
@@ -32,6 +43,8 @@ mise run provision-indri -- --check --diff
 | **borgmatic_metrics** | Backup metrics exporter | [[borgmatic]] |
 | **caddy** | Reverse proxy & TLS | [[routing]] |
 | **forgejo** | Git forge | [[forgejo]] |
+| **forgejo_actions_secrets** | CI/CD secrets for Forgejo Actions | [[forgejo]] |
+| **forgejo_metrics** | Forge metrics exporter | [[forgejo]] |
 | **jellyfin** | Media server | [[jellyfin]] |
 | **jellyfin_metrics** | Media metrics exporter | [[jellyfin]] |
 | **minikube** | Kubernetes cluster | [[cluster]] |
@@ -57,5 +70,7 @@ Roles that need secrets use 1Password via the playbook's `pre_tasks`. Secrets ar
 
 ## Related
 
-- [[indri]] — Target host
+- [[indri]] — Primary managed host
+- [[ringtail]] — NixOS host managed by its own playbook
+- [[sifaka]] — Synology NAS managed by its own playbook
 - [[observability]] — Metrics collection