Claude-skill-registry ansible-host-limiter

Ensures ansible and ansible-playbook commands always include the -l (limit) flag to target only ndelucca-server and prevent accidental execution on raspberry-printer or other hosts. Activate this skill whenever running any ansible or ansible-playbook commands.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/ansible-host-limiter" ~/.claude/skills/majiayu000-claude-skill-registry-ansible-host-limiter && rm -rf "$T"
manifest: skills/data/ansible-host-limiter/SKILL.md
safety · automated scan (low risk)
This is a pattern-based risk scan, not a security review. Our crawler flagged:
  • uses sudo
Always read a skill's source content before installing. Patterns alone don't mean the skill is malicious — but they warrant attention.
source content

Ansible Host Limiter Skill

Purpose

This skill enforces a critical safety practice for the home-server infrastructure: always limit ansible commands to specific hosts to prevent accidental execution on unintended targets like the raspberry-printer.

Target Hosts

Primary Target (Default)

  • ndelucca-server: The main home server running Fedora 43

Hosts to Avoid (Unless Explicitly Requested)

  • ndelucca-raspberry-printer: Raspberry Pi running Debian (not Fedora)
  • Any other hosts in the inventory

Mandatory Rules

Rule 1: Always Use -l Flag

Every ansible-playbook and ansible command MUST include the -l (limit) flag.

Correct:

ansible-playbook playbooks/jellyfin.yml -l ndelucca-server
ansible-playbook playbooks/site.yml -l ndelucca-server
ansible ndelucca-server -m ping

Incorrect (NEVER DO THIS):

ansible-playbook playbooks/jellyfin.yml
ansible-playbook playbooks/site.yml
ansible all -m ping

Rule 2: Default to ndelucca-server

Unless the user explicitly requests a different target, always default to -l ndelucca-server.

Rule 3: Confirm Before Multi-Host Execution

If the user asks to run commands on multiple hosts or "all" hosts, ask for explicit confirmation before proceeding.

Implementation Guidelines

When Running Playbooks

  1. User says: "Run the jellyfin playbook". You execute:

    ansible-playbook playbooks/jellyfin.yml -l ndelucca-server

  2. User says: "Deploy nginx". You execute:

    ansible-playbook playbooks/site.yml --tags nginx -l ndelucca-server

  3. User says: "Run the site playbook". You execute:

    ansible-playbook playbooks/site.yml -l ndelucca-server
    

When Running Ad-Hoc Commands

  1. User says: "Restart nginx". You execute:

    ansible ndelucca-server -m ansible.builtin.systemd -a "name=nginx state=restarted" --become

  2. User says: "Check disk space". You execute:

    ansible ndelucca-server -m shell -a "df -h"
    

When User Requests Multi-Host Execution

User says: "Run this on all servers"

You respond: "This command would affect multiple hosts including ndelucca-raspberry-printer. Are you sure you want to run it on all hosts, or should I limit it to ndelucca-server only?"

Wait for user confirmation before proceeding.

Safety Checklist

Before executing any ansible command, verify:

  • The -l flag is present
  • The target is ndelucca-server (or user explicitly requested otherwise)
  • The command is appropriate for the targeted host
  • The playbook/role supports the target OS (ndelucca-server runs Fedora 43)
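
The first two checklist items can be checked mechanically before a command runs. The guard below is an added example, not part of the original skill; the function name check_ansible_target is hypothetical, and it treats the host pattern of an ad-hoc ansible command as its target, as the page's own ad-hoc examples do.

```bash
#!/usr/bin/env bash
# Added example (not part of the skill): pre-flight check for the checklist.
# ALLOWED_HOST comes from the page; the function name is hypothetical.
ALLOWED_HOST="ndelucca-server"

# Usage: check_ansible_target ansible-playbook playbooks/site.yml -l ndelucca-server
# Returns 0 when the command is confined to $ALLOWED_HOST, 1 otherwise.
check_ansible_target() {
    local cmd="${1:-}" limit="" positional="" arg
    if [ "$#" -gt 0 ]; then shift; fi
    case "$cmd" in
        ansible|ansible-playbook) ;;
        *) echo "not an ansible command: $cmd" >&2; return 1 ;;
    esac
    while [ "$#" -gt 0 ]; do
        arg="$1"; shift
        case "$arg" in
            -l|--limit)  limit="${1:-}"; if [ "$#" -gt 0 ]; then shift; fi ;;
            --limit=*)   limit="${arg#--limit=}" ;;
            -l?*)        limit="${arg#-l}" ;;
            # Options that take a value: skip the value so it is not
            # mistaken for the playbook path or host pattern.
            -m|--module-name|-a|--args|-i|--inventory|-e|--extra-vars|\
            -t|--tags|--skip-tags|-u|--user|-f|--forks)
                         if [ "$#" -gt 0 ]; then shift; fi ;;
            -*)          ;;   # value-less flags such as --become, --syntax-check
            *)           if [ -z "$positional" ]; then positional="$arg"; fi ;;
        esac
    done
    # An explicit limit must be exactly the allowed host: no lists, no "all".
    if [ -n "$limit" ]; then
        if [ "$limit" = "$ALLOWED_HOST" ]; then return 0; fi
        echo "limit '$limit' is not $ALLOWED_HOST" >&2
        return 1
    fi
    # Ad-hoc commands name their target as the host pattern (first positional).
    if [ "$cmd" = "ansible" ] && [ "$positional" = "$ALLOWED_HOST" ]; then
        return 0
    fi
    echo "refusing '$cmd': not limited to $ALLOWED_HOST" >&2
    return 1
}
```

A non-zero return is the point at which to stop and ask the user for confirmation, as Rule 3 requires.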

Common Commands with Correct Syntax

# Run site playbook (all roles)
ansible-playbook playbooks/site.yml -l ndelucca-server

# Run specific playbook
ansible-playbook playbooks/jellyfin.yml -l ndelucca-server
ansible-playbook playbooks/nginx.yml -l ndelucca-server

# Run with tags
ansible-playbook playbooks/site.yml --tags nginx -l ndelucca-server

# Ad-hoc command to restart service
ansible ndelucca-server -m ansible.builtin.systemd -a "name=jellyfin state=restarted" --become

# Ad-hoc command to check service status
ansible ndelucca-server -m ansible.builtin.systemd -a "name=nginx" --become

# Syntax check
ansible-playbook playbooks/site.yml --syntax-check -l ndelucca-server

Error Prevention

Common Mistakes to Avoid

  1. Running without -l flag: This will execute on ALL hosts in inventory
  2. Using all as host pattern: Affects all hosts including raspberry-printer
  3. Forgetting --become: Some tasks require sudo privileges

What to Do If User Asks to Run Without Limiting

Never run ansible commands without the -l flag unless the user:

  1. Explicitly says "run on all hosts" or "run on raspberry-printer"
  2. Confirms they understand it will affect multiple hosts
  3. Has been warned by you about the consequences

Examples of Correct Behavior

Example 1: Implicit Target

User: "run the playbook first, make sure nothing breaks"
You: Execute: ansible-playbook playbooks/site.yml -l ndelucca-server

Example 2: Service Management

User: "restart jellyfin"
You: Execute: ansible ndelucca-server -m ansible.builtin.systemd -a "name=jellyfin state=restarted" --become

Example 3: Configuration Update

User: "deploy the nginx changes"
You: Execute: ansible-playbook playbooks/site.yml --tags nginx -l ndelucca-server

Notes

  • The raspberry-printer runs Debian, not Fedora, so Fedora-specific playbooks will fail on it
  • Working directory is always: /home/ndelucca/environment/home-server
  • Inventory files are in: inventory/hosts.yml and playbooks/hosts.yml
  • Most playbooks are in the playbooks/ directory

Summary

Golden Rule: Every ansible-playbook and ansible command MUST include -l ndelucca-server unless explicitly instructed otherwise by the user.