ansible

Verified·Scanned 2/18/2026

This skill provides Ansible best-practice guidance for YAML, variable precedence, idempotence, handlers, privilege escalation, and common mistakes. It references credential handling via --ask-vault-pass, vault password file, and ansible.cfg, which involves handling secrets but is purpose-aligned.

from clawhub.ai·v79d1ad1·3.1 KB·0 installs
Scanned from 1.0.0 at 79d1ad1 · Transparency log ↗
$ vett add clawhub.ai/ivangdavila/ansible

YAML Syntax Traps

  • Jinja2 in value needs quotes — "{{ variable }}" not {{ variable }}
  • : in string needs quotes — msg: "Note: this works" not msg: Note: this
  • Boolean strings: yes, no, true, false parsed as bool — quote if literal string
  • Indentation must be consistent — 2 spaces standard, tabs forbidden

Variable Precedence

  • Extra vars (-e) override everything — highest precedence
  • Host vars beat group vars — more specific wins
  • vars: in playbook beats inventory vars — order: inventory < playbook < extra vars
  • Undefined variable fails — use {{ var | default('fallback') }}

Idempotence

  • command/shell modules aren't idempotent — always "changed", use creates: or specific module
  • Use apt, yum, copy etc. — designed for idempotence
  • changed_when: false for commands that don't change state — like queries
  • creates:/removes: for command idempotence — skips if file exists/doesn't

Handlers

  • Handlers only run if task reports changed — not on "ok"
  • Handlers run once at end of play — not immediately after notify
  • Multiple notifies to same handler = one run — deduplicated
  • --force-handlers to run even on failure — or meta: flush_handlers

Become (Privilege Escalation)

  • become: yes to run as root — become_user: for specific user
  • become_method: sudo is default — use su or doas if needed
  • Password needed for sudo — --ask-become-pass or in ansible.cfg
  • Some modules need become at task level — even if playbook has become: yes

Conditionals

  • when: without Jinja2 braces — when: ansible_os_family == "Debian" not when: "{{ ... }}"
  • Multiple conditions use and/or — or list for implicit and
  • is defined, is not defined for optional vars — when: my_var is defined
  • Boolean variables: when: my_bool — don't compare == true

Loops

  • loop: is modern, with_items: is legacy — both work, loop preferred
  • loop_control.loop_var for nested loops — avoids variable collision
  • item is the loop variable — use loop_control.label for cleaner output
  • until: for retry loops — until: result.rc == 0 retries: 5 delay: 10

Facts

  • gather_facts: no speeds up play — but can't use ansible_* variables
  • Facts cached with fact_caching — persists across runs
  • Custom facts in /etc/ansible/facts.d/*.fact — JSON or INI, available as ansible_local

Common Mistakes

  • register: captures output even on failure — check result.rc or result.failed
  • ignore_errors: yes continues but doesn't change result — task still "failed" in register
  • delegate_to: localhost for local commands — but local_action is cleaner
  • Vault password for encrypted files — --ask-vault-pass or vault password file
  • --check (dry run) not supported by all modules — command, shell always skip