r/ansible

Monkeyble testing framework now supports Ansible 2.12

Hello everyone 👋

If you're an SRE working with Ansible, you might be interested in our latest update to Monkeyble, our Ansible unit testing tool.

We’ve just released a new version with support for Ansible 2.12 (core 2.19).

Happy testing!

https://github.com/HewlettPackard/monkeyble

#ansible #testing #sre #devops

u/sispheor — 10 hours ago
▲ 23 r/ansible

Hidden gems in the builtin collection

Hi ansible community,

just out of curiosity, what are some of your "hidden gems", maybe not so well known functions / plugins / modules from the ansible.builtin collection?

If I were to be asked this question, I'd probably answer with the ternary filter, just one of those things you never need until you really need it.

reddit.com
u/_-TECHNiCiAN-_ — 18 hours ago
▲ 2 r/ansible+2 crossposts

How to Connect VS Code to a Remote Ansible Server Step by Step

I put together a quick walkthrough on how I connect VS Code to a remote Ansible server using Remote SSH.

This setup has made it much easier for me to manage playbooks, edit files, and work directly on the server without constantly switching contexts.

Curious how others are doing this — are you using VS Code Remote SSH, or sticking with terminal-based workflows?

Happy to hear any tips or better approaches.

youtube.com
u/Aspiring-Dev — 20 hours ago

ansible.builtin.apt_repository PPAs and GPG keys

I understand very little about apt and gpg keys, so you're gonna have to talk to me like I'm 2yrs old.

If I follow the instructions on a PPA website, I can add the PPA with the command:

add-apt-repository ppa:blah/blah

That one command downloads the gpg key and puts it in the keyrings folder, and creates a file in /etc/apt/sources.list.d that has the "signed-by" attribute that points to the keyring file.

I now want to do this with ansible. I followed ansible's instructions, and numerous articles written in the last few months, and they say to put an entry:

- name: Add PPA
  ansible.builtin.apt_repository:
    repo: ppa:blah/blah
    state: present

Well it doesn't work. I can see it create the file in /etc/apt/sources.list.d, but it has no "signed-by" attribute in it. No keyring file is created at all. After a while of hanging, ansible finally erases the file it just created in /etc/apt/sources.list.d, and spits out the error:

Failed to update apt cache: unknown reason

Isn't ansible just supposed to (in the background) execute commands as if the user typed them? That is, I can add this PPA and GPG key with the one command above, why is ansible failing at it?

I've come across some instructions that say to have two separate ansible instructions where the first instruction is to download the gpg key to the keyring folder. Well I can't believe that is a solution, because when I go to these PPA websites, they have no links for gpg keys, they only have the above one command (add-apt-repository) that does everything.

reddit.com
u/btred101 — 20 hours ago
▲ 20 r/ansible+1 crossposts

I Automated Oracle 19.28 Database and Grid Patching with Ansible — Here Are the Playbooks

I’ve been using Ansible for Oracle database patching for a while now, mainly to standardize and simplify the process across environments.

Although 19.31 is around the corner and it’s already time to move forward with the usual n-1 approach (19.30), I realized I never shared my updated playbooks for 19.28.

The playbooks cover:

  • Grid Infrastructure patching
  • Database RU + MRP
  • RAC environments
  • Out-of-place patching

They reflect what I actually use in real systems, not just a lab setup.

If you're dealing with Oracle patching and want something repeatable and less manual, this might help.

Feedback / suggestions welcome.

dincosman.com
u/riddinck — 2 days ago

The Bullhorn #224

Hey r/ansible!

Here's a summary of what's in The Bullhorn #224, our community newsletter:

Major new releases 🏆️

- Ansible-Core

- ansible-core Beta Release

- Latest ansible-core Beta

- antsibull-nox Release

- Ansible Community Package

- Latest Ansible Package Pre-Release

- Ansible Package Alpha Release

Project updates 🛠️

- Ansible Community Execution Environment Base 2.20.4-1 (Latest)

- Ansible Community Execution Environment Minimal 2.20.4-1

- Ansible Community Execution Environment Base 2.20.3-1

- Ansible Community Execution Environment Minimal 2.20.3-1

- Ansible Community Execution Environment Base 2.20.2-1

- Ansible Community Execution Environment Minimal 2.20.2-1

- andebox Release Update

Collection updates 🪄

- cisco.dnac Collection Deprecated

- infra.ee_utilities Release

- community.proxmox Beta Release

- community.sops Pre-Release

- community.docker Export Feature

- community.routeros Update

- infra.aap_configuration Release

- infra.controller_configuration Release

- infra.aap_utilities Major Release

- ansible.netcommon:8.5.0

- ansible.utils:6.0.2

- cisco.dcnm:3.11.0

- cisco.intersight:2.18.0

- cisco.iosxr:12.2.1

- crowdstrike.falcon:4.11.2

- os_migrate.vmware_migration_kit:2.2.3

- servicenow.itsm:2.14.0

- splunk.es:6.0.0

Help wanted 🙏

- OpenSuSE Testing for Collections

Community updates 👂️

- Ansible Community AI Policy Proposal

- ansible-core Branch Updates

- New community.clickhouse Maintainer

- Collections Needing New Releases

Community events and meetups 📅

- Securing Ansible Workflows Webinar

- 2026-04-23, AWS Community Meeting

- 2026-05-05, Announcing Our Official Code Freeze Schedule & Process

- 2026-05-07, AAP Config as Code Office Hours - First Thursday of Every Month

Read the full newsletter on the Ansible Forum.

reddit.com
u/dbrenuk — 3 days ago

Ansible playbook convert to diagram

Hello, I'm looking for a tool that converts ansible playbooks to uml/mermaid diagrams. The approach is to document my playbooks end to end.

Do you have any ideas?

I already found ansible-grapher and docsible.

thanks

reddit.com
u/Nocst_er — 6 days ago
▲ 33 r/ansible

Netbox + Ansible (netdevops project)

Hi everyone, hope you're doing well

I'm using NetBox as a source of truth and Ansible + Jinja2 templates to generate and push configs to devices.

My lab is a small multi-vendor VXLAN EVPN fabric (spine-leaf topology), mainly mixing Nokia SR Linux and Arista devices.

What I’m trying to figure out is:

* How do you define everything cleanly in NetBox, or partially in Ansible vars? (VRFs, VNIs, VLANs, loopbacks, VTEPs, etc.)

* How do you usually structure your Ansible project in this case? (meaning templates, roles, playbooks, inventory)

* roles per feature (interfaces, routing, evpn, etc.)?

* or per device/vendor?

* How do you handle multi-vendor differences in templates without making things messy?

Right now I feel like I understand the concepts, but I’m not sure what a “clean and scalable” structure looks like in practice.

Any advice, examples, or even repo references would really help

reddit.com
u/Creative-Sell-4339 — 5 days ago

Migrating AWX web and task to HA setup

Hello everybody,

Our AWX infrastructure has grown quite a lot in the last years. At the moment we have 10 execution nodes scattered in our customers' networks and having a single control node starts to feel like a huge SPOF since we have a lot of automation in place.

We are starting to organize our migration from a single server to an HA installation. We already exported the internal database to an external postgres cluster based on EDB clustering solution.

Now we have to migrate web and task. At the moment everything is deployed through the AWX operator on a single instance minikube cluster.

What we were thinking is to deploy a new k3s cluster with multiple nodes using the same crs and secrets of the old installation and, when we are ready, stop the old cluster and simply run a kubectl apply of the kustomization file.

Since the db is already populated with all the information it should simply spin up our "old" AWX instance but in HA, right?

Have you ever migrated an existing AWX instance to an HA one using the same db? Would you do it in a different manner?

Thank you very much.

Best regards

reddit.com
u/BigFranky92 — 8 days ago

Inventory Chicken and Egg Problem

I am hoping someone can point me in the right direction here as I am not seeing a way to accomplish my desired outcome. I am creating a playbook that will create a new VM in proxmox. I then want to execute a task on said VM as part of the configuration. So I can create the VM but how do I execute my tasks on this VM when it isn't in the inventory to be executed on. I cannot declare the new VM in hosts and use limits to specify which host this applies to as the server isn't created yet and I don't have the required information to connect to it until it is created.

I am sure someone out there has got past this so I am hoping you can guide me to a solution to this problem without having to run a separate playbook after the fact.

The main task I am trying to do after it is deployed is join my server to a FreeIPA server but I am sure there will be other tasks as part of the preparation of the server.

reddit.com
u/redditphantom — 7 days ago

meta: noop, free strategy, and run_once

I've got a playbook that does some evaluations on hosts and then does an import_playbook for a reboot. I do this so I can change the strategy of the reboot on hosts to free, and they can take care of it in their own time, not waiting for the other hosts to finish.

It seems when you use the free strategy that the task name won't display until a host has something to report. So when the reboot module task actually starts, there's no task name displayed and it kind of looks like the play just freezes up until one of the hosts finishes the reboot and responds again. So I'd like to post a message for the user running the playbook not to panic, and just wait for a bit.

I know I can just use debug and print a message, with run_once, but it just looks a bit sloppy. I'm just being a stickler here, but I really like the idea of a blank "comment" task, where it just displays the typical:

TASK [This is the task name] *********************

The meta module has noop, which displays the task name, and that's it. It's perfect, but for some reason it runs for every host, even though it has the bypass_host_loop attribute. Even when I use run_once: true, it still repeats for each host. If I use the free strategy, it doesn't seem to run at all, which I see is also because of the bypass_host_loop attribute.

Likewise, even run_once with the debug isn't honored when using the "free" strategy.

So does anyone know how I can possibly display a quick simple note for the user just before the reboot task starts given the scenario?

reddit.com
u/mezum — 6 days ago
▲ 2 r/ansible+1 crossposts

Alternatives to kanidm (identity provider/management)?

I currently am using kanidm to manage user accounts, but find the management a bit fickle. I would like to manage users using an idP via Ansible. With kanidm it's very clunky, and while I could write things to make it easier, I am at a point where I am able to migrate rather easily. But idP is a necessity for me.

I have looked at Authelia, but that's a web-only focus (no Linux PAM support without hacks). I am hoping for something lightweight like kanidm (e.g., can be managed via CLI so scripting is easy), but I'm not opposed to a web-based config if needed.

Needs:

  • Linux PAM support
  • Be central authority of server access
  • Allows support for SSH auth (e.g., kanidm can act as a pubkey store for users)
reddit.com
u/ehansen — 6 days ago
▲ 25 r/ansible

Open-source tool to convert Puppet manifests to Ansible (100% local, no AI APIs used for conversion)

Hey everyone,

I’ve been working on a Python tool called p2a (puppet-to-ansible) to help automate the migration of legacy Puppet codebases to Ansible.

I wanted a solution that was strictly local—no sending infrastructure code or secrets to external LLM APIs. It uses a deterministic parser built with the Lark library.

Main features:

  • Local Parsing: Converts .pp manifests and full modules to Ansible roles/playbooks on your machine.
  • Templates: Converts ERB to Jinja2.
  • Hiera: Resolves Hiera lookups into Ansible defaults/vars.
  • Safety: If the parser hits something too complex, it leaves a valid Ansible task with a # TODO comment containing the original code.

On the AI side: To be fully transparent, I used Claude Code to help write the parser logic and the boilerplate. To make sure the output isn't "hallucinated," I’ve implemented over 200 tests to validate the conversion logic.

How to get it: The package is available on PyPI (pip). You can install it with: pip install puppet-to-ansible

The CLI command is p2a.

How to find the code: "puppet-to-ansible"  (user_gh: pavelux00x).

I’m looking for feedback! If you have some old Puppet manifests, please try to run them through the tool and let me know where it breaks or where I can improve the Ansible output best practices.

Thanks!

reddit.com
u/InspectionCold1062 — 8 days ago

Ansible Project for Juniper Switches

Hi, I'm working on a project where I automate the firmware updates of Juniper QFX5120-48YB switches. This is my 3rd time working with Ansible and only worked with it to deploy VM's, LXC's and configurations.

I basically need to trigger a pipeline that does pre-checks, installs the firmware on the switches and post-checks

Are there any tips that will be helpful to complete this project?

reddit.com
u/pluto_sp — 6 days ago

Help with nvidia.nvue collection.

I am struggling to find any good examples on google of how to use this collection. I am able to get it to apply configuration in various ways i.e. with nvidia.nvue.api, the specific module or with nvidia.nvue.commands.

However, I am unable to find a way to remove configuration other than just using commands with the unset option.

I was hoping to use it as a proper "desired state" option but I can't even remove the default ntp servers let alone myriad ACL entries I don't want to manually specify.

Has anyone here had any luck using this collection?

reddit.com
u/Important-Egg8589 — 7 days ago
🔥 Hot ▲ 95 r/ansible

Is AWX basically dead as a release project now? No release since July 2024…

Genuinely trying to understand what’s going on with AWX (the upstream of Ansible Tower / AAP).

The GitHub repo shows the last release around July 2024, and since then it looks like:

  • No new official releases
  • “Active development” but without shipping anything usable
  • Ongoing refactoring with no clear ETA
  • Increasing confusion about whether it’s even meant to be consumed anymore

At this point it’s starting to feel less like an open-source project and more like a paused reference implementation that only exists for Red Hat’s AAP pipeline.

So what’s the actual situation?

  • Is AWX still an intended production-ready upstream, or has it effectively been deprioritized?
  • If releases are “paused for refactoring”, how long is that supposed to last realistically?
  • Are users just expected to move to Ansible Automation Platform now?
  • Or is AWX slowly turning into abandonware outside of AAP?

Because from the outside, it looks like:

>

GitHub: https://github.com/ansible/awx

Would appreciate honest input from maintainers or anyone actually close to the project, because the current state is pretty unclear.

reddit.com
u/The404Engineer — 13 days ago

Roles fighting over config files

Clearest example I have is as follows. I have a playbook that I run on all new servers, doing things like installing docker and some basic hardening. One of the tasks here is writing the sshd config from a template.

For my backup server, I need to allow certain users to ssh in. The backup-setup playbook is run, and with LineInFile it happens to modify the sshd config.

It has just so happened that a modification was made to the hardening role, and it needed to be re-run. This obviously broke things, but I wasn't immediately aware as it had been a while since setting up the backup server.

What is the right way to approach this issue? The hardening role isn't necessarily maintained by myself. My instinct says to craft playbooks in such a way that these conflicting tasks are always run in the right order, but I think that in practice that would mean often running way more tasks than is necessary.

reddit.com
u/robotgirl_moss — 8 days ago

Fresh CCNA, are there any pre-requisites to learning Ansible?

As per the title, I just obtained my CCNA about a week ago. I'm eyeing the EX457 to complement it. Do I need to study anything prior to starting a course specific to the EX457 on something like CBT Nuggets? I have no prior experience in Linux or Coding languages. Any recommendations or can I jump in head first? Also any study material you guys might recommend is welcome information, please and thank you.

reddit.com
u/[deleted] — 9 days ago

Help me build labs for ansible

Hi,

I just started tutoring and I need to create some material for my students so they can learn ansible. If you’re interested, we can do a session where I teach you ansible and you help me test out the labs I’m creating for my students.

It’s free but I’m NOT helping you set up your dev environment lol.

reddit.com
u/che_vagari — 7 days ago
▲ 24 r/ansible+1 crossposts

Understanding Ansible creation of VM

So I have been experimenting with Ansible and creating a new VM and I have been successful but I want to take it to the next level by using cloud-init. I am able to get a cloud-init and template setup and clone from within proxmox. My issue is that I am confused by the method through proxmox and the community.proxmox.proxmox_kvm module. In the documentation it seems to indicate in the example to create a new VM and attach the cloud-init image to that VM for initialization of the VM.

- name: Create new VM using Cloud-Init with an ssh key
  community.proxmox.proxmox_kvm:
    node: sabrewulf
    api_user: root@pam
    api_password: secret
    api_host: helldorado
    name: spynal
    ide:
      ide2: 'local:cloudinit,format=qcow2'
    sshkeys: |
      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUF/cMCRObddaMmvUDio//yge6gRGXNv3uqMq7ve0x3 ssh-key-1@example.com
      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+v9HERWdWKh1lxceobl98LBX3+alfVK0zJnAxLbMRq ssh-key-2@example.com
    searchdomains: 'mydomain.internal'
    nameservers:
      - '1.1.1.1'
      - '8.8.8.8'
    net:
      net0: 'virtio,bridge=vmbr1,tag=77'
    ipconfig:
      ipconfig0: 'ip=192.168.1.1/24'

However other examples show cloning a template with cloud-init attached to the template:

  - name: Clone cloud-init template
    community.general.proxmox_kvm:
      node: proxmox
      vmid: 9000
      clone: gemini
      name: cloud-1
      api_user: ansible@pam
      api_token_id: ansible_pve_token
      api_token_secret: 1daf3b05-5f94-4f10-b924-888ba30b038b
      api_host: your.proxmox.host
      storage: ZFS01
      timeout: 90

I don't know if there is a method that is considered best practice or if there is an advantage of one over the other. The creating a VM from scratch (Edit: using Ansible to create the VM and attaching the cloud init image, I think I confused people by saying from scratch) seems better to me as you don't have to store a template around. Maybe I am missing something but is there a best practice here? It gets confusing when I see different ways of doing what appears the same thing but nobody documenting what is the best option. Thanks in advance for your guidance.

EDIT: Ok so I figured out what I needed. I found information on this from some of the people posting here as well as the following sites below. It seems a minimal template is required to hold the cloud-init image being stored in relation to the template. You have to then import that image to your newly created VM and boot it and it will deploy with what you set in your ansible script. Thank you all.

https://joshrnoll.com/deploying-proxmox-vms-with-ansible-part-2/

https://www.uncommonengineer.com/docs/engineer/LAB/proxmox-cloudinit/

reddit.com
u/redditphantom — 11 days ago