# Ansible — Agentless Server Automation

> Practical guide to Ansible — agentless IT automation over SSH, provisioning, deploying and configuring with YAML playbooks plus Vault for secrets.

Source: https://www.jpkc.com/db/en/cheatsheets/cloud-iac/ansible/

Ansible is an agentless automation tool from Red Hat that lets you provision servers, configure them and roll out software – without running any agent on the managed hosts. Everything happens over plain SSH, and your desired state lives as code in declarative YAML playbooks. The name actually covers several binaries: `ansible` for ad-hoc commands, `ansible-playbook` for full workflows, plus `ansible-galaxy`, `ansible-vault` and `ansible-inventory`. This guide takes you from a quick ping through structured playbooks all the way to encrypted secrets management.

## Ad-Hoc Commands

`ansible <hosts> -m ping` — Test connectivity to hosts.

```bash
ansible all -m ping
```

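`ansible <hosts> -a '<command>'` — Run a command on remote hosts. Without `-m`, the `command` module runs it, so pipes and redirects are not interpreted; the `shell` module is needed for those.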

```bash
ansible webservers -a 'uptime'
```

`ansible <hosts> -m <module> -a '<args>'` — Run a module with arguments.

```bash
ansible webservers -m apt -a 'name=nginx state=present' -b
```

`ansible <hosts> -m copy -a 'src=<src> dest=<dest>'` — Copy a file to remote hosts.

```bash
ansible all -m copy -a 'src=config.conf dest=/etc/app/config.conf' -b
```

`ansible <hosts> -m service -a 'name=<svc> state=restarted'` — Restart a service on remote hosts.

```bash
ansible webservers -m service -a 'name=nginx state=restarted' -b
```

`ansible <hosts> -b -a '<command>'` — Run a command with privilege escalation (become, sudo by default).

```bash
ansible all -b -a 'apt update'
```

## Playbooks

`ansible-playbook <playbook>` — Run a playbook.

```bash
ansible-playbook site.yml
```

`ansible-playbook <playbook> -i <inventory>` — Run with a specific inventory file.

```bash
ansible-playbook deploy.yml -i production/hosts
```

`ansible-playbook <playbook> --check` — Dry run: show what would change without applying.

```bash
ansible-playbook site.yml --check
```

`ansible-playbook <playbook> --diff` — Show file differences when making changes.

```bash
ansible-playbook site.yml --diff
```

`ansible-playbook <playbook> -l <hosts>` — Limit execution to specific hosts.

```bash
ansible-playbook site.yml -l webserver01
```

`ansible-playbook <playbook> -t <tags>` — Run only tasks with specific tags.

```bash
ansible-playbook site.yml -t nginx,deploy
```

`ansible-playbook <playbook> -e '<key>=<value>'` — Pass extra variables.

```bash
ansible-playbook deploy.yml -e 'version=2.0 env=production'
```

## Inventory

`ansible-inventory --list` — Show the full inventory in JSON format.

```bash
ansible-inventory --list -i hosts.yml
```

`ansible-inventory --graph` — Show inventory as a tree graph.

```bash
ansible-inventory --graph
```

`ansible <hosts> --list-hosts` — List which hosts match a pattern.

```bash
ansible webservers --list-hosts
```

`ansible-playbook <playbook> --list-tasks` — List all tasks in a playbook.

```bash
ansible-playbook site.yml --list-tasks
```

`ansible-playbook <playbook> --list-tags` — List all tags in a playbook.

```bash
ansible-playbook site.yml --list-tags
```

## Galaxy & Roles

`ansible-galaxy init <role>` — Create a new role directory structure.

```bash
ansible-galaxy init my-role
```

`ansible-galaxy install <role>` — Install a role from Ansible Galaxy.

```bash
ansible-galaxy install geerlingguy.docker
```

`ansible-galaxy install -r requirements.yml` — Install roles from a requirements file.

```bash
ansible-galaxy install -r requirements.yml
```

`ansible-galaxy collection install <collection>` — Install an Ansible collection.

```bash
ansible-galaxy collection install community.docker
```

`ansible-galaxy list` — List installed roles.

```bash
ansible-galaxy list
```

## Vault (Secrets)

`ansible-vault create <file>` — Create a new encrypted file.

```bash
ansible-vault create secrets.yml
```

`ansible-vault edit <file>` — Edit an encrypted file.

```bash
ansible-vault edit secrets.yml
```

`ansible-vault encrypt <file>` — Encrypt an existing file.

```bash
ansible-vault encrypt vars/passwords.yml
```

`ansible-vault decrypt <file>` — Decrypt an encrypted file in place, leaving the plaintext on disk.

```bash
ansible-vault decrypt secrets.yml
```

`ansible-vault view <file>` — View the contents of an encrypted file without writing the decrypted text to disk.

```bash
ansible-vault view secrets.yml
```

`ansible-playbook <playbook> --ask-vault-pass` — Run playbook and prompt for vault password.

```bash
ansible-playbook site.yml --ask-vault-pass
```

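`ansible-vault encrypt_string '<string>' --name '<var>'` — Encrypt a single string for use in YAML. A secret passed as an argument is recorded in shell history and is visible in the process list while the command runs.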

```bash
ansible-vault encrypt_string 'mysecret' --name 'db_password'
```

## Debugging & Config

`ansible-playbook <playbook> -v` — Run with verbose output (-v, -vv, -vvv, -vvvv).

```bash
ansible-playbook site.yml -vvv
```

`ansible-config dump` — Show all configuration settings.

```bash
ansible-config dump --only-changed
```

`ansible-doc <module>` — Show documentation for a module.

```bash
ansible-doc ansible.builtin.apt
```

`ansible-doc -l` — List all available modules.

```bash
ansible-doc -l | grep docker
```

`ansible-playbook <playbook> --syntax-check` — Check playbook syntax without running.

```bash
ansible-playbook site.yml --syntax-check
```

`ansible-playbook <playbook> --step` — Run playbook step by step with confirmation.

```bash
ansible-playbook site.yml --step
```

## Conclusion

The same toolbox covers both worlds: quick ad-hoc fixes and reproducible playbooks versioned in YAML – idempotent, so running them repeatedly converges on the same target state. For risky changes, dry-run with `--check` and `--diff` before you apply for real, because ad-hoc `shell` or `command` calls and `state=absent` take effect immediately and irreversibly. Keep secrets only in files or values encrypted with `ansible-vault` – never in plaintext in a Git repository – and reach for `-b`/`--become` solely where you genuinely need root privileges.

## Further Reading

- [Ansible documentation](https://docs.ansible.com/) – official reference for playbooks, modules and inventory
- [Ansible Vault – encrypting secrets](https://docs.ansible.com/ansible/latest/vault_guide/index.html) – official guide to managing secrets securely
- [Ansible (software)](https://en.wikipedia.org/wiki/Ansible_(software)) – background and context on the English Wikipedia

## Related Commands

- [aws](https://www.jpkc.com/db/en/cheatsheets/cloud-iac/aws/) – command-line client for Amazon Web Services resources
- [terraform](https://www.jpkc.com/db/en/cheatsheets/cloud-iac/terraform/) – declarative infrastructure as code across providers

