# Ad-Hoc

## 1. Run Ad-Hoc

### 1.1. List servers in group

In [None]:
ansible group_debian --list

### 1.2. Work with module

```bash
$ ansible <group1, group2, ..., groupn | all> -m <module> -a "command string"
```

For example:
```bash
$ ansible all -m shell -a "ps aux"
```

## 2. Modules

### 2.1. Ping

> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ping_module.html

In [None]:
ansible group_debian1 -m ping

### 1.2. Run remote command

#### 1.2.1. Raw

> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/raw_module.html

In [None]:
ansible group_debian1 -m raw -a "ps aux"

### 1.3. Software repository

#### 1.3.1. Yum

> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/yum_module.html
> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/yum_repository_module.html

- **`yum` module**
    - `allow_downgrade`: `no`(default) or `yes`. Specify if the named package and version is allowed to downgrade a maybe already installed higher version of that package. Note that setting allow_downgrade=True can make this module behave in a non-idempotent way. The task could end up with a set of packages that does not match the complete list of specified packages to install (because dependencies between the downgraded package and others can cause changes to the packages which were in the earlier transaction)
    - `autoremove`: `no`(default) or `yes`. If `yes`, removes all "leaf" packages from the system that were originally installed as dependencies of user-installed packages but which are no longer required by any such package. Should be used alone or when state is absent
    - `bugfix`：Default: "no". If set to yes, and `state=latest` then only installs updates that have been marked bugfix related.
    - `conf_file`: The remote yum configuration file to use for the transaction
    - `disable_excludes`: Disable the excludes defined in YUM config files. If set to `all`, disables all excludes. If set to `main`, disable excludes defined in `[main]` in yum.conf. If set to `repoid`, disable excludes defined for given repo id
    - `disable_gpg_check`: `no`(default) or `yes`. Whether to disable the GPG checking of signatures of packages being installed. Has an effect only if state is present or latest
    - `disable_plugin`: Plugin name to disable for the install/update operation. The disabled plugins will not persist beyond the transaction
    - `disablerepo`: Repoid of repositories to disable for the install/update operation. These repos will not persist beyond the transaction. When specifying multiple repos, separate them with a ","
    - `download_dir`: Specifies an alternate directory to store packages. Has an effect only if download_only is specified
    - `download_only`: `no`(default) or `yes`. Only download the packages, do not install them
    - `enable_plugin`: Plugin name to enable for the install/update operation. The enabled plugin will not persist beyond the transaction
    - `enablerepo`: Repoid of repositories to enable for the install/update operation. These repos will not persist beyond the transaction. When specifying multiple repos, separate them with a ","
    - `exclude`: Package name(s) to exclude when `state=present`, or `latest`
    - `install_repoquery`: `no` or `yes`(default). If repoquery is not available, install `yum-utils`. If the system is registered to RHN or an RHN Satellite, repoquery allows for querying all channels assigned to the system. It is also required to use the 'list' parameter. 
    > - NOTE: This will run and be logged as a separate yum transation which takes place before any other installation or removal
    > - NOTE: This will use the system's default enabled repositories without regard for disablerepo/enablerepo given to the module
    - `install_weak_deps`: `no` or `yes`(default). Will also install all packages linked by a weak dependency relation
    > - NOTE: This feature requires yum >= 4 (RHEL/CentOS 8+)
    - `installroot`: Default: "/". Specifies an alternative installroot, relative to which all packages will be installed
    - `list`: Package name to run the equivalent of yum list `--show-duplicates <package>` against. In addition to listing packages, use can also list the following: installed, updates, available and repos. This parameter is mutually exclusive with name
    - `lock_timeout`: Default: 30. Amount of time to wait for the yum lockfile to be freed
    - `name`: A package name or package specifier with version, like `name-1.0`. If a previous version is specified, the task also needs to turn allow_downgrade on. See the allow_downgrade documentation for caveats with downgrading packages. When using `state=latest`, this can be '*' which means `run yum -y update`. You can also pass a url or a local path to a rpm file (using state=present). To operate on several packages this can accept a comma separated string of packages or (as of 2.0) a list of packages.
    > - aliases: `pkg`
    - `releasever`: Specifies an alternative release from which all packages will be installed
    - `security`: `no`(default) or `yes`. If set to yes, and state=latest then only installs updates that have been marked security related
    - `skip_broken`: `no`(default) or `yes`. Skip packages with broken dependencies(devsolve) and are causing problems
    - `state`: `absent`, `installed`, `latest`, `present` or `removed`. Whether to install (`present` or `installed`, `latest`), or remove (`absent` or `removed`) a package. `present` and `installed` will simply ensure that a desired package is installed. `latest` will update the specified package if it's not of the latest available version. `absent` and `removed `will remove the specified package. Default is `None`, however in effect the default action is present unless the `autoremove` option is enabled for this module, then `absent` is inferred.
    - `update_cache`: `no`(default) or `yes`. Force yum to check if cache is out of date and redownload if needed. Has an effect only if state is present or latest
    > - aliases: `expire-cache`
    - `update_only`: `no`(default) or `yes`. When using latest, only update installed packages. Do not install packages. Has an effect only if state is latest
    - `use_backend`: `auto`(default), `yum`, `yum4` or `dnf`. This module supports yum (as it always has), this is known as yum3/YUM3/yum-deprecated by upstream yum developers. As of Ansible 2.7+, this module also supports YUM4, which is the "new yum" and it has an dnf backend. By default, this module will select the backend based on the `ansible_pkg_mgr` fact.
    - `validate_certs`: `no` or `yes`(default). This only applies if using a https url as the source of the rpm. e.g. for localinstall. If set to no, the SSL certificates will not be validated. This should only set to no used on personally controlled sites using self-signed certificates as it avoids verifying the source site. Prior to 2.1 the code worked as if this was set to yes.


- **`yum_repository` module**
    - `async`: `no` or `yes`(default). If set to `yes` Yum will download packages and metadata from this repo in parallel, if possible.
    - `attributes`: The attributes the resulting file or directory should have. To get supported flags look at the man page for `chattr` on the target system. This string should contain the attributes in the same order as the one displayed by `lsattr`. The `=` operator is assumed as default, otherwise `+` or `-` operators need to be included in the string
    > - aliases: `attr`
    - `bandwidth`: Default: `0`. Maximum available network bandwidth in bytes/second. Used with the `throttle` option. If `throttle` is a percentage and bandwidth is `0` then bandwidth throttling will be disabled. If `throttle` is expressed as a data rate (bytes/sec) then this option is ignored. Default is `0` (no bandwidth throttling)
    - `baseurl`: URL to the directory where the yum repository's 'repodata' directory lives. It can also be a list of multiple URLs. This, the metalink or mirrorlist parameters are required if state is set to `present`
    - `cost`: Default: `1000`. Relative cost of accessing this repository. Useful for weighing one repo's packages as greater/less than any other
    - `deltarpm_metadata_percentage`: Default: `100`. When the relative size of deltarpm metadata vs pkgs is larger than this, deltarpm metadata is not downloaded from the repo. Note that you can give values over `100`, so `200` means that the metadata is required to be half the size of the packages. Use `0` to turn off this check, and always download metadata.
    - `deltarpm_percentage`: Default: `75`. When the relative size of delta vs pkg is larger than this, delta is not used. Use 0 to turn off delta rpm processing. Local repositories (with `file://baseurl`) have delta rpms turned off by default.
    - `description`: A human readable string describing the repository. This option corresponds to the "name" property in the repo file. This parameter is only required if state is set to `present`
    - `enabled`: `no` or `yes`(default). This tells yum whether or not use this repository
    - `enablegroups`: `no` or `yes`(default). Determines whether yum will allow the use of package groups for this repository
    - `exclude`: List of packages to exclude from updates or installs. This should be a space separated list. Shell globs using wildcards (eg. `*` and `?`) are allowed. The list can also be a regular YAML array
    - `failovermethod`: `roundrobin`(default) or `priority`. `roundrobin` randomly selects a URL out of the list of URLs to start with and proceeds through each of them as it encounters a failure contacting the host. `priority` starts from the first baseurl listed and reads through them sequentially
    - `file`: File name without the `.repo` extension to save the repo in. Defaults to the value of `name`
    - `gpgcakey`: A URL pointing to the ASCII-armored CA key file for the repository
    - `gpgcheck`: `no` or `yes`. Tells yum whether or not it should perform a GPG signature check on packages. No default setting. If the value is not set, the system setting from `/etc/yum.conf` or system default of `no` will be used
    - `gpgkey`: A URL pointing to the ASCII-armored GPG key file for the repository. It can also be a list of multiple URLs.
    - `group`: Name of the group that should own the file/directory, as would be fed to chown
    - `http_caching`: `all`(default), `packages` or `none`. Determines how upstream HTTP caches are instructed to handle any HTTP downloads that Yum does. `all` means that all HTTP downloads should be cached. `packages` means that only RPM package downloads should be cached (but not repository metadata downloads). `none` means that no HTTP downloads should be cached
    - `include`: Include external configuration file. Both, local path and URL is supported. Configuration file will be inserted at the position of the `include=line`. Included files may contain further include lines. Yum will abort with an error if an inclusion loop is detected
    - `includepkgs`: List of packages you want to only use from a repository. This should be a space separated list. Shell globs using wildcards (eg. `*` and `?`) are allowed. Substitution variables (e.g. `$releasever`) are honored here. The list can also be a regular YAML array
    - `ip_resolve`: `4`, `6`, `IPv4`, `IPv6` or `whatever`(default). Determines how yum resolves host names
        - `4` or `IPv4`: resolve to IPv4 addresses only
        - `6` or `IPv6`: resolve to IPv6 addresses only
    - `keepalive`: `no`(default) or `yes`. This tells yum whether or not HTTP/1.1 keepalive should be used with this repository. This can improve transfer speeds by using one connection when downloading multiple files from a repository
    - `keepcache`: `0` or `1`(default). Either `1` or `0`. Determines whether or not yum keeps the cache of headers and packages after successful installation
    - `metadata_expire`: Default: `21600`. Time (in seconds) after which the metadata will expire. Default value is 6 hours
    - `metadata_expire_filter`: `never`, `read-only:past`, `read-only:present`(default) or `read-only:future`. Filter the metadata_expire time, allowing a trade of speed for accuracy if a command doesn't require it. Each yum command can specify that it requires a certain level of timeliness quality from the remote repos. from "I'm about to install/upgrade, so this better be current" to "Anything that's available is good enough"
        - `never`: Nothing is filtered, always obey metadata_expire
        - `read-only:past`: Commands that only care about past information are filtered from metadata expiring. Eg. `yum history info` (if history needs to lookup anything about a previous transaction, then by definition the remote package was available in the past)
        - `read-only:present`: Commands that are balanced between past and future. Eg. `yum list yum`
        - `read-only:future`: Commands that are likely to result in running other commands which will require the latest metadata. Eg.` yum check-update`
        > - Note that this option does not override "yum clean expire-cache".
    - `metalink`: Specifies a URL to a metalink file for the `repomd.xml`, a list of mirrors for the entire repository are generated by converting the mirrors for the repomd.xml file to a baseurl. This, the `baseurl` or `mirrorlist` parameters are required if state is set to present
    - `mirrorlist`: Specifies a URL to a file containing a list of baseurls. This, the `baseurl` or `metalink` parameters are required if state is set to `present`
    - `mirrorlist_expire`: Default: `21600`. Time (in seconds) after which the mirrorlist locally cached will expire. Default value is 6 hours
    - `mode`: The permissions the resulting file or directory should have. For those used to `/usr/bin/chmod` remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like `0644` or `01777`) or quote it (like `'644'` or `'1777'`) so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, `u+rwx` or `u=rw,g=r,o=r`) 
    - `name`: Unique repository ID. This option builds the section name of the repository in the repo file. This parameter is only required if state is set to present or absent
    - `owner`: Name of the user that should own the file/directory, as would be fed to chown
    - `password`: Password to use with the username for basic authentication
    - `priority`: Default: `99`. Enforce ordered protection of repositories. The value is an integer from `1` to `99`. This option only works if the YUM Priorities plugin is installed
    - `protect`: `no`(default) or `yes`. Protect packages from updates from other repositories
    - `proxy`: URL to the proxy server that yum should use. Set to `_none_` to disable the global proxy setting
    - `proxy_password`: Password for this proxy
    - `proxy_username`: Username to use for proxy
    - `repo_gpgcheck`: `no`(default) or `yes`. This tells yum whether or not it should perform a GPG signature check on the repodata from this repository
    - `reposdir`: Default: `"/etc/yum.repos.d"`. Directory where the `.repo` files will be stored
    - `retries`: Default: 10. Set the number of times any attempt to retrieve a file should retry before returning an error. Setting this to 0 makes yum try forever
    - `s3_enabled`: `no`(default) or `yes`. Enables support for S3 repositories. This option only works if the YUM S3 plugin is installed
    - `selevel`: The level part of the SELinux file context. This is the MLS/MCS attribute, sometimes known as the range. When set to `_default`, it will use the level portion of the policy if available
    - `serole`: The role part of the SELinux file context. When set to `_default`, it will use the role portion of the policy if available
    - `setype`: The type part of the SELinux file context. When set to `_default`, it will use the type portion of the policy if available
    - `seuser`: The user part of the SELinux file context. By default it uses the system policy, where applicable. When set to `_default`, it will use the user portion of the policy if available.
    - `skip_if_unavailable`: no(default) or `yes`. If set to `yes` yum will continue running if this repository cannot be contacted for any reason. This should be set carefully as all repos are consulted for any given command
    - `ssl_check_cert_permissions`: `no`(default) or `yes`. Whether yum should check the permissions on the paths for the certificates on the repository (both remote and local). If we can't read any of the files then yum will force `skip_if_unavailable` to be yes. This is most useful for non-root processes which use yum on repos that have client cert files which are readable only by root
    - `sslcacert`: Path to the directory containing the databases of the certificate authorities yum should use to verify SSL certificates
    > - aliases: `ca_cert`
    - `sslclientcert`: Path to the SSL client certificate yum should use to connect to `repos/remote` sites
    > - aliases: `client_cert`
    - `sslclientkey`: Path to the SSL client key yum should use to connect to `repos/remote` sites
    > - aliases: `client_key`
    - `sslverify`: `no` or `yes`(default). Defines whether yum should verify SSL `certificates/hosts` at all
    > - aliases: `validate_certs`
    - `state`: `absent` or `present`(default). State of the repo file
    - `throttle`: Enable bandwidth throttling for downloads. This option can be expressed as a absolute data rate in bytes/sec. An SI prefix (k, M or G) may be appended to the bandwidth value
    - `timeout`: Default: `30`. Number of seconds to wait for a connection before timing out
    - `ui_repoid_vars`: Default: `"releasever basearch"`. When a repository id is displayed, append these yum variables to the string if they are used in the baseurl/etc. Variables are appended in the order listed (and found)
    - `unsafe_writes`: `no`(default) or `yes`. Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target file. By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target files, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted files, which cannot be updated atomically from inside the container and can only be written in an unsafe manner.
This option allows Ansible to fall back to unsafe methods of updating files when atomic operations fail (however, it doesn't force Ansible to perform unsafe writes).
    > - **IMPORTANT!** Unsafe writes are subject to race conditions and can lead to data corruption
    - `username`: Username to use for basic authentication to a repo or really any url

##### 1.2.1.1. Install software

In [None]:
# do apt update and install 'htop' package
ansible group_centos1_vault -m yum \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='epel-release' \
        state='present' \
        use_backend='dnf'";
        
ansible group_centos1_vault -m yum \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='htop' \
        state='present' \
        update_cache='yes' \
        use_backend='dnf'";

# Remove htop
ansible group_centos1_vault -m yum \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='htop' \
        state='absent' \
        use_backend='dnf'";

##### 1.3.1.2. Set yum repository and install software

In [None]:
# uninstall legacy docker package
ansible group_centos1_vault -m yum \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -e "{ names: ['docker', 'docker-engine', 'docker.io'] }" \
    -a "name={{ names }} \
        autoremove='yes' \
        state='absent' \
        use_backend='dnf'";
        
# Install dependencies
ansible group_centos1_vault -m yum \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -e "{ names: ['yum-utils', 'device-mapper-persistent-data', 'lvm2'] }" \
    -a "name={{ names }} \
        state='present' \
        use_backend='dnf'";
        
# Download 'repo' file from source site
ansible group_centos1_vault -m get_url \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "url='https://download.docker.com/linux/centos/docker-ce.repo' \
        dest='/etc/yum.repos.d/docker-ce.repo' \
        timeout=20";
        
# Replace source site to mirror site
ansible group_centos1_vault -m raw \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo";
    
# do yum makecache and install docker-ce package
ansible group_centos1_vault -m yum \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='docker-ce' \
        update_cache='yes' \
        state='present' \
        use_backend='dnf'";

#### 1.3.2. Apt

> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_key_module.html
> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_repository_module.html


- **`apt` module:**
    - `allow_unauthenticated`: `no`(default) or `yes`. Ignore if packages cannot be authenticated. This is useful for bootstrapping environments that manage their own `apt-key` setup. allow_unauthenticated is only supported with `state`: `install`/`present`
    - `autoclean`: `no`(default) or `yes`. If yes, cleans the local repository of retrieved package files that can no longer be downloaded
    - `autoremove`: `no`(default) or `yes`. If yes, remove unused dependency packages for all module states except build-dep. It can also be used as the only option. Previous to version 2.4, autoclean was also an alias for autoremove, now it is its own separate command. See documentation for further information
    - `cache_valid_time`: Default: 0. Update the apt cache if its older than the cache_valid_time. This option is set in seconds. As of Ansible 2.4, if explicitly set, this sets `update_cache=yes`
    - `deb`: Path to a `.deb` package on the remote machine. If :// in the path, ansible will attempt to download deb before installing. Requires the xz-utils package to extract the control file of the deb package to install
    - `default_release`: Corresponds to the `-t` option for `apt` and sets pin priorities
    - `dpkg_options`: Default: "force-confdef,force-confold". Add dpkg options to apt command. Defaults to `-o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold"`. Options should be supplied as comma separated list
    - `force`: `no`(default) or  `yes`. Corresponds to the `--force-yes` to `apt-get` and implies `allow_unauthenticated: yes`. This option will disable checking both the packages' signatures and the certificates of the web servers they are downloaded from. This option *is not* the equivalent of passing the -f flag to apt-get on the command line. **This is a destructive operation with the potential to destroy your system, and it should almost never be used.** Please also see man apt-get for more information
    - `force_apt_get`: `no`(default) or `yes`. Force usage of `apt-get` instead of aptitude
    - `install_recommends`: `no` or `yes`. Corresponds to the --no-install-recommends option for apt. yes installs recommended packages. no does not install recommended packages. By default, Ansible will use the same defaults as the operating system. Suggested packages are never installed. *aliases: `install-recommends`*
    - `name`: A list of package names, like foo, or package specifier with version, like `foo=1.0`. Name wildcards (fnmatch) like apt  and version wildcards like foo=1.0 are also supported. *aliases: `package`, `pkg`*
    - `only_upgrade`: `no`(default) or `yes`. Only upgrade a package if it is already installed
    - `policy_rc_d`: Force the exit code of `/usr/sbin/policy-rc.d`. For example, if `policy_rc_d=101` the installed package will not trigger a service start. If `/usr/sbin/policy-rc.d` already exist, it is backed up and restored after the package installation. If `null`, the `/usr/sbin/policy-rc.d` isn't created/changed
    - `purge`: `no`(default) or `yes`. Will force purging of configuration files if the module state is set to absent
    - `state`: `absent`, `build-dep`, `latest`, `present`(default) or `fixed`. Indicates the desired package state. `latest` ensures that the latest version is installed. `build-dep` ensures the package build dependencies are installed. `fixed` attempt to correct a system with broken dependencies in place
    - `update_cache`: `no`(default) or `yes`. Run the equivalent of `apt-get` update before the operation. Can be run as part of the package installation or as a separate step
    - `update_cache_retries`: Default: 5. Amount of retries if the cache update fails. Also see `update_cache_retry_max_delay`
    - `update_cache_retry_max_delay`: Default: 12. Use an exponential backoff delay for each retry (see `update_cache_retries`) up to this max delay in seconds.
    - `upgrade`: `dist`, `full`, `no`(default), `safe` or `yes`. If `yes` or `safe`, performs an aptitude safe-upgrade. If `full`, performs an aptitude full-upgrade. If `dist`, performs an `apt-get dist-upgrade`. Note: This does not upgrade a specific package, use `state=latest` for that


- **`apt_key` module:**
    - `data`: The keyfile contents to add to the keyring
    - `file`: The path to a keyfile on the remote server to add to the keyring
    - `id`: The identifier of the key. Including this allows check mode to correctly report the changed state. If specifying a subkey's id be aware that apt-key does not understand how to remove keys via a subkey id. Specify the primary key's id instead. This parameter is required when state is set to absent.
    - `keyring`: The full path to specific keyring file in `/etc/apt/trusted.gpg.d/`
    - `keyserver`: The keyserver to retrieve key from
    - `state`: `absent` or `present`(default), Ensures that the key is present (added) or absent (revoked)
    - `url`: The URL to retrieve key from
    - `validate_certs`: `no` or `yes`. If no, SSL certificates for the target url will not be validated. This should only be used on personally controlled sites using self-signed certificates


- **`apt_repository` module:**
    - `codename`: Override the distribution codename to use for PPA repositories. Should usually only be set when working with a PPA on a non-Ubuntu target (e.g. Debian or Mint)
    - `filename`: Sets the name of the source list file in `sources.list.d`. Defaults to a file name based on the repository source url. The `.list` extension will be automatically added.
    - `mode`: Default: "0644". The octal mode for newly created files in `sources.list.d`
    - `repo`: A source string for the repository
    - `state`: `absent`(remove) or `present`(default, add), A source string state
    - `update_cache`: `no` or `yes`(default), Run the equivalent of apt-get update when a change occurs. Cache updates are run after making changes
    - `update_cache_retries`: Default: 5, Amount of retries if the cache update fails. Also see `update_cache_retry_max_delay`
    - `update_cache_retry_max_delay`: Default: 12, Use an exponential backoff delay for each retry (see `update_cache_retries`) up to this max delay in seconds
    - `validate_certs`: `no` or `yes`(default), If `no`, SSL certificates for the target repo will not be validated. This should only be used on personally controlled sites using self-signed certificates.

##### 1.3.2.1. Install software

In [None]:
# do apt update and install 'htop' package
ansible group_debian1_vault -m apt \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='htop' \
        install_recommends=true \
        state='present' \
        update_cache='yes'";
        
# uninstall 'htop' package
ansible group_debian1_vault -m apt \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='htop' \
        purge='yes' \
        state='absent'";

##### 1.3.2.2. Set apt repository and install software

In [None]:
# uninstall legacy docker package
ansible group_debian1_vault -m apt \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -e "{ names: ['docker', 'docker-engine', 'docker.io'] }" \
    -a "name={{ names }} \
        purge='yes' \
        autoremove='yes' \
        autoclean='yes' \
        state='absent'";

# Add GPG public-key
ansible group_debian1_vault -m apt_key \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "url='https://download.docker.com/linux/debian/gpg' \
        state='present'";

# Add apt repository
ansible group_debian1_vault -m apt_repository \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "repo='deb [arch=amd64] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian buster stable' \
        state='present'";
        
# do apt update and install 'docker' package
ansible group_debian1_vault -m apt \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='docker-ce' \
        install_recommends=true \
        state='present' \
        update_cache='yes'";

##### 1.3.2.3. Misc

In [None]:
# apt update
ansible group_debian1_vault -m apt \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "update_cache='yes'";

# apt upgrade
ansible group_debian1_vault -m apt \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='*' \
        state='latest'";

# apt autoremove 
ansible group_debian1_vault -m apt \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "autoremove='yes' \
        purge='yes'";

### 1.4. Template

- Arguments
    - `src`: template file in current machine
    - `dest`: target file in remote server
    - `owner`: owner of target file
    - `mode`: mode of target file, canbe numbers (like `0644`) or letters (like `u=rw,g=r,o=r`), see also `chmod` command
    - `backup`: `ture` if create backup file if file content is changed

In [None]:
# Run template module
ansible group_debian1 -m template \
    -a "src='./test_template.txt' \
        dest='~/test_template.txt' \
        owner='alvin' \
        mode='u=rw,g=r,o=r' \
        backup='yes'" \
    --extra-vars "dynamic_name=Alvin";

# Show generated files on remote server
ansible group_debian1 -m raw -a "ls -al ~/test_template*";

# Show content of lastest generated file
ansible group_debian1 -a "cat ~/test_template.txt";

# remove all generated files on remote server
ansible group_debian1 -m raw -a "rm ~/test_template*";

### 1.5. Copy

- `src`: The source file on local machine, can be file or directory
- `content`: The content will be copied
- `dest`: The remote server to copied file
- `directory_mode`: The permission mode of remote directory
- `force`: Always copy file to target even file exist when value is 'yes'
- other arguments: all arguments for `file` module can use for this module, see `file` module

#### 1.5.1. Copy file

In [None]:
# Use copy module
ansible group_debian1 -m copy -a "src='./ansible.cfg' dest='~/' force='yes'";

# Show copied file on remote server
ansible group_debian1 -m raw -a "ls -al ~/ansible.*";

# Remove copied files
ansible group_debian1 -m raw -a "rm ~/ansible.*";

#### 1.5.2. Copy files in folder

In [None]:
# Use copy module
ansible group_debian1 -m copy -a "src='./hosts/' dest='~/target' force='yes'";

# Show copied folders
ansible group_debian1 -m raw -a "ls -al ~/target";

# Remove copied files
ansible group_debian1 -m raw -a "rm -rf ~/target*";

#### 1.5.3. Copy folder

In [None]:
# Use copy module
ansible group_debian1 -m copy -a "src='./hosts' dest='~/target' force='yes'";

# Show copied folders
ansible group_debian1 -m raw -a "ls -al ~/target";
ansible group_debian1 -m raw -a "ls -al ~/target/hosts";

# Remove copied files
ansible group_debian1 -m raw -a "rm -rf ~/target*";

#### 1.5.4. Copy content

In [None]:
# Use copy module
ansible group_debian1 -m copy -a "content='Hello World' dest='~/target.txt' force='yes'";

# Show copied folders
ansible group_debian1 -m raw -a "cat ~/target.txt";

# Remove copied files
ansible group_debian1 -m raw -a "rm target.txt";

### 1.6. User and Group

#### 1.6.1. User

- `home`: Home folder of user
- `groups`: Groups of user
- `uid`: Id of user
- `password`: Password of user, password cannot be plaintext, it need hashed by sha512
- `name`: User name
- `createhome`：`yes` if create home directory
- `system`: `yes` if a system user
- `remove`: `yes` if delete user home directory when `state = absent`
- `state`: Create (`statue=present`) or remove (`state=absent`) user
- `shell`: Which shell for this user
- `generate_ssh_key`: `yes` if create ssh key for this user
- `ssh_key_bits`: Length (bits) of ssh key
- `ssh_key_passphrase`: Phrase password of ssh key
- `ssh_key_file`: File name to save ssh key
- `ssh_key_type`: Type of ssh key

In [None]:
# Add and modify user: if user exist, then modify this user by new arguments
ansible group_debian1_vault -m user \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='test' \
        password='{{ 'test'|password_hash('sha512') }}' \
        append='yes' \
        createhome='yes' \
        shell='/bin/bash' \
        generate_ssh_key='yes' \
        groups='sudo,root' \
        state='present'";
        
# Show user and password (hashed) on remote server
ansible group_debian1_vault -m raw \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "cat /etc/shadow" | grep 'test';
    
# Allow sudo for new user
ansible group_debian1_vault -m copy \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "content='alvin ALL=(ALL:ALL) ALL\n' \
        dest='/etc/sudoers.d/alvin' \
        force='yes' \
        mode='u=r,g=r'";
        
# Copy ssh public key from current machine to remove server
ansible group_debian1_vault -m authorized_key \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "user='test' \
        key='{{ lookup('file', '~/.ssh/id_rsa.pub') }}' \
        state='present'";
        
# Delete user
ansible group_debian1_vault -m user \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "user='test' \
        remove='yes' \
        state='absent'";

#### 1.6.2. Group

- `gid`：Id of group
- `name`: Name of group
- `state`: State of group, `present` or `absent`
- `system`: `yes` if a system group

In [None]:
# Create a group
ansible group_debian1_vault -m group \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='test' \
        state='present'";
        
# Remove a group
ansible group_debian1_vault -m group \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='test' \
        state='absent'";

### 1.7. Service

- `arguments`: Arguments for commandline
- `enabled`: `yes` if start server when user login
- `name`: Name of service
- `runlevel`: Level of service
- `sleep`: If `state` is `restarted`, the delay seconds between `stop` and `start`
- `state`: State of service, value can be: `started`, `stopped`, `restarted`, `reloaded`

In [None]:
# Stop service
ansible group_debian1_vault -m service \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='sshd' state='stopped'";
    
# Start service
ansible group_debian1_vault -m service \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "name='sshd' state='started'";

### 1.8. Get url

- `sha256sum`: sha256 checksum
- `timeout`: Timeout second of download
- `url`: Url of download file
- `url_password`, `url_username`: Password and username of download request
- `dest`: Filename to save download file, if just path name, use default filename
- `headers`: Headers of download request, use `key1: value1, key2: value2` form

In [None]:
# Download file
ansible group_debian1 -m get_url \
    -a "url='https://www.learningcontainer.com/download/sample-text-file/?wpdmdl=1669&refresh=5f918bb1200901603374001' \
        dest='~/test.txt' \
        timeout=20";
        
# Validate download file
ansible group_debian1 -m raw -a "cat ~/test.txt";
    
# Delete downloaded file
ansible group_debian1 -m raw -a "rm ~/test.txt";

### 1.9. Fetch

- `src`: Source file on remote service
- `dest`: Backup folder on local machine
- `flat`: `yes` if do not create full pathname like `<machine>/<full path>/<file>`, only transfer file to dest folder

In [None]:
# Fetch remote file
ansible group_debian1 -m fetch \
    -a "src='/home/alvin/.bashrc' \
        dest='~/ansible_backup/' \
        flat='yes'";
    
# Show backup file content
cat ~/ansible_backup/.bashrc;

# Delete fetched file
rm -rf ~/ansible_backup;

### 1.10. File

- `force`: `yes` means whatever file link exist, if symbol is exist, delete old symbol and create new one
- `group`: Define the group of file or directory
- `mode`: Define permissions of file or directory
- `owner`: Define the owner of file or directory
- `path`: Fullpath of file or directory to operate
- `recurse`: Properties of recursive Settings files, valid only for directories
- `src`: Source file to linked, only if `state=link`
- `dest`: Target symbol of linked file, only if `state=link`
- `state`: 
    - `directory`: Create if directory not exist
    - `file`: Default value, do operate to file, but never create new file
    - `link`: Create soft file link
    - `hard`: Create hard file link
    - `touch`: Create new empty file, if file exist, update create time
    - `absent`: Delete file, unlink file or delete directory

#### 1.10.1. Create file

In [None]:
# Create empty file (use touch)
ansible group_debian1 -m file \
    -a "path='/home/alvin/test.txt' \
        mode='0644' \
        state='touch'";
        
# Check created file
ansible group_debian1 -m raw -a "ls -al /home/alvin/test.*";
    
# Touch file again, and modify file mode
ansible group_debian1 -m file \
    -a "path='/home/alvin/test.txt' \
        mode='u+rw,g-gw,o-gw' \
        state='touch'";
        
# Check created file again
ansible group_debian1 -m raw -a "ls -al /home/alvin/test.*";     

# Modify access time and modification time
ansible group_debian1 -m file \
    -a "path='/home/alvin/test.txt' \
        modification_time='now' \
        access_time='202010010000.0'";

# Check created file again
ansible group_debian1 -m raw -a "ls -al /home/alvin/test.*";

#### 1.10.2. Change file mode

In [None]:
# Change file owner, group and permission
ansible group_debian1_vault -m file \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -a "path='/home/alvin/test.txt' \
        owner='root' \
        group='root' \
        mode='0644'";
        
# Check file
ansible group_debian1 -m raw -a "ls -al /home/alvin/test.*";

#### 1.10.3. Make file link

In [None]:
# Create soft file link
ansible group_debian1 -m file \
    -a "src='/home/alvin/test.txt' \
        dest='/home/alvin/test-slink.txt' \
        owner='alvin' \
        group='alvin' \
        state='link'";

# Create hard file link
ansible group_debian1 -m file \
    -a "src='/home/alvin/test.txt' \
        dest='/home/alvin/test-hlink.txt' \
        owner='alvin' \
        group='alvin' \
        state='link'";

# Set source file content
ansible group_debian1 -m copy \
    -a "content='Hello World' \
        dest='/home/alvin/test.txt' \
        force='yes'";

# Check file link
ansible group_debian1 -m raw -a "cat /home/alvin/test-slink.txt";
    
# Check file link
ansible group_debian1 -m raw -a "cat /home/alvin/test-hlink.txt";

#### 1.10.4. Create and delete directory

In [None]:
# Create directory
ansible group_debian1 -m file \
    -a "path='/home/alvin/test_dir' \
        mode='0755' \
        state='directory'";
        
# Delete directory
ansible group_debian1 -m file \
    -a "path='/home/alvin/test_dir' \
        state='absent'";

#### 1.10.5. Delete file

In [None]:
# Delete file
ansible group_debian1 -m file \
    -a "path='/home/alvin/test.txt' \
        state='absent'";

# Delete soft link
ansible group_debian1 -m file \
    -a "path='/home/alvin/test-slink.txt' \
        state='absent'";

# Delete hard link
ansible group_debian1 -m file \
    -a "path='/home/alvin/test-hlink.txt' \
        state='absent'";

### 1.11. Pip

- `chdir`: The folder to run pip
- `name`: The python package name to be installed
- `requirements`: The `requirement.txt` file on remote server
- `version`: Version of python package to be installed
- `extra_args`: Extra arguents for pip command
- `executable`: Path of the executable `pip` command
- `virtualenv`: Path to create virtualenv
- `virtualenv_command`: Command to create virtualenv
- `virtualenv_python`：Which python to create virtualenv
- `state`：
    - `present`: Default value, install package
    - `lastest`: Install the lastest version of package
    - `absent`: Uninstall package
    - `forcereinstall`: force to reinstall, delete exist package and install new one

#### 1.11.1. Install pip and pip config

In [None]:
# Install dependency of python3 pip
ansible group_debian1_vault -m apt \
    -b --vault-id=vault-id --extra-vars "@password.yml"  \
    -e "{ names: ['python3-venv', 'python3-pip'] }" \
    -a "name={{ names }} \
        state='present' \
        update_cache='yes' \
        autoclean='yes' \
        autoremove='yes'";

# Create .pip directory at user home
ansible group_debian1 -m file \
    -a "path='~/.pip' \
        state='directory'";

# Copy pip.conf to remote server
ansible group_debian1 -m template \
    -a "src='./pip/pip.conf' \
        dest='~/.pip/pip.conf'";

# Install virtualenv package to python
ansible group_debian1 -m pip \
    -a "name='virtualenv' \
        state='present'";

#### 1.11.2. Create virtualenv and install package

In [None]:
# Create python project folder
ansible group_debian1 -m file \
    -a "path='~/test_pip' \
        state='directory'";

# Create virtualenv py 'venv' python module and install 'wheel' package
ansible group_debian1 -m pip \
    -a "chdir='~/test_pip' \
        name='wheel' \
        virtualenv='.venv' \
        virtualenv_command='python3 -m venv' \
        state='present'";

# Remove 'wheel' package from virtualenv
ansible group_debian1 -m pip \
    -a "chdir='~/test_pip' \
        name='wheel' \
        virtualenv='.venv' \
        state='absent'";

#### 1.11.3. Create virtualenv and install package by requirements.txt

In [None]:
# Copy 'requirements.txt' to remote server
ansible group_debian1 -m template \
    -a "src='./pip/requirements.txt' \
        dest='~/test_pip/requirements.txt'";

# Install packages from 'requirements.txt'
ansible group_debian1 -m pip \
    -a "chdir='~/test_pip' \
        requirements='requirements.txt' \
        virtualenv='.venv' \
        virtualenv_command='python3 -m venv' \
        state='present'";