Variables and Templates

First PublishedFeb 16, 2026ByAtif Alam

Variables and Jinja2 templates make Ansible playbooks dynamic. Variables hold data; templates use that data to generate configuration files.

Defining Variables

In a Playbook

1
- name: Configure app
2
  hosts: webservers
3
  vars:
4
    app_port: 8080
5
    app_env: production
6
    db_host: db1.example.com
7

8
  tasks:
9
    - name: Deploy config
10
      template:
11
        src: app.conf.j2
12
        dest: /etc/app/config.yml

In Inventory (group_vars / host_vars)

1
app_port: 8080
2
app_env: production
3

4
# host_vars/web1.example.com.yml
5
app_port: 9090    # override for this specific host

In Role Defaults

1
app_port: 8080
2
app_env: development
3
app_log_level: info

On the Command Line

1
ansible-playbook site.yml -e "app_env=staging app_port=3000"
2
ansible-playbook site.yml -e @vars/staging.yml    # from a file

Variable Precedence

Ansible has 22 levels of precedence. The most important ones (lowest to highest):

Priority	Source
1 (lowest)	Role defaults (`defaults/main.yml`)
2	Inventory group vars
3	Inventory host vars
4	Playbook `group_vars/`
5	Playbook `host_vars/`
6	Playbook `vars:`
7	Role vars (`vars/main.yml`)
8	Task `vars:`
9	`set_fact` / `register`
10 (highest)	Extra vars (`-e` on command line)

Rule of thumb: Extra vars (-e) always win. Role defaults are always the easiest to override. Put variables users should change in defaults/; put internal constants in vars/.

Facts

Ansible automatically gathers facts about each host — OS, IP addresses, memory, disk, etc.

1
tasks:
2
  - name: Show OS info
3
    debug:
4
      msg: "{{ ansible_distribution }} {{ ansible_distribution_version }} ({{ ansible_os_family }})"
5
    # Output: "Ubuntu 22.04 (Debian)"
6

7
  - name: Show IP
8
    debug:
9
      msg: "{{ ansible_default_ipv4.address }}"

Common Facts

Fact	Example Value
`ansible_distribution`	Ubuntu, CentOS, Debian
`ansible_distribution_version`	22.04, 8.5
`ansible_os_family`	Debian, RedHat
`ansible_hostname`	web1
`ansible_fqdn`	web1.example.com
`ansible_default_ipv4.address`	10.0.1.5
`ansible_memtotal_mb`	8192
`ansible_processor_vcpus`	4

Viewing All Facts

1
ansible web1.example.com -m setup              # all facts
2
ansible web1.example.com -m setup -a "filter=ansible_distribution*"  # filtered

Disabling Fact Gathering

If you don’t need facts (speeds up execution):

1
- name: Quick task
2
  hosts: webservers
3
  gather_facts: false
4
  tasks:
5
    - name: Ping
6
      ping:

Custom Facts

Place a script or JSON/INI file in /etc/ansible/facts.d/ on the managed host:

1
[general]
2
app_version=2.1.0
3
environment=production

Access with ansible_local.app.general.app_version.

set_fact

Define variables dynamically during a play:

1
tasks:
2
  - name: Get app version
3
    command: /opt/myapp/bin/myapp --version
4
    register: version_output
5
    changed_when: false
6

7
  - name: Set version fact
8
    set_fact:
9
      app_version: "{{ version_output.stdout | trim }}"
10

11
  - name: Use the fact
12
    debug:
13
      msg: "Running version {{ app_version }}"

Jinja2 Templates

Templates are text files with Jinja2 expressions that get rendered with Ansible variables. They live in templates/ and typically end in .j2.

Basic Substitution

1
app:
2
  port: {{ app_port }}
3
  environment: {{ app_env }}
4
  database:
5
    host: {{ db_host }}
6
    port: {{ db_port | default(5432) }}
7
    name: {{ db_name }}

Conditionals

1
server {
2
    listen {{ nginx_port }};
3
    server_name {{ nginx_server_name }};
4

5
{% if ssl_enabled %}
6
    listen 443 ssl;
7
    ssl_certificate {{ ssl_cert_path }};
8
    ssl_certificate_key {{ ssl_key_path }};
9
{% endif %}
10

11
    location / {
12
        proxy_pass http://127.0.0.1:{{ app_port }};
13
    }
14
}

Loops

1
{% for host in app_servers %}
2
{{ hostvars[host].ansible_default_ipv4.address }}  {{ host }}
3
{% endfor %}

1
{% for key, value in env_vars.items() %}
2
{{ key }}={{ value }}
3
{% endfor %}

Comments

1
{# This is a Jinja2 comment — not included in output #}

Filters

Filters transform values using |:

String Filters

1
"{{ hostname | upper }}"              # WEB1
2
"{{ hostname | lower }}"              # web1
3
"{{ hostname | capitalize }}"         # Web1
4
"{{ path | basename }}"               # file.txt (from /etc/app/file.txt)
5
"{{ path | dirname }}"                # /etc/app
6
"{{ name | regex_replace('old', 'new') }}"

Default Values

1
"{{ db_port | default(5432) }}"                # use 5432 if db_port is undefined
2
"{{ optional_var | default(omit) }}"           # omit the parameter entirely if undefined
3
"{{ items | default([]) }}"                    # empty list as default

List/Dict Filters

1
"{{ my_list | join(', ') }}"                   # "a, b, c"
2
"{{ my_list | unique }}"                       # deduplicate
3
"{{ my_list | sort }}"                         # sort
4
"{{ my_list | length }}"                       # count
5
"{{ my_list | first }}"                        # first element
6
"{{ my_list | last }}"                         # last element
7
"{{ my_dict | dict2items }}"                   # convert dict to list of {key, value}
8
"{{ my_list | items2dict }}"                   # reverse
9
"{{ [list1, list2] | flatten }}"               # merge nested lists

Type Conversion

1
"{{ '8080' | int }}"                           # 8080 (integer)
2
"{{ 8080 | string }}"                          # "8080" (string)
3
"{{ 'true' | bool }}"                          # true (boolean)
4
"{{ my_dict | to_json }}"                      # JSON string
5
"{{ my_dict | to_yaml }}"                      # YAML string
6
"{{ json_string | from_json }}"                # parse JSON to dict

Hashing and Encoding

1
"{{ 'password' | password_hash('sha512') }}"   # hashed password for user module
2
"{{ content | b64encode }}"                     # base64 encode
3
"{{ encoded | b64decode }}"                     # base64 decode

Lookups

Lookups pull data from external sources on the control node:

1
# Read a file
2
"{{ lookup('file', '/path/to/local/file.txt') }}"
3

4
# Read an environment variable
5
"{{ lookup('env', 'HOME') }}"
6

7
# Read from a password store
8
"{{ lookup('password', '/tmp/passwordfile length=20') }}"
9

10
# Read lines from a file
11
"{{ lookup('lines', 'cat /etc/hosts') }}"
12

13
# Read a CSV file
14
"{{ lookup('csvfile', 'key1 file=data.csv delimiter=,') }}"

Lookups run on the control node, not on managed hosts. For remote data, use register with a task.

Key Takeaways

Extra vars (-e) always have highest precedence; role defaults/ have the lowest.
Facts provide system info automatically — OS, IPs, memory, CPU.
Use set_fact to create variables dynamically from task output.
Jinja2 templates support {{ variables }}, {% if %}, {% for %}, and filters.
Use | default(value) liberally to handle undefined variables gracefully.
Lookups pull data from the control node (files, env vars, passwords).
Prefer group_vars/ and host_vars/ files over inline variables for maintainability.