To use secrets, encrypt them with Ansible Vault, then reference them in the playbook/inventory using Jinja2 syntax. For example, adding in a sudo password is as simple as:

user:~$ ansible-vault create passwd.yml
magicpony_sudo_password: secretpassword
 
user:~$ cat /etc/ansible/hosts
servers:
  hosts:
    magicpony:
      ansible_become_pass: "{{ magicpony_sudo_password }}"
 
user:~$ ansible-playbook --ask-vault-pass --extra-var '@passwd.yml' playbook.yml

This secret filestore can be edited or rekeyed with a different vault password:

user:~$ ansible-vault edit passwd.yml
user:~$ ansible-vault rekey passwd.yml

The desired Python interpreter may not be directly at /usr/bin/python3, but instead shimmed, e.g. using pyenv. The location of the interpreter needs to be set directly to the shimmed version:

user:~$ cat hosts.yml
servers:
  hosts:
    magicpony:
  vars:
    ansible_python_interpreter: "/home/justin/.pyenv/shims/python3"

The output of shell commands can be monitored, by assigning the output to a variable and using Python syntax for verifying the output:

user:~$ cat playbook.yml
...
  tasks:
    - name: "Load kernel module"
      become: true
      ansible.builtin.command: "insmod {{ dir_usbtmst4 }}/driver/usbtmst4.ko"
      register: result
      changed_when: "'File exists' not in result.stderr"
      failed_when: "'could not load module' in result.stderr"

Managed nodes with older OS releases may have Python 3.6 as the system Python, which is dropped as of ansible-core 2.17. Ansible core 2.16 in turn is only supported up to Ansible 9, and as of Nov 2024 the following applies:

pip install ansible==9.12.0 ansible-core==2.16.13