validating generated config files in Ansible

2025-05-06 #ansible #sysadmin

I always forget where it goes, but it's just a validate attribute on ansible.builtin.template and ansible.builtin.copy.

- name: Copy in config file
  ansible.builtin.template:
    src: "knot.conf.j2"
    dest: "/etc/knot/knot.conf"
    owner: "root"
    group: "knot"
    mode: '0640'
    validate: "knotc -v -c '%s' conf-check"
  notify: "knot : restart"

Note that this will get passed the temporary path to the file that Ansible creates before moving it in to place, so you must use %s in the command to check the temporary file. If you don't, you'll get the wonderful bug I had of passing every check then immediately blowing up the service on restart.