linux

How to properly implement Ansible over SSH?

Sobsno subject.
Input:
- My work PC with Ansible installed on it. For the user ' user1 ', under which I work, using ssh-keygen, a key pair was generated (without a passphrase) - id_rsa and id_rsa.pub . - The public key id_rsa.pub has been forwarded
to servers that have the same user 'user1' (part of the sudoers group) . - As a result - authentication " ssh 192.168.1.* " passes through the keys (no password required). I run it on my working PC: pong comes. I go further, I want to update all servers at once by the type of distribution - deb / rpm. Designated them in /etc/ansible/hosts:

ansible all -m ping

[deb:children]
vms
fileservers
[rpm:children]
gateway

For deb I create a playbook "upgrade-deb-servers.yml" with the following content:

---
- hosts: deb
  sudo: true
  tasks:
  - name: update packages
    apt: update_cache=yes
  - name: upgrade packages
    apt: upgrade=dist

I try to run:

ansible-playbook upgrade-deb-server.yml
PLAY [deb] ******************************************************************** 

GATHERING FACTS *************************************************************** 
fatal: [192.168.1.230] => Missing sudo password
fatal: [192.168.1.231] => Missing sudo password
fatal: [192.168.1.232] => Missing sudo password
fatal: [192.168.1.222] => Missing sudo password

Logically, it asks for a password. I add the -K switch (aka --ask-sudo-pass, asks for a password for the root of the remote machine):
ansible-playbook -K upgrade-deb-server.yml
Asks for a password, enter:

sudo password: 
PLAY [deb] ******************************************************************** 
GATHERING FACTS *************************************************************** 
ok: [192.168.1.230]
ok: [192.168.1.232]
ok: [192.168.1.231]
fatal: [192.168.1.222] => Incorrect sudo password
...
192.168.1.222              : ok=0    changed=0    unreachable=1    failed=0   
192.168.1.230              : ok=3    changed=0    unreachable=0    failed=0   
192.168.1.231              : ok=3    changed=0    unreachable=0    failed=0   
192.168.1.232              : ok=3    changed=0    unreachable=0    failed=0

Already better, but on 192.168.1.222 I have a different password, so the entered password does not work.
Question:

1. What about a host with a different sudo password? (Run a playbook for it separately? Or is it still possible to somehow process it in one playbook in conjunction with the rest of the hosts?)
   
2. What is the correct way to implement Ansible over SSH from a security/convenience point of view?
   
3. Did I understand correctly that only private / public keys generated without a passphrase via ssh-keygen are suitable for Ansible to work?
   
4. По идеи, я могу сгенерировать пару ключей для root и раскидать их на сервера, но ведь с точки зрения безопасности за это можно дать себе и по рукам?