authorHarald Pfeiffer <coding _ lirion.de> 2024-04-14 21:15:43 +0200
committerHarald Pfeiffer <coding _ lirion.de> 2024-04-14 21:15:43 +0200
commit8cec2e2eb5eb18ea037cbbc1a7931d7b15e0653e (patch)
tree7a5abadf052b5760b01d27a58249dd457e56f645
parent99dc7a1f74535a1068cd5d189442151fa0ffbd1d (diff)
Late commit: Red Hat role playbook
-rw-r--r--patch.yaml5
-rw-r--r--roles/patch_debian/tasks/main.yaml2
-rw-r--r--roles/patch_redhat/tasks/main.yaml95
3 files changed, 100 insertions, 2 deletions
diff --git a/patch.yaml b/patch.yaml
index b32e9b0..f78d79e 100644
--- a/patch.yaml
+++ b/patch.yaml
@@ -14,6 +14,8 @@
# We choose to lowercase anything here as there should be no collisions but
# SUSE could be "SuSE" or "SUSE" (assumed and unverified, but you never know...)
key: "adfv_{{ ansible_distribution_file_variety | lower | default('none') }}"
+ tags:
+ - all
- hosts: adfv_debian
order: inventory
gather_facts: false
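Review bot: The tag added to the grouping play is `all`, but `all` is a reserved tag name that only has meaning on the command line (`--tags all` is the default); unless I misread Ansible's tag handling it does not make the play run when a narrower selection such as `--tags debian` (the tag the next hunk introduces) is given, so the `adfv_*` groups would be empty and every later play would match no hosts. The tag that always runs a play regardless of `--tags` is `always`, so this should read `tags:` / `  - always`. The play this tag belongs to starts before the hunk, so whether the `key:` line is a group_by task is inferred from its name only.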
@@ -23,7 +25,8 @@
- name: Debian Patches
ansible.builtin.import_role:
name: "patch_debian"
- when: ansible_distribution_file_variety == "Debian"
+ tags:
+ - debian
- hosts: adfv_redhat
order: inventory
gather_facts: false
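Review bot: Dropping the `when: ansible_distribution_file_variety == "Debian"` guard makes the role import depend solely on `adfv_debian` group membership, which is only correct as long as that group is populated by the first play and never by static inventory. The new Red Hat role in this commit re-asserts the distribution as its first task; if `patch_debian` does not already do the same (its tasks file is only partly visible in this diff), a matching `ansible.builtin.assert` with `that: - ansible_distribution_file_variety == 'Debian'` at the top of the role would restore the check the play lost. Note also that with `gather_facts: false` the fact is only available here because the earlier play gathered it in the same run. The play continues past the end of the hunk.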
diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml
index 84bfa9a..fab61ab 100644
--- a/roles/patch_debian/tasks/main.yaml
+++ b/roles/patch_debian/tasks/main.yaml
@@ -86,7 +86,7 @@
- name: RKhunter properties update
ansible.builtin.command: rkhunter --propupd --rwo --ns
become: true
- changed_when: false
+ changed_when: true
when:
- rkhex.stat is defined
- rkhex.stat.executable is defined
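Review bot: `changed_when: true` is the honest value for `rkhunter --propupd`, since it rewrites the file-properties database on every invocation, but that also means the baseline is re-taken on every run even when no package was upgraded, so a file modified between two runs is accepted as legitimate without ever being reported. If the upgrade task earlier in this file registers its result (the rest of the tasks list is outside the hunk), gating this task on that result's `changed` flag would keep the baseline stable on no-op runs; the same applies to the identical task in the new `patch_redhat` role. A one-line comment such as `# re-baseline rkhunter only because packages were just upgraded` would make the intent explicit either way.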
diff --git a/roles/patch_redhat/tasks/main.yaml b/roles/patch_redhat/tasks/main.yaml
new file mode 100644
index 0000000..45d9e18
--- /dev/null
+++ b/roles/patch_redhat/tasks/main.yaml
@@ -0,0 +1,95 @@
+---
+- name: "Check whether OS is a Red Hat derivative"
+ ansible.builtin.assert:
+ that:
+ - ansible_distribution_file_variety == 'RedHat'
+ no_log: true
+- name: Update yum/dnf cache
+ # We want to see a dedicated failure if the repos cannot be fetched already.
+ # Cheating here: yum wants a "state" statement to be placed before it takes action, and then - other than stated in the docs -
+ # we can trigger an action containing update_cache without "name" being mandatory. So we will have no package present with
+ # updated cache :-)
+ ansible.builtin.yum:
+ state: present
+ update_cache: "yes"
+ validate_certs: "yes"
+ become: true
+- name: Check for upgrades (RHEL)
+ # yum check-upgrade would normally throw an RC 100 if updates are available.
+ # But through ansible: RC0! Weeeee
+ ansible.builtin.shell: /usr/bin/yum -q -C check-upgrade 2>/dev/null | wc -l
+ # args:
+ # warn: false
+ register: yue
+ changed_when: false
+ become: true
+- block:
+ - name: Check for existence of rkhunter
+ ansible.builtin.stat:
+ path: /usr/bin/rkhunter
+ register: rkhex
+ ignore_errors: true
+ no_log: true
+ changed_when: false
+ - name: RKhunter pre-check
+ ansible.builtin.command: rkhunter -c --sk --rwo --ns
+ become: true
+ no_log: true
+ changed_when: false
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable
+ - name: Upgrade all installed packages (RHEL)
+ ansible.builtin.yum:
+ name: '*'
+ state: latest
+ validate_certs: "yes"
+ skip_broken: "yes"
+ become: true
+ # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible.
+ # See ansible issue #60349. Leaving commented out. -- pff
+ # - name: Auto-removal of orphaned dependencies (RHEL)
+ # ansible.builtin.yum:
+ # autoremove: "yes"
+ name: Updates and RKhunter checks
+ # yum always tosses an arbitrary extra line at you, a simple tr -s does not eradicate it, so - well,
+ # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible.
+ when: yue.stdout|int > 1
+- block:
+ - name: Register requirement for reboot (RHEL)
+ # "yum needs-restarting still works on RHEL 8, and "needs-restarting" is obsolete
+ # On major releases >= 9 you may want to create an alternative for symlinking yum to dnf
+ ansible.builtin.command: yum needs-restarting -r
+ ignore_errors: "yes"
+ register: nr
+ changed_when: false
+ failed_when: false
+ become: true
+ name: Check reboot requirement
+- name: Clean packages cache (RHEL)
+ # ansible's yum module does not have a dedicated action for this. So shell it is.
+ # CAUTION: This will only work as long as modern RHEL derivatives (RHEL/CentOS >=8, Fedora >=30) will have yum available as pseudo-alias to dnf.
+ # Also, despite ansible's yum not offering this feature, ansible will warn that there is a yum module and we should consider using it. Turning warnings off.
+ #args:
+ # warn: false
+ ansible.builtin.command: yum clean packages
+ changed_when: true
+ become: true
+- name: RKhunter properties update
+ ansible.builtin.command: rkhunter --propupd --rwo --ns
+ become: true
+ changed_when: true
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable
+- name: Reboot if required
+ # ignore_errors: yes
+ ansible.builtin.reboot:
+ reboot_timeout: 300
+ pre_reboot_delay: 5
+ test_command: uptime
+ reboot_command: "/bin/systemctl reboot"
+ become: true
+ when: ( nr.rc is defined and nr.rc|int > 0 ) or ( nr.rc is not defined )
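Review bot: The reboot condition on the last line reboots the host whenever `needs-restarting` fails for any reason, not only when it reports a pending reboot: `nr.rc|int > 0` is also true when the binary is missing (yum-utils / dnf-plugins-core not installed) or on a transient error, and `nr.rc is not defined` covers the case where the check task was skipped. Tighten it to `when: nr.rc is defined and nr.rc | int == 1` (`needs-restarting -r` exits 1 only when a reboot is required) and let any other exit code fail the check task instead of masking it with both `ignore_errors` and `failed_when: false`. The same silent-failure shape is in "Check for upgrades (RHEL)": piping through `wc -l` replaces yum's exit status with wc's, so any yum error collapses to "0 lines" and the whole upgrade block is skipped without a trace; running yum through `ansible.builtin.command` and keying on its exit codes (0 nothing pending, 100 updates available, anything else an error) keeps failures visible, as sketched below. Separately, `no_log: true` on the rkhunter pre-check hides exactly the warnings an operator needs when that task fails, and the quoted `"yes"` values on the yum tasks should be plain `true`.
```yaml
- name: Check for upgrades (RHEL)
  # yum exits 0 when nothing is pending, 100 when updates are available;
  # any other code is an error and must not be read as "nothing to do".
  ansible.builtin.command: /usr/bin/yum -q -C check-upgrade
  register: yue
  changed_when: false
  failed_when: yue.rc not in [0, 100]
  become: true
# … unchanged: rkhunter existence check, pre-check and upgrade block …
  when: yue.rc == 100
```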