git.lirion.de

Of git, get, and gud

 AUTHORS   (new, mode 100644) |   5 +
 LICENSE   (new, mode 100644) | 165 +
 README.md (new, mode 100644) |   3 +
 patch.yml (new, mode 100644) | 211 +
 4 files changed, 384 insertions(+), 0 deletions(-)
diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 0000000..f3f4cd3
--- /dev/null
+++ b/AUTHORS
@@ -0,0 +1,5 @@
+Maintainers:
+ Harald Pfeiffer <coding@lirion.de>
+
+Contributors:
+ Harald Pfeiffer <coding@lirion.de>
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..0a04128
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,165 @@
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+ This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+ 0. Additional Definitions.
+
+ As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+ "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+ An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+ A "Combined Work" is a work produced by combining or linking an
+Application with the Library. The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+ The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+ The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+ 1. Exception to Section 3 of the GNU GPL.
+
+ You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+ 2. Conveying Modified Versions.
+
+ If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+ a) under this License, provided that you make a good faith effort to
+ ensure that, in the event an Application does not supply the
+ function or data, the facility still operates, and performs
+ whatever part of its purpose remains meaningful, or
+
+ b) under the GNU GPL, with none of the additional permissions of
+ this License applicable to that copy.
+
+ 3. Object Code Incorporating Material from Library Header Files.
+
+ The object code form of an Application may incorporate material from
+a header file that is part of the Library. You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+ a) Give prominent notice with each copy of the object code that the
+ Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the object code with a copy of the GNU GPL and this license
+ document.
+
+ 4. Combined Works.
+
+ You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+ a) Give prominent notice with each copy of the Combined Work that
+ the Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the Combined Work with a copy of the GNU GPL and this license
+ document.
+
+ c) For a Combined Work that displays copyright notices during
+ execution, include the copyright notice for the Library among
+ these notices, as well as a reference directing the user to the
+ copies of the GNU GPL and this license document.
+
+ d) Do one of the following:
+
+ 0) Convey the Minimal Corresponding Source under the terms of this
+ License, and the Corresponding Application Code in a form
+ suitable for, and under terms that permit, the user to
+ recombine or relink the Application with a modified version of
+ the Linked Version to produce a modified Combined Work, in the
+ manner specified by section 6 of the GNU GPL for conveying
+ Corresponding Source.
+
+ 1) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (a) uses at run time
+ a copy of the Library already present on the user's computer
+ system, and (b) will operate properly with a modified version
+ of the Library that is interface-compatible with the Linked
+ Version.
+
+ e) Provide Installation Information, but only if you would otherwise
+ be required to provide such information under section 6 of the
+ GNU GPL, and only to the extent that such information is
+ necessary to install and execute a modified version of the
+ Combined Work produced by recombining or relinking the
+ Application with a modified version of the Linked Version. (If
+ you use option 4d0, the Installation Information must accompany
+ the Minimal Corresponding Source and Corresponding Application
+ Code. If you use option 4d1, you must provide the Installation
+ Information in the manner specified by section 6 of the GNU GPL
+ for conveying Corresponding Source.)
+
+ 5. Combined Libraries.
+
+ You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+ a) Accompany the combined library with a copy of the same work based
+ on the Library, uncombined with any other library facilities,
+ conveyed under the terms of this License.
+
+ b) Give prominent notice with the combined library that part of it
+ is a work based on the Library, and explaining where to find the
+ accompanying uncombined form of the same work.
+
+ 6. Revised Versions of the GNU Lesser General Public License.
+
+ The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+ If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
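Review bot: the LICENSE file ships the LGPLv3 text on its own, but that text is only a set of additional permissions layered on GPLv3 (its opening paragraph: "incorporates the terms and conditions of version 3 of the GNU General Public License"), and sections 3b and 4b require that "a copy of the GNU GPL and this license document" accompany any distribution; the commit adds no GPLv3 text. Add the GPLv3 as a second file (the usual layout is COPYING for the GPL and COPYING.LESSER for this text) so the repository is self-contained. It would also help to state the licence and a copyright line for the project itself somewhere (README or a header in patch.yml), since this file only carries the FSF's notice for the licence document.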
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..96ee6f6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# Content
+
+Well, just some ansible stuff I intend to use for my own entertainment and/or work. For now.
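Review bot: the README does not say how the playbook is meant to be run, and patch.yml depends on it: `hosts` resolves to `runtime_hosts | default('CHANGE_ME')`, so without `-e runtime_hosts=<group>` the play targets a non-existent pattern, and every package, rkhunter and reboot handler uses `become: true`. One or two lines along the lines of `ansible-playbook patch.yml -e runtime_hosts=<group>` plus a warning that the play will reboot hosts that need it would save the next reader a trip through the YAML.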
diff --git a/patch.yml b/patch.yml
new file mode 100644
index 0000000..b377750
--- /dev/null
+++ b/patch.yml
@@ -0,0 +1,211 @@
+---
+# You may want to change the default to your favourite host (group) you run this on the most.
+- hosts: "{{ runtime_hosts | default('CHANGE_ME') }}"
+ order: inventory
+ gather_facts: false
+ # default: all in first step, but that shit requires (int)
+ serial: 666
+ tasks:
+ - name: Gather necessary facts
+ setup:
+ filter: "ansible_distribution*"
+ - name: Set up Red Hat and derivatives
+ debug:
+ msg: "System is {{ansible_distribution}}, checking in."
+ when: ansible_distribution_file_variety == "RedHat"
+ changed_when: true
+ notify: "redhat upd"
+ - name: Set up Debian and derivatives
+ debug:
+ msg: "System is {{ansible_distribution}}, checking in."
+ when: ansible_distribution_file_variety == "Debian"
+ changed_when: true
+ notify: "debian upd"
+ - name: Set up SUSE and derivatives
+ debug:
+ msg: "System is {{ansible_distribution}}, checking in."
+ # SuSE was "renamed" to SUSE somewhen around SLES 11 (now SLE :-} ), so we'll check for both. Even though generation 11
+ # repositories should be pretty ...deaddish by now.
+ when: ansible_distribution_file_variety == "SUSE" or ansible_distribution_file_variety == "SuSE"
+ changed_when: true
+ notify: "suse upd"
+ handlers:
+ - name: Update yum/dnf cache (RHEL)
+ # We want to see a dedicated failure if the repos cannot be fetched already.
+ # Cheating here: yum wants a "state" statement to be placed before it takes action, and then - other than stated in the docs -
+ # we can trigger an action containing update_cache without "name" being mandatory. So we will have no package present with
+ # updated cache :-)
+ yum:
+ state: present
+ update_cache: "yes"
+ validate_certs: "yes"
+ become: true
+ listen: "redhat upd"
+ - name: Update repository cache (Debian)
+ apt:
+ update_cache: yes
+ become: true
+ listen: "debian upd"
+ - name: Check for upgrades (RHEL)
+ # yum check-upgrade would normally throw an RC 100 if updates are available.
+ # But through ansible: RC0! Weeeee
+ shell: /usr/bin/yum -q -C check-upgrade 2>/dev/null | wc -l
+ args:
+ warn: false
+ register: yue
+ changed_when: yue.stdout|int > 1
+ become: true
+ listen: "redhat upd"
+ notify:
+ - "redhat updates available"
+ - "rkhunter"
+ - name: Check for upgrades (Debian)
+ shell:
+ cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l
+ # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W
+ register: aue
+ # apt will throw an error because it doesn't like piping yet.
+ # for our purposes, however, everything has already been sufficiently implemented.
+ failed_when: false
+ changed_when: aue.stdout|int > 0
+ notify:
+ - "debian updates available"
+ - "rkhunter"
+ listen: "debian upd"
+ - name: Check for existence of rkhunter
+ stat:
+ path: /usr/bin/rkhunter
+ register: rkhex
+ ignore_errors: true
+ no_log: true
+ # yum always tosses this arbitrary extra line at you, a simple tr -s does not eradicate it, so - well,
+ # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible.
+ listen: "rkhunter"
+ changed_when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable == true
+ notify: "rkhunter execution"
+ - name: rkhunter pre-check
+ shell: rkhunter -c --sk --rwo --ns
+ become: true
+ no_log: true
+ listen: "rkhunter execution"
+ - name: Upgrade all installed packages (RHEL)
+ yum:
+ name: '*'
+ state: latest
+ validate_certs: "yes"
+ skip_broken: "yes"
+ become: true
+ listen: "redhat updates available"
+ # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible.
+ # See ansible issue #60349. Leaving commented out. -- pff
+ # - name: Auto-removal of orphaned dependencies (RHEL)
+ # yum:
+ # autoremove: "yes"
+ # when: (ansible_distribution_file_variety == "RedHat") or (ansible_distribution == "Red Hat Enterprise Linux") or (ansible_distribution == "CentOS")
+ - name: Register requirement for reboot (RHEL)
+ command: needs-restarting -r
+ ignore_errors: "yes"
+ register: nr
+ changed_when: "nr.rc > 0"
+ failed_when: false
+ notify: "Reboot if required"
+ become: true
+ # we listen to "redhat upd" here in case a previous reboot was not executed. If undesired, change to "redhat updates available".
+ listen: "redhat upd"
+ - name: Clean packages cache (Debian)
+ command: apt clean
+ become: true
+ listen: "debian upd"
+ - name: Upgrade packages (Debian)
+ apt:
+ upgrade: dist
+ become: true
+ listen: "debian updates available"
+ - name: Remove dependencies that are no longer required (Debian)
+ apt:
+ autoremove: "yes"
+ purge: "yes"
+ become: true
+ # we listen to "debian upd" here in case a previous cleanup was skipped. Change to "debian updates available" if undesired.
+ listen: "debian upd"
+ - name: Check for existence of needrestart (Debian)
+ stat:
+ path: /usr/sbin/needrestart
+ register: nrex
+ ignore_errors: "yes"
+ no_log: true
+ failed_when: false
+ changed_when:
+ - nrex.stat.exists == true
+ - nrex.stat.executable == true
+ notify: "debian needrestart"
+ - name: Check for outdated kernel (Debian)
+ shell: /usr/sbin/needrestart -pk
+ register: kernout
+ when:
+ - nrex.stat.exists == true
+ - nrex.stat.executable == true
+ become: true
+ changed_when: "kernout.rc|int == 1"
+ listen: "debian needrestart"
+ notify: "Reboot if required"
+ # failed_when necessary to have a change for RC 1 instead of a failure
+ failed_when: kernout.rc > 1
+ - name: Update zypper cache (SUSE)
+ # we cannot cheat like we did with yum: we need to update any package to refresh the cache with the zypper module. Hence falling back
+ # to shell.
+ shell: |
+ zypper refs && zypper ref
+ become: true
+ listen: "suse upd"
+ - name: Update all packages (SUSE)
+ # we could narrow this down via type:patch, but that's about all. So fire away.
+ zypper:
+ name: '*'
+ state: latest
+ become: true
+ # TODO: suse not productive yet, so we choose an arbitrary listener here. Change to something meaningful when going to production.
+ listen: "bonkadonk"
+ - name: Register requirement for reboot (SUSE)
+ shell: zypper ps -sss
+ register: zyppout
+ changed_when: "zyppout.rc == 102"
+ notify: "Reboot if required"
+ # we listen to "suse upd" here in case a previous reboot was skipped. Change to "suse updates available" if undesired.
+ listen: "suse upd"
+ - name: Clean packages cache (RHEL)
+ # ansible's yum module does not have a dedicated action for this. So shell it is.
+ # CAUTION: This will only work as long as modern RHEL derivatives (RHEL/CentOS >=8, Fedora >=30) will have yum available as pseudo-alias to dnf.
+ # Also, despite yum not offering this feature, ansible will warn that there is a yum module and we should consider using it. Turning warnings off.
+ args:
+ warn: false
+ shell: yum clean packages
+ become: true
+ # we listen to "redhat upd" here in case a previous cleanup was skipped. Change to "redhat updates available" if undesired.
+ listen: "redhat upd"
+ - name: Clean apt cache (Debian)
+ # ansible's apt module does not have a dedicated action for this yet. So shell it is:
+ shell: apt clean
+ become: true
+ # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well)
+ listen: "debian updates available"
+ - name: Clean packages cache (SUSE)
+ # ansible's zypper module does not have a dedicated action for this yet. So shell it is:
+ shell: zypper clean
+ become: true
+ # we listen to "suse upd" here in case a previous cleanup was skipped. Change to "suse updates available" if undesired.
+ listen: "suse upd"
+ - name: rkhunter properties update
+ command: rkhunter --propupd --rwo --ns
+ become: true
+ listen: "rkhunter execution"
+ - name: Reboot if required
+ # ignore_errors: yes
+ reboot:
+ reboot_timeout: 300
+ pre_reboot_delay: 5
+ test_command: uptime
+ become: true
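Review bot: "Register requirement for reboot (SUSE)" will fail rather than report changed in exactly the case it is written for: it relies on `changed_when: "zyppout.rc == 102"` but has no `failed_when`, so the non-zero return code that signals a pending reboot fails the shell task before `changed_when` matters, and "Reboot if required" is never notified. Mirror the RHEL task and add `failed_when: zyppout.rc not in [0, 102]`. Smaller points in the same hunk: in "Check for upgrades (RHEL)" the comment blames Ansible for the RC 0, but the RC is that of `wc -l` because of the pipe (no `set -o pipefail`), and `check-update` is the spelling both yum and dnf accept while `check-upgrade` is a dnf-only alias, which matters given the RHEL 7 generation this play otherwise still handles; the comment "yum always tosses this arbitrary extra line at you" sits on the rkhunter `stat` task instead of the yum task it describes; "rkhunter pre-check" runs with `no_log: true` and no `failed_when`, so on any warning rkhunter exits non-zero, the host drops out of the run, and the finding that caused it is hidden, which defeats the purpose of a pre-upgrade integrity check (drop `no_log` there, register the output, and only let `rkhunter --propupd` rebaseline the properties database after the upgrade when the pre-check was clean); "Clean packages cache (Debian)" and "Clean apt cache (Debian)" both run `apt clean`, so one of them can go; and "Update all packages (SUSE)" listens on "bonkadonk", which nothing notifies, so the SUSE branch currently refreshes repositories and checks for a reboot without upgrading anything, as the TODO admits, but that is worth stating in the README too.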