-rw-r--r--patch.yaml58
-rw-r--r--roles/patch_debian/tasks/main.yaml4
-rw-r--r--roles/patch_redhat/tasks/main.yaml4
-rw-r--r--roles/patch_suse/tasks/main.yaml6
4 files changed, 32 insertions, 40 deletions
diff --git a/patch.yaml b/patch.yaml
index 3ab323d..2ed2ea5 100644
--- a/patch.yaml
+++ b/patch.yaml
@@ -1,51 +1,57 @@
---
# You may want to change the default to your favourite host (group) you run this on the most.
-- hosts: "{{ rthosts | default('CHANGE_ME') }}"
- order: inventory
+- name: Arrange Inventory
+ hosts: "{{ rthosts | default('CHANGE_ME') }}"
+ # Change: "inventory" now became "default". "inventory" is being frowned upon by ansible-lint.
+ # (At least until "default" behaviour changes again in the future, I assume :-) )
+ order: default
gather_facts: false
# default: all in first step, but that shit requires (int)
serial: 666
tasks:
- - name: Gather necessary facts
- ansible.builtin.setup:
- filter: "ansible_distribution*"
- - name: Group hosts by distribution file variety
- group_by:
- # We choose to lowercase anything here as there should be no collisions but
- # SUSE could be "SuSE" or "SUSE" (assumed and unverified, but you never know...)
- key: "adfv_{{ ansible_distribution_file_variety | lower | default('none') }}"
+ - name: Gather necessary facts
+ ansible.builtin.setup:
+ filter: "ansible_distribution*"
+ - name: Group hosts by distribution file variety
+ ansible.builtin.group_by:
+ # We choose to lowercase anything here as there should be no collisions but
+ # SUSE could be "SuSE" or "SUSE" (assumed and unverified, but you never know...)
+ key: "adfv_{{ ansible_distribution_file_variety | lower | default('none') }}"
tags:
- - all
-- hosts: adfv_debian
- order: inventory
+ - always
+- name: Trigger Debian patching role on Debian hosts
+ hosts: adfv_debian
+ order: default
gather_facts: false
# default: all in first step, but that shit requires (int)
serial: 666
tasks:
- - name: Debian Patches
- ansible.builtin.import_role:
- name: "patch_debian"
+ - name: Debian Patches
+ ansible.builtin.import_role:
+ name: "patch_debian"
tags:
- debian
-- hosts: adfv_redhat
- order: inventory
+- name: Trigger Red Hat patching role on Red Hat hosts
+ hosts: adfv_redhat
+ order: default
gather_facts: false
# default: all in first step, but that shit requires (int)
serial: 666
tasks:
- - name: Red Hat Patches
- ansible.builtin.import_role:
- name: "patch_redhat"
+ - name: Red Hat Patches
+ ansible.builtin.import_role:
+ name: "patch_redhat"
tags:
- redhat
-- hosts: adfv_suse
- order: inventory
+- name: Trigger SUSE patching role on SUSE hosts
+ hosts: adfv_suse
+ order: default
gather_facts: false
# default: all in first step, but that shit requires (int)
serial: 666
tasks:
- - name: SUSE Patches
- ansible.builtin.import_role:
- name: "patch_suse"
+ - name: SUSE Patches
+ ansible.builtin.import_role:
+ name: "patch_suse"
tags:
- suse
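Review bot: In the `group_by` task, the re-added `key:` line applies `lower` before `default('none')`, so the fallback probably never takes effect: with Ansible's strict handling of undefined variables, `lower` on a missing `ansible_distribution_file_variety` is expected to fail the task before `default` is evaluated. Swapping the filters gives the intended behaviour, `key: "adfv_{{ ansible_distribution_file_variety | default('none') | lower }}"`. Separately, a host that ends up in `adfv_none` or any other variety matches none of the three patching plays in this file and is skipped without a message, which for a patch run means an unpatched host nobody is told about; a final play or an assert on the leftover groups would make that visible.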
diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml
index fab61ab..9d96a4e 100644
--- a/roles/patch_debian/tasks/main.yaml
+++ b/roles/patch_debian/tasks/main.yaml
@@ -55,10 +55,6 @@
ansible.builtin.stat:
path: /usr/sbin/needrestart
register: nrex
- ignore_errors: "yes"
- no_log: true
- failed_when: false
- changed_when: false
- name: Check for outdated kernel
ansible.builtin.command: /usr/sbin/needrestart -pk
register: kernout
diff --git a/roles/patch_redhat/tasks/main.yaml b/roles/patch_redhat/tasks/main.yaml
index 45d9e18..7f200e7 100644
--- a/roles/patch_redhat/tasks/main.yaml
+++ b/roles/patch_redhat/tasks/main.yaml
@@ -28,9 +28,6 @@
ansible.builtin.stat:
path: /usr/bin/rkhunter
register: rkhex
- ignore_errors: true
- no_log: true
- changed_when: false
- name: RKhunter pre-check
ansible.builtin.command: rkhunter -c --sk --rwo --ns
become: true
@@ -61,7 +58,6 @@
# "yum needs-restarting still works on RHEL 8, and "needs-restarting" is obsolete
# On major releases >= 9 you may want to create an alternative for symlinking yum to dnf
ansible.builtin.command: yum needs-restarting -r
- ignore_errors: "yes"
register: nr
changed_when: false
failed_when: false
diff --git a/roles/patch_suse/tasks/main.yaml b/roles/patch_suse/tasks/main.yaml
index cd5a4c5..db15d75 100644
--- a/roles/patch_suse/tasks/main.yaml
+++ b/roles/patch_suse/tasks/main.yaml
@@ -8,12 +8,6 @@
ansible.builtin.stat:
path: /usr/bin/rkhunter
register: rkhex
- ignore_errors: true
- no_log: true
- # yum always tosses this arbitrary extra line at you, a simple tr -s does not eradicate it, so - well,
- # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible.
- changed_when: false
- notify: "rkhunter execution"
- name: Update zypper cache (SUSE)
# we cannot cheat like we did with yum: we need to update any package to refresh the cache with the zypper module. Hence falling back
# to shell.