From 9cc82874a1b45ab2e75f38096c9f37c7d5a406f3 Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer
Date: Sun, 14 Apr 2024 21:30:38 +0200
Subject: Code fixes
---
patch.yaml | 58 +++++++++++++++++++++-----------------
roles/patch_debian/tasks/main.yaml | 4 ---
roles/patch_redhat/tasks/main.yaml | 4 ---
roles/patch_suse/tasks/main.yaml | 6 ----
4 files changed, 32 insertions(+), 40 deletions(-)
diff --git a/patch.yaml b/patch.yaml
index 3ab323d..2ed2ea5 100644
--- a/patch.yaml
+++ b/patch.yaml
@@ -1,51 +1,57 @@ --- # You may want to change the default to your favourite host (group) you run this on the most. -- hosts: "{{ rthosts | default('CHANGE_ME') }}" - order: inventory +- name: Arrange Inventory + hosts: "{{ rthosts | default('CHANGE_ME') }}" + # Change: "inventory" now became "default". "inventory" is being frowned upon by ansible-lint. + # (At least until "default" behaviour changes again in the future, I assume :-) ) + order: default gather_facts: false # default: all in first step, but that shit requires (int) serial: 666 tasks: - - name: Gather necessary facts - ansible.builtin.setup: - filter: "ansible_distribution*" - - name: Group hosts by distribution file variety - group_by: - # We choose to lowercase anything here as there should be no collisions but - # SUSE could be "SuSE" or "SUSE" (assumed and unverified, but you never know...) - key: "adfv_{{ ansible_distribution_file_variety | lower | default('none') }}" + - name: Gather necessary facts + ansible.builtin.setup: + filter: "ansible_distribution*" + - name: Group hosts by distribution file variety + ansible.builtin.group_by: + # We choose to lowercase anything here as there should be no collisions but + # SUSE could be "SuSE" or "SUSE" (assumed and unverified, but you never know...) 
+ key: "adfv_{{ ansible_distribution_file_variety | lower | default('none') }}" tags: - - all -- hosts: adfv_debian - order: inventory + - always +- name: Trigger Debian patching role on Debian hosts + hosts: adfv_debian + order: default gather_facts: false # default: all in first step, but that shit requires (int) serial: 666 tasks: - - name: Debian Patches - ansible.builtin.import_role: - name: "patch_debian" + - name: Debian Patches + ansible.builtin.import_role: + name: "patch_debian" tags: - debian -- hosts: adfv_redhat - order: inventory +- name: Trigger Red Hat patching role on Red Hat hosts + hosts: adfv_redhat + order: default gather_facts: false # default: all in first step, but that shit requires (int) serial: 666 tasks: - - name: Red Hat Patches - ansible.builtin.import_role: - name: "patch_redhat" + - name: Red Hat Patches + ansible.builtin.import_role: + name: "patch_redhat" tags: - redhat -- hosts: adfv_suse - order: inventory +- name: Trigger SUSE patching role on SUSE hosts + hosts: adfv_suse + order: default gather_facts: false # default: all in first step, but that shit requires (int) serial: 666 tasks: - - name: SUSE Patches - ansible.builtin.import_role: - name: "patch_suse" + - name: SUSE Patches + ansible.builtin.import_role: + name: "patch_suse" tags: - suse diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml index fab61ab..9d96a4e 100644 --- a/roles/patch_debian/tasks/main.yaml +++ b/roles/patch_debian/tasks/main.yaml @@ -55,10 +55,6 @@ ansible.builtin.stat: path: /usr/sbin/needrestart register: nrex - ignore_errors: "yes" - no_log: true - failed_when: false - changed_when: false - name: Check for outdated kernel ansible.builtin.command: /usr/sbin/needrestart -pk register: kernout diff --git a/roles/patch_redhat/tasks/main.yaml b/roles/patch_redhat/tasks/main.yaml index 45d9e18..7f200e7 100644 --- a/roles/patch_redhat/tasks/main.yaml +++ b/roles/patch_redhat/tasks/main.yaml 
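Review bot: `order: default` on all four plays in patch.yaml may not be a value ansible-core accepts: the play keyword is documented with `inventory`, `reverse_inventory`, `sorted`, `reverse_sorted` and `shuffle`, and as far as I know an unrecognised value aborts the run with an invalid-order error, which for a patch playbook means no host gets updated. Inventory order is what you get when the key is absent, so dropping `order:` from each play should satisfy ansible-lint without relying on that value; please confirm against the ansible-core version in use. Separately, in the `group_by` key the `default('none')` comes after `lower`, so it probably never applies to an undefined fact; `{{ ansible_distribution_file_variety | default('none') | lower }}` would give the fallback its intended effect.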
@@ -28,9 +28,6 @@ ansible.builtin.stat: path: /usr/bin/rkhunter register: rkhex - ignore_errors: true - no_log: true - changed_when: false - name: RKhunter pre-check ansible.builtin.command: rkhunter -c --sk --rwo --ns become: true @@ -61,7 +58,6 @@ # "yum needs-restarting still works on RHEL 8, and "needs-restarting" is obsolete # On major releases >= 9 you may want to create an alternative for symlinking yum to dnf ansible.builtin.command: yum needs-restarting -r - ignore_errors: "yes" register: nr changed_when: false failed_when: false diff --git a/roles/patch_suse/tasks/main.yaml b/roles/patch_suse/tasks/main.yaml index cd5a4c5..db15d75 100644 --- a/roles/patch_suse/tasks/main.yaml +++ b/roles/patch_suse/tasks/main.yaml @@ -8,12 +8,6 @@ ansible.builtin.stat: path: /usr/bin/rkhunter register: rkhex - ignore_errors: true - no_log: true - # yum always tosses this arbitrary extra line at you, a simple tr -s does not eradicate it, so - well, - # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible. - changed_when: false - notify: "rkhunter execution" - name: Update zypper cache (SUSE) # we cannot cheat like we did with yum: we need to update any package to refresh the cache with the zypper module. Hence falling back # to shell. -- cgit v1.2.3