Initial commit after portHEADmaster

This is a ported collection of my patch playbooks + roles. Before,
they were living inside an "all things ansible" repository. The
history is not important as shortly before porting, the code
had been revamped (before, it employed changes for host selection
which worked but changes are not intended for that).

1 files changed, 99 insertions, 0 deletions

diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml
new file mode 100644
index 0000000..9d96a4e
--- /dev/null
+++ b/roles/patch_debian/tasks/main.yaml
@@ -0,0 +1,99 @@
+---
+- name: "Check whether OS is a Debian derivative"
+  ansible.builtin.assert:
+    that:
+      - ansible_distribution_file_variety == 'Debian'
+  no_log: true
+- name: Update repository cache
+  ansible.builtin.apt:
+    update_cache: "yes"
+  become: true
+- name: Check for upgrades
+  ansible.builtin.shell:
+    cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l
+  # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W
+  register: aue
+  # apt will throw an error because it doesn't like piping yet.
+  # for our purposes, however, everything has already been sufficiently implemented.
+  failed_when: false
+  #changed_when: aue.stdout|int > 0
+  changed_when: false
+- block:
+    - name: Check for existence of rkhunter
+      ansible.builtin.stat:
+        path: /usr/bin/rkhunter
+      register: rkhex
+      ignore_errors: true
+      no_log: true
+      changed_when: false
+    - name: RKhunter pre-check
+      ansible.builtin.command: rkhunter -c --sk --rwo --ns
+      become: true
+      no_log: true
+      changed_when: false
+      when:
+        - rkhex.stat is defined
+        - rkhex.stat.executable is defined
+        - rkhex.stat.executable|bool == True
+    - name: Clean packages cache
+      ansible.builtin.command: apt clean
+      changed_when: true
+      become: true
+    - name: Upgrade packages (Debian)
+      ansible.builtin.apt:
+        upgrade: dist
+      become: true
+    - name: Remove dependencies that are no longer required
+      ansible.builtin.apt:
+        autoremove: "yes"
+        purge: "yes"
+      become: true
+  name: Update and RKhunter checks
+  when: aue.stdout|int > 0
+- block:
+    - name: Check for existence of needrestart
+      ansible.builtin.stat:
+        path: /usr/sbin/needrestart
+      register: nrex
+    - name: Check for outdated kernel
+      ansible.builtin.command: /usr/sbin/needrestart -pk
+      register: kernout
+      changed_when: false
+      # failed_when necessary to not fail on RC 1 instead of a true failure
+      failed_when: kernout.rc > 2
+    - name: Check for outdated services
+      ansible.builtin.command: /usr/sbin/needrestart -pl
+      register: svcout
+      changed_when: false
+      # failed_when necessary to not fail on RC 1 instead of a true failure
+      failed_when: svcout.rc > 2
+  become: true
+  name: Check reboot requirement
+  when:
+    - nrex.stat is defined
+    - nrex.stat.exists == true
+    - nrex.stat.executable|bool == True
+- name: Clean apt cache
+  # ansible's apt module does not have a dedicated action for this yet. So shell it is:
+  ansible.builtin.command: apt clean
+  changed_when: false
+  become: true
+  # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well)
+- name: RKhunter properties update
+  ansible.builtin.command: rkhunter --propupd --rwo --ns
+  become: true
+  changed_when: true
+  when:
+    - rkhex.stat is defined
+    - rkhex.stat.executable is defined
+    - rkhex.stat.executable|bool == True
+- name: Reboot if required
+  # ignore_errors: yes
+  ansible.builtin.reboot:
+    reboot_timeout: 300
+    pre_reboot_delay: 5
+    test_command: uptime
+    reboot_command: "/bin/systemctl reboot"
+  become: true
+  when: ( kernout.rc is defined and kernout.rc|int == 1 ) or ( svcout.rc is defined and svcout.r|int == 1 ) or
+        ( kernout.rc is not defined and svcout.rc is not defined )