authormail_redacted_for_web 2024-05-05 14:46:51 +0200
committermail_redacted_for_web 2024-05-05 14:46:51 +0200
commit4f0b5cb177f98c7f1d80504f94eeba94f721d2de (patch)
tree0cc13128f0ac6301c969a328908b74eb3f003344 /roles/patch_debian
Initial commit after port
This is a ported collection of my patch playbooks + roles. Before, they were living inside an "all things ansible" repository. The history is not important because, shortly before porting, the code had been revamped (before, it employed changes for host selection, which worked, but changes are not intended for that).
Diffstat (limited to 'roles/patch_debian')
-rw-r--r--roles/patch_debian/tasks/main.yaml99
1 files changed, 99 insertions, 0 deletions
diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml
new file mode 100644
index 0000000..9d96a4e
--- /dev/null
+++ b/roles/patch_debian/tasks/main.yaml
@@ -0,0 +1,99 @@
+---
+- name: "Check whether OS is a Debian derivative"
+ ansible.builtin.assert:
+ that:
+ - ansible_distribution_file_variety == 'Debian'
+ no_log: true
+- name: Update repository cache
+ ansible.builtin.apt:
+ update_cache: "yes"
+ become: true
+- name: Check for upgrades
+ ansible.builtin.shell:
+ cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l
+ # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W
+ register: aue
+ # apt will throw an error because it doesn't like piping yet.
+ # for our purposes, however, everything has already been sufficiently implemented.
+ failed_when: false
+ #changed_when: aue.stdout|int > 0
+ changed_when: false
+- block:
+ - name: Check for existence of rkhunter
+ ansible.builtin.stat:
+ path: /usr/bin/rkhunter
+ register: rkhex
+ ignore_errors: true
+ no_log: true
+ changed_when: false
+ - name: RKhunter pre-check
+ ansible.builtin.command: rkhunter -c --sk --rwo --ns
+ become: true
+ no_log: true
+ changed_when: false
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable|bool == True
+ - name: Clean packages cache
+ ansible.builtin.command: apt clean
+ changed_when: true
+ become: true
+ - name: Upgrade packages (Debian)
+ ansible.builtin.apt:
+ upgrade: dist
+ become: true
+ - name: Remove dependencies that are no longer required
+ ansible.builtin.apt:
+ autoremove: "yes"
+ purge: "yes"
+ become: true
+ name: Update and RKhunter checks
+ when: aue.stdout|int > 0
+- block:
+ - name: Check for existence of needrestart
+ ansible.builtin.stat:
+ path: /usr/sbin/needrestart
+ register: nrex
+ - name: Check for outdated kernel
+ ansible.builtin.command: /usr/sbin/needrestart -pk
+ register: kernout
+ changed_when: false
+ # failed_when necessary to not fail on RC 1 instead of a true failure
+ failed_when: kernout.rc > 2
+ - name: Check for outdated services
+ ansible.builtin.command: /usr/sbin/needrestart -pl
+ register: svcout
+ changed_when: false
+ # failed_when necessary to not fail on RC 1 instead of a true failure
+ failed_when: svcout.rc > 2
+ become: true
+ name: Check reboot requirement
+ when:
+ - nrex.stat is defined
+ - nrex.stat.exists == true
+ - nrex.stat.executable|bool == True
+- name: Clean apt cache
+ # ansible's apt module does not have a dedicated action for this yet. So shell it is:
+ ansible.builtin.command: apt clean
+ changed_when: false
+ become: true
+ # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well)
+- name: RKhunter properties update
+ ansible.builtin.command: rkhunter --propupd --rwo --ns
+ become: true
+ changed_when: true
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable|bool == True
+- name: Reboot if required
+ # ignore_errors: yes
+ ansible.builtin.reboot:
+ reboot_timeout: 300
+ pre_reboot_delay: 5
+ test_command: uptime
+ reboot_command: "/bin/systemctl reboot"
+ become: true
+ when: ( kernout.rc is defined and kernout.rc|int == 1 ) or ( svcout.rc is defined and svcout.r|int == 1 ) or
+ ( kernout.rc is not defined and svcout.rc is not defined )
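Review bot: The reboot condition on the last two lines references `svcout.r`, which is never registered (the task registers `svcout`, and the code reads `.rc` everywhere else), so whenever the kernel clause is false and `svcout` is defined the conditional should fail with an undefined-attribute error instead of evaluating, and the "outdated services" path never triggers a reboot. The third clause of the same condition reboots every host on which needrestart is absent on every run, regardless of whether any package was upgraded, because the needrestart block earlier in the hunk is the only thing that defines `kernout`/`svcout` and it is gated on needrestart's existence only. I would change the two lines to `when: ( kernout.rc is defined and kernout.rc|int == 1 ) or ( svcout.rc is defined and svcout.rc|int == 1 ) or` / `( kernout.rc is not defined and svcout.rc is not defined and aue.stdout|int > 0 )`, assuming a reboot on hosts without needrestart is only wanted after an upgrade actually happened. Separately, `no_log: true` on the "RKhunter pre-check" task hides the warnings that make that command return non-zero, so an operator whose play stops there cannot see what rkhunter flagged without rerunning it by hand; dropping `no_log` on that task (its output contains no secrets) keeps the detection signal visible in the play log.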