From fca01219755624b12fd9237dcb81102ee01dd45c Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer
Date: Sat, 18 Apr 2026 09:54:44 +0200
Subject: fix: fix logic
---
 roles/patch_debian/tasks/main.yaml | 21 ++++++---------------
 roles/patch_redhat/tasks/main.yaml | 5 +----
 2 files changed, 7 insertions(+), 19 deletions(-)
diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml
index 9d96a4e..485d60a 100644
--- a/roles/patch_debian/tasks/main.yaml
+++ b/roles/patch_debian/tasks/main.yaml
@@ -31,10 +31,7 @@
 become: true
 no_log: true
 changed_when: false
- when:
- - rkhex.stat is defined
- - rkhex.stat.executable is defined
- - rkhex.stat.executable|bool == True
+ when: rkhex.stat is defined and rkhex.stat.executable is defined and rkhex.stat.executable|bool == True
 - name: Clean packages cache
 ansible.builtin.command: apt clean
 changed_when: true
@@ -56,23 +53,20 @@
 path: /usr/sbin/needrestart
 register: nrex
 - name: Check for outdated kernel
- ansible.builtin.command: /usr/sbin/needrestart -pk
+ ansible.builtin.command: /usr/sbin/needrestart -rl -pk
 register: kernout
 changed_when: false
 # failed_when necessary to not fail on RC 1 instead of a true failure
 failed_when: kernout.rc > 2
 - name: Check for outdated services
- ansible.builtin.command: /usr/sbin/needrestart -pl
+ ansible.builtin.command: /usr/sbin/needrestart -rl -pl
 register: svcout
 changed_when: false
 # failed_when necessary to not fail on RC 1 instead of a true failure
 failed_when: svcout.rc > 2
 become: true
 name: Check reboot requirement
- when:
- - nrex.stat is defined
- - nrex.stat.exists == true
- - nrex.stat.executable|bool == True
+ when: nrex.stat is defined and nrex.stat.exists == true and nrex.stat.executable|bool == True
 - name: Clean apt cache
 # ansible's apt module does not have a dedicated action for this yet. So shell it is:
 ansible.builtin.command: apt clean
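Review bot: The single-line `when:` at `@@ -31,10 +31,7 @@` is behaviourally identical to the list it replaces, because Ansible ANDs the entries of a `when:` list, so under the subject "fix logic" it fixes nothing and only makes the guard harder to read and diff; the same applies to the rewrites at `@@ -83,10 +77,7 @@`, at the block-level `when:` in `@@ -56,23 +53,20 @@`, and in `roles/patch_redhat/tasks/main.yaml`. If brevity is the aim, `when: rkhex.stat.executable | default(false) | bool` should express the same guard without the `is defined` chain or the `== True` comparison. The Red Hat variant ends in a bare `rkhex.stat.executable` with no `|bool`, so the two roles are also inconsistent with each other. The task this condition belongs to starts outside the hunk.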
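Review bot: In `@@ -56,23 +53,20 @@`, return code 2 from either needrestart call is accepted by `failed_when: kernout.rc > 2` / `failed_when: svcout.rc > 2` but never acted on, because the reboot condition in the `@@ -96,4 +87,4 @@` hunk only tests `== 1`. With `-p` needrestart reports Nagios-style status codes, where 2 means CRITICAL, so depending on the host's needrestart configuration an outdated kernel could end the patch run without the reboot that activates the fix. Consider testing `kernout.rc|int in [1, 2]` (and likewise for `svcout`) in the reboot task, and adding a comment above each command such as `# -rl: list only, the check must never restart services itself; -p: Nagios return codes`. The block named `Check reboot requirement` starts outside this hunk; if the stat task that registers `nrex` sits inside that block, the block-level `when:` would also gate the stat task itself, which is worth confirming.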
@@ -83,10 +77,7 @@
 ansible.builtin.command: rkhunter --propupd --rwo --ns
 become: true
 changed_when: true
- when:
- - rkhex.stat is defined
- - rkhex.stat.executable is defined
- - rkhex.stat.executable|bool == True
+ when: rkhex.stat is defined and rkhex.stat.executable is defined and rkhex.stat.executable|bool == True
 - name: Reboot if required
 # ignore_errors: yes
 ansible.builtin.reboot:
@@ -96,4 +87,4 @@
 reboot_command: "/bin/systemctl reboot"
 become: true
 when: ( kernout.rc is defined and kernout.rc|int == 1 ) or ( svcout.rc is defined and svcout.r|int == 1 ) or
- ( kernout.rc is not defined and svcout.rc is not defined )
+ ( kernout.rc is not defined and svcout.rc is not defined ) or ( kernout is not defined and svcout is not defined )
diff --git a/roles/patch_redhat/tasks/main.yaml b/roles/patch_redhat/tasks/main.yaml
index 7f200e7..f67bfcf 100644
--- a/roles/patch_redhat/tasks/main.yaml
+++ b/roles/patch_redhat/tasks/main.yaml
@@ -33,10 +33,7 @@
 become: true
 no_log: true
 changed_when: false
- when:
- - rkhex.stat is defined
- - rkhex.stat.executable is defined
- - rkhex.stat.executable
+ when: rkhex.stat is defined and rkhex.stat.executable is defined and rkhex.stat.executable
 - name: Upgrade all installed packages (RHEL)
 ansible.builtin.yum:
 name: '*'
-- cgit v1.2.3
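Review bot: The `rkhunter --propupd --rwo --ns` task in `@@ -83,10 +77,7 @@` re-baselines the file-property database whenever rkhunter is executable, with no condition on the outcome of an earlier integrity check. `--propupd` records the current on-disk state as trusted, so a modification that predates the patch run would be absorbed into the baseline and stop producing warnings. Whether a check runs and is evaluated before this point is not visible here, as the task starts outside the hunk; if one does, its registered result belongs in this `when:`. At minimum, a comment such as `# --propupd trusts the current on-disk state; run only after a clean pre-patch check` would document the assumption.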
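Review bot: The reboot condition in `@@ -96,4 +87,4 @@` still reads `svcout.r|int == 1` on its context line, which looks like a typo for `svcout.rc`. A command result has no `r` attribute, so that clause can never be true, and it is likely to raise an undefined-variable error whenever it is evaluated (the kernel clause false and `svcout.rc` defined); the clause should read `( svcout.rc is defined and svcout.rc|int == 1 )`. The added `( kernout is not defined and svcout is not defined )` appears redundant, since a registered variable exists even for a skipped task and `kernout.rc is not defined` already covers that case — worth confirming against the Ansible version in use. The fall-through clauses also mean a host where neither check ran is rebooted unconditionally; if that is intended, a comment saying so would help. The task starts outside the hunk.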