From 4f0b5cb177f98c7f1d80504f94eeba94f721d2de Mon Sep 17 00:00:00 2001 From: Harald Pfeiffer Date: Sun, 5 May 2024 14:46:51 +0200 Subject: Initial commit after port This is a ported collection of my patch playbooks + roles. Before, they were living inside an "all things ansible" repository. The history is not important as shortly before porting, the code had been revamped (before, it employed changes for host selection which worked but changes are not intended for that). --- roles/patch_debian/tasks/main.yaml | 99 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 roles/patch_debian/tasks/main.yaml (limited to 'roles/patch_debian') diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml new file mode 100644 index 0000000..9d96a4e --- /dev/null +++ b/roles/patch_debian/tasks/main.yaml @@ -0,0 +1,99 @@ +--- +- name: "Check whether OS is a Debian derivative" + ansible.builtin.assert: + that: + - ansible_distribution_file_variety == 'Debian' + no_log: true +- name: Update repository cache + ansible.builtin.apt: + update_cache: "yes" + become: true +- name: Check for upgrades + ansible.builtin.shell: + cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l + # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W + register: aue + # apt will throw an error because it doesn't like piping yet. + # for our purposes, however, everything has already been sufficiently implemented. + failed_when: false + #changed_when: aue.stdout|int > 0 + changed_when: false +- block: + - name: Check for existence of rkhunter + ansible.builtin.stat: + path: /usr/bin/rkhunter + register: rkhex + ignore_errors: true + no_log: true + changed_when: false + - name: RKhunter pre-check + ansible.builtin.command: rkhunter -c --sk --rwo --ns + become: true + no_log: true + changed_when: false + when: + - rkhex.stat is defined + - rkhex.stat.executable is defined + - rkhex.stat.executable|bool == True + - name: Clean packages cache + ansible.builtin.command: apt clean + changed_when: true + become: true + - name: Upgrade packages (Debian) + ansible.builtin.apt: + upgrade: dist + become: true + - name: Remove dependencies that are no longer required + ansible.builtin.apt: + autoremove: "yes" + purge: "yes" + become: true + name: Update and RKhunter checks + when: aue.stdout|int > 0 +- block: + - name: Check for existence of needrestart + ansible.builtin.stat: + path: /usr/sbin/needrestart + register: nrex + - name: Check for outdated kernel + ansible.builtin.command: /usr/sbin/needrestart -pk + register: kernout + changed_when: false + # failed_when necessary to not fail on RC 1 instead of a true failure + failed_when: kernout.rc > 2 + - name: Check for outdated services + ansible.builtin.command: /usr/sbin/needrestart -pl + register: svcout + changed_when: false + # failed_when necessary to not fail on RC 1 instead of a true failure + failed_when: svcout.rc > 2 + become: true + name: Check reboot requirement + when: + - nrex.stat is defined + - nrex.stat.exists == true + - nrex.stat.executable|bool == True +- name: Clean apt cache + # ansible's apt module does not have a dedicated action for this yet. So shell it is: + ansible.builtin.command: apt clean + changed_when: false + become: true + # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well) +- name: RKhunter properties update + ansible.builtin.command: rkhunter --propupd --rwo --ns + become: true + changed_when: true + when: + - rkhex.stat is defined + - rkhex.stat.executable is defined + - rkhex.stat.executable|bool == True +- name: Reboot if required + # ignore_errors: yes + ansible.builtin.reboot: + reboot_timeout: 300 + pre_reboot_delay: 5 + test_command: uptime + reboot_command: "/bin/systemctl reboot" + become: true + when: ( kernout.rc is defined and kernout.rc|int == 1 ) or ( svcout.rc is defined and svcout.r|int == 1 ) or + ( kernout.rc is not defined and svcout.rc is not defined ) -- cgit v1.2.3