From 8927a48515420e82bc5c056a83a681dd44a0d3e1 Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer <coding@lirion.de>
Date: Sun, 14 Apr 2024 14:59:49 +0200
Subject: Code improvements: FQCNs, boolean handling, shell/command

---
 patch.yaml                         |  2 +-
 roles/patch_debian/tasks/main.yaml | 46 +++++++++++++++++++++-----------------
 2 files changed, 27 insertions(+), 21 deletions(-)

diff --git a/patch.yaml b/patch.yaml
index 5fa350f..a0e9700 100644
--- a/patch.yaml
+++ b/patch.yaml
@@ -7,7 +7,7 @@
   serial: 666
   tasks:
   - name: Gather necessary facts
-    setup:
+    ansible.builtin.setup:
       filter: "ansible_distribution*"
   - name: Debian Patches
     ansible.builtin.import_role:
diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml
index 6e19050..84bfa9a 100644
--- a/roles/patch_debian/tasks/main.yaml
+++ b/roles/patch_debian/tasks/main.yaml
@@ -5,11 +5,11 @@
       - ansible_distribution_file_variety == 'Debian'
   no_log: true
 - name: Update repository cache
-  apt:
+  ansible.builtin.apt:
     update_cache: "yes"
   become: true
 - name: Check for upgrades
-  shell:
+  ansible.builtin.shell:
     cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l
   # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W
   register: aue
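Review bot: The count produced on L39 later gates the whole upgrade block (`when: aue.stdout|int > 0`), but the pipeline's exit status is that of `wc -l`, so when `apt list` fails (dpkg lock held, broken sources list) the task still succeeds with stdout `0` and the play silently skips patching while reporting nothing to do. Run the pipeline with pipefail and a filter that exits 0 on an empty result, e.g. `cmd: set -o pipefail; apt list --upgradable 2>/dev/null | awk '!/^Listing/{n++} END{print n+0}'` plus `executable: /bin/bash`, so a failed listing fails the task (a plain pipefail with the existing `grep -v` would instead break the zero-upgrade case, since grep exits 1 when no line passes). Also, `update_cache: "yes"` on L34 is still a quoted string although the commit subject promises boolean handling; `update_cache: true` is the idiomatic form.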
@@ -20,74 +20,80 @@
   changed_when: false
 - block:
     - name: Check for existence of rkhunter
-      stat:
+      ansible.builtin.stat:
         path: /usr/bin/rkhunter
       register: rkhex
       ignore_errors: true
       no_log: true
       changed_when: false
-    - name: rkhunter pre-check
-      shell: rkhunter -c --sk --rwo --ns
+    - name: RKhunter pre-check
+      ansible.builtin.command: rkhunter -c --sk --rwo --ns
       become: true
       no_log: true
+      changed_when: false
       when:
         - rkhex.stat is defined
         - rkhex.stat.executable is defined
-        - rkhex.stat.executable == true
+        - rkhex.stat.executable|bool == True
     - name: Clean packages cache
-      command: apt clean
+      ansible.builtin.command: apt clean
+      changed_when: true
       become: true
     - name: Upgrade packages (Debian)
-      apt:
+      ansible.builtin.apt:
         upgrade: dist
       become: true
     - name: Remove dependencies that are no longer required
-      apt:
+      ansible.builtin.apt:
         autoremove: "yes"
         purge: "yes"
       become: true
+  name: Update and RKhunter checks
+  when: aue.stdout|int > 0
+- block:
     - name: Check for existence of needrestart
-      stat:
+      ansible.builtin.stat:
         path: /usr/sbin/needrestart
       register: nrex
       ignore_errors: "yes"
       no_log: true
       failed_when: false
       changed_when: false
-  when: aue.stdout|int > 0
-- block:
     - name: Check for outdated kernel
-      shell: /usr/sbin/needrestart -pk
+      ansible.builtin.command: /usr/sbin/needrestart -pk
       register: kernout
       changed_when: false
       # failed_when necessary to not fail on RC 1 instead of a true failure
       failed_when: kernout.rc > 2
     - name: Check for outdated services
-      shell: /usr/sbin/needrestart -pl
+      ansible.builtin.command: /usr/sbin/needrestart -pl
       register: svcout
       changed_when: false
       # failed_when necessary to not fail on RC 1 instead of a true failure
       failed_when: svcout.rc > 2
   become: true
+  name: Check reboot requirement
   when:
     - nrex.stat is defined
     - nrex.stat.exists == true
-    - nrex.stat.executable == true
+    - nrex.stat.executable|bool == True
 - name: Clean apt cache
   # ansible's apt module does not have a dedicated action for this yet. So shell it is:
-  shell: apt clean
+  ansible.builtin.command: apt clean
+  changed_when: false
   become: true
   # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well)
-- name: rkhunter properties update
-  command: rkhunter --propupd --rwo --ns
+- name: RKhunter properties update
+  ansible.builtin.command: rkhunter --propupd --rwo --ns
   become: true
+  changed_when: false
   when:
     - rkhex.stat is defined
     - rkhex.stat.executable is defined
-    - rkhex.stat.executable == true
+    - rkhex.stat.executable|bool == True
 - name: Reboot if required
   # ignore_errors: yes
-  reboot:
+  ansible.builtin.reboot:
     reboot_timeout: 300
     pre_reboot_delay: 5
     test_command: uptime
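Review bot: `rkhunter --propupd --rwo --ns` on L126 is gated only on rkhunter being present (L129-L133), not on an upgrade having happened, so every play run re-baselines the file-property database even when no package changed — any tampering that occurred between runs is then accepted as the new baseline, and the added `changed_when: false` on L128 hides that the baseline was rewritten. The comment on L122 says this task is meant to listen to "debian updates available", so add `- aue.stdout|int > 0` to its `when:` list and report the rewrite as a change (`changed_when: true`, as the other `apt clean` task on L68 already does). Relatedly, the pre-check on L56 keeps `no_log: true`, which suppresses exactly the rkhunter warnings an operator needs when that task fails and aborts the block; `no_log` is for secrets, so drop it or register the output and show it in a debug task. Since the `stat` on L48 tests `/usr/bin/rkhunter` but both tasks invoke bare `rkhunter`, consider calling `/usr/bin/rkhunter` so the binary executed under `become` is the one that was checked; whether the reboot task on L134 carries a `when:` cannot be seen, as the file may continue past this hunk.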