Diffstat (limited to 'roles/patch_debian')
| -rw-r--r-- | roles/patch_debian/tasks/main.yaml | 99 | 
1 files changed, 99 insertions, 0 deletions
diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml
new file mode 100644
index 0000000..9d96a4e
--- /dev/null
+++ b/roles/patch_debian/tasks/main.yaml
@@ -0,0 +1,99 @@
+---
+- name: "Check whether OS is a Debian derivative"
+  ansible.builtin.assert:
+    that:
+      - ansible_distribution_file_variety == 'Debian'
+  no_log: true
+- name: Update repository cache
+  ansible.builtin.apt:
+    update_cache: "yes"
+  become: true
+- name: Check for upgrades
+  ansible.builtin.shell:
+    cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l
+  # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W
+  register: aue
+  # apt will throw an error because it doesn't like piping yet.
+  # for our purposes, however, everything has already been sufficiently implemented.
+  failed_when: false
+  #changed_when: aue.stdout|int > 0
+  changed_when: false
+- block:
+    - name: Check for existence of rkhunter
+      ansible.builtin.stat:
+        path: /usr/bin/rkhunter
+      register: rkhex
+      ignore_errors: true
+      no_log: true
+      changed_when: false
+    - name: RKhunter pre-check
+      ansible.builtin.command: rkhunter -c --sk --rwo --ns
+      become: true
+      no_log: true
+      changed_when: false
+      when:
+        - rkhex.stat is defined
+        - rkhex.stat.executable is defined
+        - rkhex.stat.executable|bool == True
+    - name: Clean packages cache
+      ansible.builtin.command: apt clean
+      changed_when: true
+      become: true
+    - name: Upgrade packages (Debian)
+      ansible.builtin.apt:
+        upgrade: dist
+      become: true
+    - name: Remove dependencies that are no longer required
+      ansible.builtin.apt:
+        autoremove: "yes"
+        purge: "yes"
+      become: true
+  name: Update and RKhunter checks
+  when: aue.stdout|int > 0
+- block:
+    - name: Check for existence of needrestart
+      ansible.builtin.stat:
+        path: /usr/sbin/needrestart
+      register: nrex
+    - name: Check for outdated kernel
+      ansible.builtin.command: /usr/sbin/needrestart -pk
+      register: kernout
+      changed_when: false
+      # failed_when necessary to not fail on RC 1 instead of a true failure
+      failed_when: kernout.rc > 2
+    - name: Check for outdated services
+      ansible.builtin.command: /usr/sbin/needrestart -pl
+      register: svcout
+      changed_when: false
+      # failed_when necessary to not fail on RC 1 instead of a true failure
+      failed_when: svcout.rc > 2
+  become: true
+  name: Check reboot requirement
+  when:
+    - nrex.stat is defined
+    - nrex.stat.exists == true
+    - nrex.stat.executable|bool == True
+- name: Clean apt cache
+  # ansible's apt module does not have a dedicated action for this yet. So shell it is:
+  ansible.builtin.command: apt clean
+  changed_when: false
+  become: true
+  # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well)
+- name: RKhunter properties update
+  ansible.builtin.command: rkhunter --propupd --rwo --ns
+  become: true
+  changed_when: true
+  when:
+    - rkhex.stat is defined
+    - rkhex.stat.executable is defined
+    - rkhex.stat.executable|bool == True
+- name: Reboot if required
+  # ignore_errors: yes
+  ansible.builtin.reboot:
+    reboot_timeout: 300
+    pre_reboot_delay: 5
+    test_command: uptime
+    reboot_command: "/bin/systemctl reboot"
+  become: true
+  when: ( kernout.rc is defined and kernout.rc|int == 1 ) or ( svcout.rc is defined and svcout.r|int == 1 ) or
+        ( kernout.rc is not defined and svcout.rc is not defined )  | 
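Review bot: The reboot guard in the last `when:` of the hunk has a typo, `svcout.r|int == 1`, which should be `svcout.rc|int == 1`; as written the service branch either raises an undefined-attribute error at evaluation time or never matches, so a needed reboot signalled by `needrestart -pl` is never acted on. The third clause, `( kernout.rc is not defined and svcout.rc is not defined )`, is true on every host where the "Check reboot requirement" block was skipped, i.e. wherever needrestart is not installed, so such hosts are rebooted on every run even when no package was upgraded; gate the fallback on an upgrade actually having happened, e.g. `or ( not nrex.stat.exists and aue.stdout|int > 0 )`, or drop it and require needrestart. The `failed_when: ... > 2` lines tolerate rc 2 from needrestart's plugin mode, yet the guard only reacts to rc 1; if plugin mode reports an obsolete kernel as CRITICAL (2) on your needrestart version, which is worth confirming, that case neither fails the play nor reboots. Separately, `no_log: true` on the rkhunter pre-check hides the warnings that make that task fail, so an operator sees a failed upgrade run but not what rkhunter flagged; the scan output does not appear to contain secrets, so consider removing that `no_log`.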
