From da473e67ff43b2e6f29c8fc98a02e927c9c6a318 Mon Sep 17 00:00:00 2001
From: Ansible Servercow
Date: Fri, 22 Nov 2024 22:03:31 +0100
Subject: [PATCH] added os-update playbook for debian
---
playbooks/os-update.yml | 16 +++++++++
roles/os-updates/defaults/main.yml | 9 +++++
roles/os-updates/handlers/main.yml | 11 ++++++
roles/os-updates/tasks/main.yml | 9 +++++
.../tasks/update_major_version.yaml | 34 +++++++++++++++++++
roles/os-updates/tasks/update_mirrors.yaml | 16 +++++++++
roles/os-updates/tasks/upgrade_packages.yml | 23 +++++++++++++
roles/os-updates/templates/sources.list.j2 | 5 +++
8 files changed, 123 insertions(+)
create mode 100644 playbooks/os-update.yml
create mode 100644 roles/os-updates/defaults/main.yml
create mode 100644 roles/os-updates/handlers/main.yml
create mode 100644 roles/os-updates/tasks/main.yml
create mode 100644 roles/os-updates/tasks/update_major_version.yaml
create mode 100644 roles/os-updates/tasks/update_mirrors.yaml
create mode 100644 roles/os-updates/tasks/upgrade_packages.yml
create mode 100644 roles/os-updates/templates/sources.list.j2
diff --git a/playbooks/os-update.yml b/playbooks/os-update.yml
new file mode 100644
index 0000000..b054ebb
--- /dev/null
+++ b/playbooks/os-update.yml
@@ -0,0 +1,16 @@
+- hosts: all
+ tasks:
+ - name: Verify if system is Debian
+ debug:
+ msg: "This playbook is running on a Debian system."
+ when: ansible_os_family == "Debian"
+
+ - name: Stop playbook if system is not Debian
+ fail:
+ msg: "This playbook only supports Debian."
+ when: ansible_os_family != "Debian"
+
+ - name: Include OS update role
+ include_role:
+ name: os-updates
+ when: ansible_os_family == "Debian"
\ No newline at end of file
diff --git a/roles/os-updates/defaults/main.yml b/roles/os-updates/defaults/main.yml
new file mode 100644
index 0000000..3336cfe
--- /dev/null
+++ b/roles/os-updates/defaults/main.yml
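Review bot: The play never sets `become:`, yet the included role writes `/etc/apt/sources.list`, runs `apt` and reboots the host, so on any inventory host whose connection user is not root the role's first task fails with a permission error; add `become: true` under `hosts: all`. `hosts: all` with no `serial:` also upgrades and, through the reboot handler, reboots every host in the same batch, so consider `serial: 1` or a percentage for anything that serves traffic. The `Verify if system is Debian` task only prints a message, and the `when:` on `include_role` is redundant once the `fail` task has already stopped non-Debian hosts, so both can be dropped. Style: the file lacks a leading `---` and a trailing newline.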
@@ -0,0 +1,9 @@
+# Standardwerte, die überschrieben werden können
+os_update_auto_upgrade: true
+os_also_update_mirror: false # Can either be true or false | Use this to enable mirror changes. Useful for first runs.
+os_update_mirrors:
+ # Role needs two mirros to use for the sources.list.j2 Template
+ - "http://mirror.tinc.gmbh/debian" # Enter a main mirror here (not security)
+ - "http://mirror.tinc.gmbh/debian-security" # Enter a security mirror here
+os_update_major_version: false # Can either be true or false | To toggle if systems need to be upgraded to newer codename
+os_update_version_codename: "{{ ansible_distribution_release }}" # KEEP UNTOUCHED!! | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on
\ No newline at end of file
diff --git a/roles/os-updates/handlers/main.yml b/roles/os-updates/handlers/main.yml
new file mode 100644
index 0000000..8295fe2
--- /dev/null
+++ b/roles/os-updates/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: apt cleanup
+ apt:
+ clean: yes
+ autoclean: yes
+
+- name: Reboot system
+ command: /sbin/reboot
+ async: 1
+ poll: 0
+ ignore_errors: true
+ when: reboot_required.stdout == "yes"
\ No newline at end of file
diff --git a/roles/os-updates/tasks/main.yml b/roles/os-updates/tasks/main.yml
new file mode 100644
index 0000000..70fa81e
--- /dev/null
+++ b/roles/os-updates/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: Update mirrors if necessary
+ include_tasks: update_mirrors.yaml
+
+- name: Upgrade to new major version if enabled
+ when: os_update_major_version
+ include_tasks: update_major_version.yaml
+
+- name: Upgrade all packages
+ include_tasks: upgrade_packages.yaml
\ No newline at end of file
diff --git a/roles/os-updates/tasks/update_major_version.yaml b/roles/os-updates/tasks/update_major_version.yaml
new file mode 100644
index 0000000..0378f21
--- /dev/null
+++ b/roles/os-updates/tasks/update_major_version.yaml
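Review bot: Both default mirrors are plain `http://` URLs, so apt's Release-file signature check is the only integrity control on what gets installed, and the `update_major_version.yaml` task in this same commit switches that check off with `allow_unauthenticated`; default to `https://` where the mirror supports it so a network-position attacker cannot substitute packages, and keep signature checking on. `os_update_auto_upgrade` is declared but read by no task in the diff, and `os_also_update_mirror` is not consulted by `tasks/main.yml` either, so either wire them in or remove them — a documented knob that does nothing is worse than none. Small things: `mirros` in the comment, a German header comment in an otherwise English role, and the `KEEP UNTOUCHED!!` note would be clearer as `# Derived from facts; update_major_version.yaml overrides it per-task via vars:, do not set it in inventory`.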
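Review bot: The `Reboot system` handler's `when: reboot_required.stdout == "yes"` cannot be satisfied: `upgrade_packages.yml` sets `reboot_required` with `set_fact` to the plain string `"yes"`, which has no `.stdout` attribute, and when no kernel change was detected the variable is undefined altogether, so the handler errors on evaluation in both cases. Firing `/sbin/reboot` through `command` with `async: 1`/`poll: 0` and `ignore_errors: true` also hides any failure and never waits for the host to return, so a following play can run against a machine that is mid-reboot. Use `ansible.builtin.reboot`, which waits for the host, and test the fact as a boolean with a default, as below. Style: `clean: yes`/`autoclean: yes` should be `true` per yamllint's truthy rule, and the file needs a `---` header and a trailing newline.
```yaml
- name: Reboot system
  ansible.builtin.reboot:
    msg: "Rebooting after OS update"
    reboot_timeout: 600
  when: reboot_required | default(false) | bool
```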
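Review bot: `include_tasks: upgrade_packages.yaml` points at a file that does not exist — the commit creates `roles/os-updates/tasks/upgrade_packages.yml` — so every run of the role fails right after the optional major-version step; rename one side so they agree (`include_tasks: upgrade_packages.yml`). The mirror step is also included unconditionally even though `defaults/main.yml` adds `os_also_update_mirror: false` to gate exactly this, so each run rewrites `/etc/apt/sources.list` with the template's mirrors regardless of the operator's setting; add `when: os_also_update_mirror | bool` to the first task. Style: the file lacks `---` and a trailing newline.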
@@ -0,0 +1,34 @@
+- name: Backup existing sources in /etc/apt
+ copy:
+ src: "{{ item }}"
+ dest: "{{ item }}.bak"
+ remote_src: yes
+ loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') + ['/etc/apt/sources.list'] }}"
+ when: item | file
+
+- name: Update sources.list for new major version
+ template:
+ src: sources.list.j2
+ dest: /etc/apt/sources.list
+ vars:
+ os_update_version_codename: "{{ new_version_codename }}" # Variable gets passed by main.yml task
+
+- name: Update additional repositories in /etc/apt/sources.list.d
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^(deb .* )({{ os_update_version_codename }})'
+ line: '\1{{ new_version_codename }}'
+ loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') }}"
+ when: item | file
+
+- name: Update apt cache
+ apt:
+ update_cache: yes
+
+- name: Perform distribution upgrade
+ apt:
+ upgrade: yes
+ allow_unauthenticated: yes
+ notify:
+ - Reboot system
+ - apt cleanup
\ No newline at end of file
diff --git a/roles/os-updates/tasks/update_mirrors.yaml b/roles/os-updates/tasks/update_mirrors.yaml
new file mode 100644
index 0000000..b2e18e3
--- /dev/null
+++ b/roles/os-updates/tasks/update_mirrors.yaml
@@ -0,0 +1,16 @@
+- name: Backup existing sources.list
+ copy:
+ src: /etc/apt/sources.list
+ dest: /etc/apt/sources.list.bak
+ remote_src: yes
+ force: yes
+
+
+- name: Update sources.list with new mirrors
+ template:
+ src: sources.list.j2
+ dest: /etc/apt/sources.list
+
+- name: Update apt cache
+ apt:
+ update_cache: yes
\ No newline at end of file
diff --git a/roles/os-updates/tasks/upgrade_packages.yml b/roles/os-updates/tasks/upgrade_packages.yml
new file mode 100644
index 0000000..8493d5f
--- /dev/null
+++ b/roles/os-updates/tasks/upgrade_packages.yml
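Review bot: `allow_unauthenticated: yes` on the `Perform distribution upgrade` task turns off apt's signature verification for every package pulled during a release upgrade, and with the role's default `http://` mirrors that leaves nothing between the host and whoever sits on the path to the mirror; remove it, and if the motivation is a new release's archive key, install the newer `debian-archive-keyring` before switching the codename. `upgrade: yes` is the module's `safe` mode (`apt-get upgrade`), which refuses the package additions and removals a codename switch needs, so it should be `upgrade: dist`. The loops cannot work as written: `new_version_codename` is defined nowhere in the diff (the comment says `main.yml` passes it, but `tasks/main.yml` passes nothing), `lookup('fileglob')` globs the controller's `/etc/apt` rather than the target's, `file` is a Jinja test not a filter (`item is file`, and even that runs on the controller), and `lineinfile` inserts `\1` literally without `backrefs: true` and then rewrites only the last matching line per file, so `ansible.builtin.replace` is the module that fits. A target-side `find` plus `replace` fixes the loops as sketched below; `new_version_codename` still needs a default or an `assert` that it is set.
```yaml
- name: Find apt source lists on the target
  ansible.builtin.find:
    paths:
      - /etc/apt
      - /etc/apt/sources.list.d
    patterns: "*.list"
    recurse: false
  register: apt_sources

- name: Backup existing sources in /etc/apt
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "{{ item }}.bak"
    remote_src: true
  loop: "{{ apt_sources.files | map(attribute='path') | list }}"

# … unchanged: sources.list template task …

- name: Update additional repositories in /etc/apt/sources.list.d
  ansible.builtin.replace:
    path: "{{ item }}"
    regexp: '^(deb .* )({{ os_update_version_codename }})'
    replace: '\1{{ new_version_codename }}'
  loop: "{{ apt_sources.files | map(attribute='path') | list }}"

# … unchanged: apt update_cache task …

- name: Perform distribution upgrade
  ansible.builtin.apt:
    upgrade: dist
  notify:
    - Reboot system
    - apt cleanup
```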
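Review bot: The backup task copies `sources.list` to a single fixed `sources.list.bak` with `force: yes`, so the second run of the role overwrites the backup with the file the first run already templated and the host's original mirror configuration is gone; `backup: true` on the `template` task keeps a timestamped copy on every change and makes the separate copy task unnecessary. Nothing checks that the new mirrors actually serve the host's release before apt is pointed at them, so the failing `update_cache` task afterwards is the only signal and it leaves the rewritten file in place; at minimum say so in a comment: `# No rollback: if the apt update below fails, restore sources.list from the backup`. Style: two consecutive blank lines after the first task, `remote_src: yes`/`force: yes` should be `true`, and the file lacks `---` and a trailing newline.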
@@ -0,0 +1,23 @@
+- name: Upgrade all installed packages
+ apt:
+ upgrade: full
+ update_cache: yes
+ notify:
+ - apt cleanup
+
+- name: Check if a kernel update is available
+ shell: |
+ dpkg -l | grep -E '^ii' | grep 'linux-image-[0-9]' | awk '{print $2}' | sort | tail -n 1
+ register: latest_kernel
+
+- name: Check if running kernel matches the latest installed kernel
+ shell: |
+ echo "{{ latest_kernel.stdout }}" | grep -c $(uname -r)
+ register: kernel_match
+ changed_when: false
+ ignore_errors: true
+
+- name: Mark reboot required if a new kernel is installed
+ set_fact:
+ reboot_required: "yes"
+ when: kernel_match.stdout == "0"
diff --git a/roles/os-updates/templates/sources.list.j2 b/roles/os-updates/templates/sources.list.j2
new file mode 100644
index 0000000..eda8338
--- /dev/null
+++ b/roles/os-updates/templates/sources.list.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }} main contrib non-free non-free-firmware
+deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }}-updates main contrib non-free non-free-firmware
+deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }}-backports main contrib non-free non-free-firmware
+deb {{ os_update_mirrors[1] }} {{ os_update_version_codename }}-security main contrib non-free non-free-firmware
\ No newline at end of file
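Review bot: The kernel detection is unreliable: `sort | tail -n 1` orders package names lexically, so `linux-image-6.1.0-9-amd64` is chosen over `linux-image-6.1.0-18-amd64`, and `grep -c $(uname -r)` is an unanchored substring match whose non-zero exit on zero matches is what forces the `ignore_errors`. The outcome is a `reboot_required` fact that is either the string `"yes"` or undefined, which the handler in this commit then reads as `reboot_required.stdout`, so the reboot never fires cleanly. Compare the newest installed kernel, sorted with `sort -V`, against `ansible_kernel` and always set a boolean fact, as below; note this fact is also the only reboot trigger for the major-version path, so a release upgrade that did not change the kernel never reboots. Style: the first `shell` task has no `changed_when: false`, so every run reports a change, and `update_cache: yes` should be `true`.
```yaml
- name: Find the newest installed kernel package
  ansible.builtin.shell: |
    set -o pipefail
    dpkg -l | awk '/^ii +linux-image-[0-9]/ {print $2}' | sort -V | tail -n 1
  args:
    executable: /bin/bash
  register: latest_kernel
  changed_when: false

- name: Mark reboot required if the running kernel is not the newest installed one
  ansible.builtin.set_fact:
    reboot_required: "{{ (latest_kernel.stdout | length > 0) and (latest_kernel.stdout != ('linux-image-' ~ ansible_kernel)) }}"
```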
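Review bot: `non-free-firmware` is a component that only exists from Debian 12 (bookworm), so on a bullseye host the templated `sources.list` makes every `apt update` log a "doesn't have the component" warning and skip it; make the component list a role variable (e.g. `os_update_components`) with a release-appropriate default instead of hard-coding it four times. Enabling `contrib non-free` on every managed host also widens the package set that `apt upgrade` will touch beyond what the operator may have approved, so that should stay opt-in. The `<codename>-security` suite layout matches bullseye and later only (buster used `<codename>/updates`), which is worth stating at the top of the template: `# Suite layout valid for bullseye (11) and newer; older releases use <codename>/updates for security`. The file lacks a trailing newline, which apt tolerates but which produces the `\ No newline` marker on every later diff.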