added os-update playbook for debian

roles/os-updates/defaults/main.yml

@@ -0,0 +1,9 @@
+# Standardwerte, die überschrieben werden können
+os_update_auto_upgrade: true
+os_also_update_mirror: false # Can either be true or false | Use this to enable mirror changes. Useful for first runs.
+os_update_mirrors:
+  # Role needs two mirros to use for the sources.list.j2 Template
+  - "http://mirror.tinc.gmbh/debian" # Enter a main mirror here (not security)
+  - "http://mirror.tinc.gmbh/debian-security" # Enter a security mirror here
+os_update_major_version: false # Can either be true or false | To toggle if systems need to be upgraded to newer codename
+os_update_version_codename: "{{ ansible_distribution_release }}" # KEEP UNTOUCHED!! | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on

roles/os-updates/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: apt cleanup
+  apt:
+    clean: yes
+    autoclean: yes
+
+- name: Reboot system
+  command: /sbin/reboot
+  async: 1
+  poll: 0
+  ignore_errors: true
+  when: reboot_required.stdout == "yes"

roles/os-updates/tasks/main.yml

@@ -0,0 +1,9 @@
+- name: Update mirrors if necessary
+  include_tasks: update_mirrors.yaml
+
+- name: Upgrade to new major version if enabled
+  when: os_update_major_version
+  include_tasks: update_major_version.yaml
+
+- name: Upgrade all packages
+  include_tasks: upgrade_packages.yaml

roles/os-updates/tasks/update_major_version.yaml

@@ -0,0 +1,34 @@
+- name: Backup existing sources in /etc/apt
+  copy:
+    src: "{{ item }}"
+    dest: "{{ item }}.bak"
+    remote_src: yes
+  loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') + ['/etc/apt/sources.list'] }}"
+  when: item | file
+
+- name: Update sources.list for new major version
+  template:
+    src: sources.list.j2
+    dest: /etc/apt/sources.list
+  vars:
+    os_update_version_codename: "{{ new_version_codename }}" # Variable gets passed by main.yml task
+
+- name: Update additional repositories in /etc/apt/sources.list.d
+  lineinfile:
+    path: "{{ item }}"
+    regexp: '^(deb .* )({{ os_update_version_codename }})'
+    line: '\1{{ new_version_codename }}'
+  loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') }}"
+  when: item | file
+
+- name: Update apt cache
+  apt:
+    update_cache: yes
+
+- name: Perform distribution upgrade
+  apt:
+    upgrade: yes
+    allow_unauthenticated: yes
+  notify:
+    - Reboot system
+    - apt cleanup

roles/os-updates/tasks/update_mirrors.yaml

@@ -0,0 +1,16 @@
+- name: Backup existing sources.list
+  copy:
+    src: /etc/apt/sources.list
+    dest: /etc/apt/sources.list.bak
+    remote_src: yes
+    force: yes
+
+
+- name: Update sources.list with new mirrors
+  template:
+    src: sources.list.j2
+    dest: /etc/apt/sources.list
+
+- name: Update apt cache
+  apt:
+    update_cache: yes

roles/os-updates/tasks/upgrade_packages.yml

@@ -0,0 +1,23 @@
+- name: Upgrade all installed packages
+  apt:
+    upgrade: full
+    update_cache: yes
+  notify: 
+    - apt cleanup
+
+- name: Check if a kernel update is available
+  shell: |
+    dpkg -l | grep -E '^ii' | grep 'linux-image-[0-9]' | awk '{print $2}' | sort | tail -n 1
+  register: latest_kernel
+
+- name: Check if running kernel matches the latest installed kernel
+  shell: |
+    echo "{{ latest_kernel.stdout }}" | grep -c $(uname -r)
+  register: kernel_match
+  changed_when: false
+  ignore_errors: true
+
+- name: Mark reboot required if a new kernel is installed
+  set_fact:
+    reboot_required: "yes"
+  when: kernel_match.stdout == "0"

roles/os-updates/templates/sources.list.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }} main contrib non-free non-free-firmware
+deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }}-updates main contrib non-free non-free-firmware
+deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }}-backports main contrib non-free non-free-firmware
+deb {{ os_update_mirrors[1] }} {{ os_update_version_codename }}-security main contrib non-free non-free-firmware