added os-update playbook for debian

2024-11-22 22:03:31 +01:00
parent ba83e096b8
commit da473e67ff
8 changed files with 123 additions and 0 deletions
--- a/playbooks/os-update.yml
+++ b/playbooks/os-update.yml
@@ -0,0 +1,16 @@
 - hosts: all
  tasks:
    - name: Verify if system is Debian
      debug:
        msg: "This playbook is running on a Debian system."
      when: ansible_os_family == "Debian"
    - name: Stop playbook if system is not Debian
      fail:
        msg: "This playbook only supports Debian."
      when: ansible_os_family != "Debian"
    - name: Include OS update role
      include_role:
        name: os-updates
      when: ansible_os_family == "Debian"
--- a/roles/os-updates/defaults/main.yml
+++ b/roles/os-updates/defaults/main.yml
@@ -0,0 +1,9 @@
 # Standardwerte, die überschrieben werden können
 os_update_auto_upgrade: true
 os_also_update_mirror: false # Can either be true or false | Use this to enable mirror changes. Useful for first runs.
 os_update_mirrors:
  # Role needs two mirros to use for the sources.list.j2 Template
  - "http://mirror.tinc.gmbh/debian" # Enter a main mirror here (not security)
  - "http://mirror.tinc.gmbh/debian-security" # Enter a security mirror here
 os_update_major_version: false # Can either be true or false | To toggle if systems need to be upgraded to newer codename
 os_update_version_codename: "{{ ansible_distribution_release }}" # KEEP UNTOUCHED!! | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on
--- a/roles/os-updates/handlers/main.yml
+++ b/roles/os-updates/handlers/main.yml
@@ -0,0 +1,11 @@
 - name: apt cleanup
  apt:
    clean: yes
    autoclean: yes
 - name: Reboot system
  command: /sbin/reboot
  async: 1
  poll: 0
  ignore_errors: true
  when: reboot_required.stdout == "yes"
--- a/roles/os-updates/tasks/main.yml
+++ b/roles/os-updates/tasks/main.yml
@@ -0,0 +1,9 @@
 - name: Update mirrors if necessary
  include_tasks: update_mirrors.yaml
 - name: Upgrade to new major version if enabled
  when: os_update_major_version
  include_tasks: update_major_version.yaml
 - name: Upgrade all packages
  include_tasks: upgrade_packages.yaml
--- a/roles/os-updates/tasks/update_major_version.yaml
+++ b/roles/os-updates/tasks/update_major_version.yaml
@@ -0,0 +1,34 @@
 - name: Backup existing sources in /etc/apt
  copy:
    src: "{{ item }}"
    dest: "{{ item }}.bak"
    remote_src: yes
  loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') + ['/etc/apt/sources.list'] }}"
  when: item | file
 - name: Update sources.list for new major version
  template:
    src: sources.list.j2
    dest: /etc/apt/sources.list
  vars:
    os_update_version_codename: "{{ new_version_codename }}" # Variable gets passed by main.yml task
 - name: Update additional repositories in /etc/apt/sources.list.d
  lineinfile:
    path: "{{ item }}"
    regexp: '^(deb .* )({{ os_update_version_codename }})'
    line: '\1{{ new_version_codename }}'
  loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') }}"
  when: item | file
 - name: Update apt cache
  apt:
    update_cache: yes
 - name: Perform distribution upgrade
  apt:
    upgrade: yes
    allow_unauthenticated: yes
  notify:
    - Reboot system
    - apt cleanup
--- a/roles/os-updates/tasks/update_mirrors.yaml
+++ b/roles/os-updates/tasks/update_mirrors.yaml
@@ -0,0 +1,16 @@
 - name: Backup existing sources.list
  copy:
    src: /etc/apt/sources.list
    dest: /etc/apt/sources.list.bak
    remote_src: yes
    force: yes
 - name: Update sources.list with new mirrors
  template:
    src: sources.list.j2
    dest: /etc/apt/sources.list
 - name: Update apt cache
  apt:
    update_cache: yes
--- a/roles/os-updates/tasks/upgrade_packages.yml
+++ b/roles/os-updates/tasks/upgrade_packages.yml
@@ -0,0 +1,23 @@
 - name: Upgrade all installed packages
  apt:
    upgrade: full
    update_cache: yes
  notify: 
    - apt cleanup
 - name: Check if a kernel update is available
  shell: |
    dpkg -l | grep -E '^ii' | grep 'linux-image-[0-9]' | awk '{print $2}' | sort | tail -n 1
  register: latest_kernel
 - name: Check if running kernel matches the latest installed kernel
  shell: |
    echo "{{ latest_kernel.stdout }}" | grep -c $(uname -r)
  register: kernel_match
  changed_when: false
  ignore_errors: true
 - name: Mark reboot required if a new kernel is installed
  set_fact:
    reboot_required: "yes"
  when: kernel_match.stdout == "0"
--- a/roles/os-updates/templates/sources.list.j2
+++ b/roles/os-updates/templates/sources.list.j2
@@ -0,0 +1,5 @@
 # {{ ansible_managed }}
 deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }} main contrib non-free non-free-firmware
 deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }}-updates main contrib non-free non-free-firmware
 deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }}-backports main contrib non-free non-free-firmware
 deb {{ os_update_mirrors[1] }} {{ os_update_version_codename }}-security main contrib non-free non-free-firmware