| author | mail_redacted_for_web | 2021-03-29 18:12:45 +0200 | 
|---|---|---|
| committer | mail_redacted_for_web | 2021-03-29 18:12:45 +0200 | 
| commit | 9b16cbc6084f29afc2170228c128fa7c439a3578 (patch) | |
| tree | a11f1523594efa92ea6b3733cd1cc719e8fa2b88 | |
| download | ansible-9b16cbc6084f29afc2170228c128fa7c439a3578.tar.bz2 | |
InComm
| -rw-r--r-- | AUTHORS | 5 | ||||
| -rw-r--r-- | LICENSE | 165 | ||||
| -rw-r--r-- | README.md | 3 | ||||
| -rw-r--r-- | patch.yml | 211 | 
4 files changed, 384 insertions, 0 deletions
| @@ -0,0 +1,5 @@ +Maintainers: +	Harald Pfeiffer <coding@lirion.de> + +Contributors: +	Harald Pfeiffer <coding@lirion.de> 
@@ -0,0 +1,165 @@ +                   GNU LESSER GENERAL PUBLIC LICENSE +                       Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/> + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + +  This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + +  0. Additional Definitions. + +  As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + +  "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + +  An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + +  A "Combined Work" is a work produced by combining or linking an +Application with the Library.  The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + +  The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + +  The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + +  1. Exception to Section 3 of the GNU GPL. 
+ +  You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. + +  2. Conveying Modified Versions. + +  If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + +   a) under this License, provided that you make a good faith effort to +   ensure that, in the event an Application does not supply the +   function or data, the facility still operates, and performs +   whatever part of its purpose remains meaningful, or + +   b) under the GNU GPL, with none of the additional permissions of +   this License applicable to that copy. + +  3. Object Code Incorporating Material from Library Header Files. + +  The object code form of an Application may incorporate material from +a header file that is part of the Library.  You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + +   a) Give prominent notice with each copy of the object code that the +   Library is used in it and that the Library and its use are +   covered by this License. + +   b) Accompany the object code with a copy of the GNU GPL and this license +   document. + +  4. Combined Works. 
+ +  You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + +   a) Give prominent notice with each copy of the Combined Work that +   the Library is used in it and that the Library and its use are +   covered by this License. + +   b) Accompany the Combined Work with a copy of the GNU GPL and this license +   document. + +   c) For a Combined Work that displays copyright notices during +   execution, include the copyright notice for the Library among +   these notices, as well as a reference directing the user to the +   copies of the GNU GPL and this license document. + +   d) Do one of the following: + +       0) Convey the Minimal Corresponding Source under the terms of this +       License, and the Corresponding Application Code in a form +       suitable for, and under terms that permit, the user to +       recombine or relink the Application with a modified version of +       the Linked Version to produce a modified Combined Work, in the +       manner specified by section 6 of the GNU GPL for conveying +       Corresponding Source. + +       1) Use a suitable shared library mechanism for linking with the +       Library.  A suitable mechanism is one that (a) uses at run time +       a copy of the Library already present on the user's computer +       system, and (b) will operate properly with a modified version +       of the Library that is interface-compatible with the Linked +       Version. 
+ +   e) Provide Installation Information, but only if you would otherwise +   be required to provide such information under section 6 of the +   GNU GPL, and only to the extent that such information is +   necessary to install and execute a modified version of the +   Combined Work produced by recombining or relinking the +   Application with a modified version of the Linked Version. (If +   you use option 4d0, the Installation Information must accompany +   the Minimal Corresponding Source and Corresponding Application +   Code. If you use option 4d1, you must provide the Installation +   Information in the manner specified by section 6 of the GNU GPL +   for conveying Corresponding Source.) + +  5. Combined Libraries. + +  You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + +   a) Accompany the combined library with a copy of the same work based +   on the Library, uncombined with any other library facilities, +   conveyed under the terms of this License. + +   b) Give prominent notice with the combined library that part of it +   is a work based on the Library, and explaining where to find the +   accompanying uncombined form of the same work. + +  6. Revised Versions of the GNU Lesser General Public License. + +  The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + +  Each version is given a distinguishing version number. 
If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + +  If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. diff --git a/README.md b/README.md new file mode 100644 index 0000000..96ee6f6 --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# Content + +Well, just some ansible stuff I intend to use for my own entertainment and/or work. For now. diff --git a/patch.yml b/patch.yml new file mode 100644 index 0000000..b377750 --- /dev/null +++ b/patch.yml 
@@ -0,0 +1,211 @@ +--- +# You may want to change the default to your favourite host (group) you run this on the most. +- hosts: "{{ runtime_hosts | default('CHANGE_ME') }}" +  order: inventory +  gather_facts: false +  # default: all in first step, but that shit requires (int) +  serial: 666 +  tasks: +  - name: Gather necessary facts +    setup: +      filter: "ansible_distribution*" +  - name: Set up Red Hat and derivatives +    debug: +      msg: "System is {{ansible_distribution}}, checking in." +    when: ansible_distribution_file_variety == "RedHat" +    changed_when: true +    notify: "redhat upd" +  - name: Set up Debian and derivatives +    debug: +      msg: "System is {{ansible_distribution}}, checking in." +    when: ansible_distribution_file_variety == "Debian" +    changed_when: true +    notify: "debian upd" +  - name: Set up SUSE and derivatives +    debug: +      msg: "System is {{ansible_distribution}}, checking in." +    # SuSE was "renamed" to SUSE somewhen around SLES 11 (now SLE :-} ), so we'll check for both. Even though generation 11 +    # repositories should be pretty ...deaddish by now. +    when: ansible_distribution_file_variety == "SUSE" or ansible_distribution_file_variety == "SuSE" +    changed_when: true +    notify: "suse upd" +  handlers: +  - name: Update yum/dnf cache (RHEL) +    # We want to see a dedicated failure if the repos cannot be fetched already. +    # Cheating here: yum wants a "state" statement to be placed before it takes action, and then - other than stated in the docs - +    # we can trigger an action containing update_cache without "name" being mandatory. 
So we will have no package present with +    # updated cache :-) +    yum: +      state: present +      update_cache: "yes" +      validate_certs: "yes" +    become: true +    listen: "redhat upd" +  - name: Update repository cache (Debian) +    apt: +      update_cache: yes +    become: true +    listen: "debian upd" +  - name: Check for upgrades (RHEL) +    # yum check-upgrade would normally throw an RC 100 if updates are available. +    # But through ansible: RC0! Weeeee +    shell: /usr/bin/yum -q -C check-upgrade 2>/dev/null | wc -l +    args: +      warn: false +    register: yue +    changed_when: yue.stdout|int > 1 +    become: true +    listen: "redhat upd" +    notify: +      - "redhat updates available" +      - "rkhunter" +  - name: Check for upgrades (Debian) +    shell: +      cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l +    # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W +    register: aue +    # apt will throw an error because it doesn't like piping yet. +    # for our purposes, however, everything has already been sufficiently implemented. +    failed_when: false +    changed_when: aue.stdout|int > 0 +    notify: +      - "debian updates available" +      - "rkhunter" +    listen: "debian upd" +  - name: Check for existence of rkhunter +    stat: +      path: /usr/bin/rkhunter +    register: rkhex +    ignore_errors: true +    no_log: true +    # yum always tosses this arbitrary extra line at you, a simple tr -s does not eradicate it, so - well, +    # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible. 
+    listen: "rkhunter" +    changed_when: +      - rkhex.stat is defined +      - rkhex.stat.executable is defined +      - rkhex.stat.executable == true +    notify: "rkhunter execution" +  - name: rkhunter pre-check +    shell: rkhunter -c --sk --rwo --ns +    become: true +    no_log: true +    listen: "rkhunter execution" +  - name: Upgrade all installed packages (RHEL) +    yum: +      name: '*' +      state: latest +      validate_certs: "yes" +      skip_broken: "yes" +    become: true +    listen: "redhat updates available" +  # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible. +  # See ansible issue #60349. Leaving commented out. -- pff +  # - name: Auto-removal of orphaned dependencies (RHEL) +  #   yum: +  #     autoremove: "yes" +  #   when: (ansible_distribution_file_variety == "RedHat") or (ansible_distribution == "Red Hat Enterprise Linux") or (ansible_distribution == "CentOS") +  - name: Register requirement for reboot (RHEL) +    command: needs-restarting -r +    ignore_errors: "yes" +    register: nr +    changed_when: "nr.rc > 0" +    failed_when: false +    notify: "Reboot if required" +    become: true +    # we listen to "redhat upd" here in case a previous reboot was not executed. If undesired, change to "redhat updates available". +    listen: "redhat upd" +  - name: Clean packages cache (Debian) +    command: apt clean +    become: true +    listen: "debian upd" +  - name: Upgrade packages (Debian) +    apt: +      upgrade: dist +    become: true +    listen: "debian updates available" +  - name: Remove dependencies that are no longer required (Debian) +    apt: +      autoremove: "yes" +      purge: "yes" +    become: true +    # we listen to "debian upd" here in case a previous cleanup was skipped. Change to "debian updates available" if undesired. 
+    listen: "debian upd" +  - name: Check for existence of needrestart (Debian) +    stat: +      path: /usr/sbin/needrestart +    register: nrex +    ignore_errors: "yes" +    no_log: true +    failed_when: false +    changed_when: +      - nrex.stat.exists == true +      - nrex.stat.executable == true +    notify: "debian needrestart" +  - name: Check for outdated kernel (Debian) +    shell: /usr/sbin/needrestart -pk +    register: kernout +    when: +      - nrex.stat.exists == true +      - nrex.stat.executable == true +    become: true +    changed_when: "kernout.rc|int == 1" +    listen: "debian needrestart" +    notify: "Reboot if required" +    # failed_when necessary to have a change for RC 1 instead of a failure +    failed_when: kernout.rc > 1 +  - name: Update zypper cache (SUSE) +    # we cannot cheat like we did with yum: we need to update any package to refresh the cache with the zypper module. Hence falling back +    # to shell. +    shell: | +      zypper refs && zypper ref +    become: true +    listen: "suse upd" +  - name: Update all packages (SUSE) +    # we could narrow this down via type:patch, but that's about all. So fire away. +    zypper: +      name: '*' +      state: latest +    become: true +    # TODO: suse not productive yet, so we choose an arbitrary listener here. Change to something meaningful when going to production. +    listen: "bonkadonk" +  - name: Register requirement for reboot (SUSE) +    shell: zypper ps -sss +    register: zyppout +    changed_when: "zyppout.rc == 102" +    notify: "Reboot if required" +    # we listen to "suse upd" here in case a previous reboot was skipped. Change to "suse updates available" if undesired. +    listen: "suse upd" +  - name: Clean packages cache (RHEL) +    # ansible's yum module does not have a dedicated action for this. So shell it is. +    # CAUTION: This will only work as long as modern RHEL derivatives (RHEL/CentOS >=8, Fedora >=30) will have yum available as pseudo-alias to dnf. 
+    # Also, despite yum not offering this feature, ansible will warn that there is a yum module and we should consider using it. Turning warnings off. +    args: +      warn: false +    shell: yum clean packages +    become: true +    # we listen to "redhat upd" here in case a previous cleanup was skipped. Change to "redhat updates available" if undesired. +    listen: "redhat upd" +  - name: Clean apt cache (Debian) +    # ansible's apt module does not have a dedicated action for this yet. So shell it is: +    shell: apt clean +    become: true +    # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well) +    listen: "debian updates available" +  - name: Clean packages cache (SUSE) +    # ansible's zypper module does not have a dedicated action for this yet. So shell it is: +    shell: zypper clean +    become: true +    # we listen to "suse upd" here in case a previous cleanup was skipped. Change to "suse updates available" if undesired. +    listen: "suse upd" +  - name: rkhunter properties update +    command: rkhunter --propupd --rwo --ns +    become: true +    listen: "rkhunter execution" +  - name: Reboot if required +    # ignore_errors: yes +    reboot: +      reboot_timeout: 300 +      pre_reboot_delay: 5 +      test_command: uptime +    become: true | 
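Review bot: The `Check for upgrades (RHEL)` handler cannot notice a failed check, because piping `yum -q -C check-upgrade` into `wc -l` replaces yum's exit status with wc's (always 0) and `2>/dev/null` discards the error text, so a broken repository, an expired GPG key or an unknown-subcommand error (classic yum only knows `check-update`; `check-upgrade` appears to be a dnf alias) all count as "0 lines", the handler reports ok and the host silently stays unpatched — the `RC0! Weeeee` comment describes this pipe, not an Ansible quirk. Use the exit code directly and drop the pipe and the `warn: false` block: `command: /usr/bin/yum -q -C check-update`, `changed_when: yue.rc == 100`, `failed_when: yue.rc not in [0, 100]`. The Debian counterpart masks failures the same way through `| wc -l` and additionally sets `failed_when: false`, so errors from `apt list` can never fail the play; remove that override and check the pipeline's status (e.g. run it under `/bin/bash` with `set -o pipefail` and treat only grep's "no lines" rc 1 as benign). Separately, `no_log: true` on the `rkhunter pre-check` handler hides exactly the warnings `--rwo` is meant to surface; the command carries no secret, so the `no_log` there should go so a failing pre-check shows what rkhunter found before the host is re-baselined.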
