From 8927a48515420e82bc5c056a83a681dd44a0d3e1 Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer
Date: Sun, 14 Apr 2024 14:59:49 +0200
Subject: Code improvements: FQCNs, boolean handling, shell/command
---
patch.yaml | 2 +-
roles/patch_debian/tasks/main.yaml | 46 +++++++++++++++++++++-----------------
2 files changed, 27 insertions(+), 21 deletions(-)
diff --git a/patch.yaml b/patch.yaml
index 5fa350f..a0e9700 100644
--- a/patch.yaml
+++ b/patch.yaml
@@ -7,7 +7,7 @@
 serial: 666
 tasks:
 - name: Gather necessary facts
- setup:
+ ansible.builtin.setup:
 filter: "ansible_distribution*"
 - name: Debian Patches
 ansible.builtin.import_role:
diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml
index 6e19050..84bfa9a 100644
--- a/roles/patch_debian/tasks/main.yaml
+++ b/roles/patch_debian/tasks/main.yaml
@@ -5,11 +5,11 @@
 - ansible_distribution_file_variety == 'Debian'
 no_log: true
 - name: Update repository cache
- apt:
+ ansible.builtin.apt:
 update_cache: "yes"
 become: true
 - name: Check for upgrades
- shell:
+ ansible.builtin.shell:
 cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l
 # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W
 register: aue
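Review bot: `update_cache: "yes"` on the "Update repository cache" task is still a quoted string where a boolean is meant, which the commit's own boolean clean-up leaves behind; the module treats it as truthy either way, but `update_cache: true` is the canonical form and keeps ansible-lint quiet. The upgrade count in the "Check for upgrades" task filters the `Listing...` header by its English text, so if apt localizes that header on a host with a non-C locale the count reads one too high and every run would look like it has pending upgrades; pinning the locale on that task, `environment: { LC_ALL: C }`, makes the count stable. Keeping this task as `shell` rather than `command` is right because of the pipeline. The task's remaining keys (and the `changed_when` for it) lie past the end of this hunk.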
@@ -20,74 +20,80 @@
 changed_when: false
 - block:
 - name: Check for existence of rkhunter
- stat:
+ ansible.builtin.stat:
 path: /usr/bin/rkhunter
 register: rkhex
 ignore_errors: true
 no_log: true
 changed_when: false
- - name: rkhunter pre-check
- shell: rkhunter -c --sk --rwo --ns
+ - name: RKhunter pre-check
+ ansible.builtin.command: rkhunter -c --sk --rwo --ns
 become: true
 no_log: true
+ changed_when: false
 when:
 - rkhex.stat is defined
 - rkhex.stat.executable is defined
- - rkhex.stat.executable == true
+ - rkhex.stat.executable|bool == True
 - name: Clean packages cache
- command: apt clean
+ ansible.builtin.command: apt clean
+ changed_when: true
 become: true
 - name: Upgrade packages (Debian)
- apt:
+ ansible.builtin.apt:
 upgrade: dist
 become: true
 - name: Remove dependencies that are no longer required
- apt:
+ ansible.builtin.apt:
 autoremove: "yes"
 purge: "yes"
 become: true
+ name: Update and RKhunter checks
+ when: aue.stdout|int > 0
+- block:
 - name: Check for existence of needrestart
- stat:
+ ansible.builtin.stat:
 path: /usr/sbin/needrestart
 register: nrex
 ignore_errors: "yes"
 no_log: true
 failed_when: false
 changed_when: false
- when: aue.stdout|int > 0
-- block:
 - name: Check for outdated kernel
- shell: /usr/sbin/needrestart -pk
+ ansible.builtin.command: /usr/sbin/needrestart -pk
 register: kernout
 changed_when: false
 # failed_when necessary to not fail on RC 1 instead of a true failure
 failed_when: kernout.rc > 2
 - name: Check for outdated services
- shell: /usr/sbin/needrestart -pl
+ ansible.builtin.command: /usr/sbin/needrestart -pl
 register: svcout
 changed_when: false
 # failed_when necessary to not fail on RC 1 instead of a true failure
 failed_when: svcout.rc > 2
 become: true
+ name: Check reboot requirement
 when:
 - nrex.stat is defined
 - nrex.stat.exists == true
- - nrex.stat.executable == true
+ - nrex.stat.executable|bool == True
 - name: Clean apt cache
 # ansible's apt module does not have a dedicated action for this yet. So shell it is:
- shell: apt clean
+ ansible.builtin.command: apt clean
+ changed_when: false
 become: true
 # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well)
-- name: rkhunter properties update
- command: rkhunter --propupd --rwo --ns
+- name: RKhunter properties update
+ ansible.builtin.command: rkhunter --propupd --rwo --ns
 become: true
+ changed_when: false
 when:
 - rkhex.stat is defined
 - rkhex.stat.executable is defined
- - rkhex.stat.executable == true
+ - rkhex.stat.executable|bool == True
 - name: Reboot if required
 # ignore_errors: yes
- reboot:
+ ansible.builtin.reboot:
 reboot_timeout: 300
 pre_reboot_delay: 5
 test_command: uptime
-- cgit v1.2.3
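Review bot: The three `|bool == True` conditions that replace `== true` are still literal comparisons against a boolean (ansible-lint `literal-compare`), and `stat.executable` is already a bool, so the plain `- rkhex.stat.executable` and `- nrex.stat.executable` are both shorter and what the subject's "boolean handling" promises; the untouched `- nrex.stat.exists == true` in the same `when:` list deserves the same treatment. The two `apt clean` tasks now disagree, `changed_when: true` on "Clean packages cache" but `changed_when: false` on "Clean apt cache", for the identical command; pick one (false, as cache cleanup is housekeeping), and since the later task runs unconditionally the earlier one inside the block looks redundant. `ignore_errors: "yes"` on the needrestart stat is a quoted string and is made moot by the `failed_when: false` on the same task, so `ignore_errors: true` or dropping it is cleaner. The RKhunter pre-check is presumably meant to abort patching when rkhunter reports a warning (non-zero exit under `--rwo`), but with `no_log: true` on that task the operator never sees which warning fired; if that output holds nothing sensitive, drop the `no_log` or `register` the result and surface it on failure. The `when:` of the "Reboot if required" task, if it has one, lies past the end of the hunk.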