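---
# Debian-family maintenance tasks: assert the OS family, refresh the apt
# cache, count upgradable packages, and — only when there are any — run an
# rkhunter pre-check, dist-upgrade and autoremove. Afterwards the apt cache
# is cleaned, needrestart (if installed) is queried for an outdated kernel /
# stale services, the rkhunter file-property database is refreshed and the
# host is rebooted when needed.
#
# Registered facts used across tasks:
#   aue     - line count of `apt list --upgradable` (number of upgradable packages)
#   rkhex   - stat of /usr/bin/rkhunter (only registered inside the upgrade block)
#   nrex    - stat of /usr/sbin/needrestart
#   kernout - exit code of `needrestart -pk` (kernel)
#   svcout  - exit code of `needrestart -pl` (services)

- name: "Check whether OS is a Debian derivative"
  ansible.builtin.assert:
    that:
      - ansible_distribution_file_variety == 'Debian'
  # no_log hides the assertion detail in the output; the play still stops here
  # on a non-Debian host.
  no_log: true

- name: Update repository cache
  ansible.builtin.apt:
    update_cache: true
  become: true

- name: Check for upgrades
  ansible.builtin.shell:
    # Counts every line of `apt list --upgradable` except the "Listing..." header.
    cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l # TWO CROSSED HAMMERS AND A BIG W
  register: aue
  # apt will throw an error because it doesn't like piping yet.
  # for our purposes, however, everything has already been sufficiently implemented.
  # NOTE(review): without pipefail the pipeline's exit status is that of `wc`,
  # so `failed_when: false` mainly masks apt failures (e.g. a held dpkg lock).
  # In that case stdout is empty, `aue.stdout|int` is 0 and the upgrade block
  # below is silently skipped — confirm that this is the intended behaviour.
  failed_when: false
  #changed_when: aue.stdout|int > 0
  changed_when: false

- block:
    - name: Check for existence of rkhunter
      ansible.builtin.stat:
        path: /usr/bin/rkhunter
      register: rkhex
      ignore_errors: true
      no_log: true
      changed_when: false

    - name: RKhunter pre-check
      # Runs only when rkhunter is present and executable. No failed_when is
      # set, so a non-zero exit (rkhunter reporting warnings) aborts the play
      # before any package is upgraded.
      ansible.builtin.command: rkhunter -c --sk --rwo --ns
      become: true
      no_log: true
      changed_when: false
      when:
        - rkhex.stat is defined
        - rkhex.stat.executable is defined
        - rkhex.stat.executable | bool

    - name: Clean packages cache
      ansible.builtin.command: apt clean
      changed_when: true
      become: true

    - name: Upgrade packages (Debian)
      ansible.builtin.apt:
        upgrade: dist
      become: true

    - name: Remove dependencies that are no longer required
      ansible.builtin.apt:
        autoremove: true
        purge: true
      become: true
  name: Update and RKhunter checks
  when: aue.stdout | int > 0

- block:
    - name: Check for existence of needrestart
      ansible.builtin.stat:
        path: /usr/sbin/needrestart
      register: nrex

    - name: Check for outdated kernel
      ansible.builtin.command: /usr/sbin/needrestart -pk
      register: kernout
      changed_when: false
      # failed_when necessary to not fail on RC 1 instead of a true failure
      failed_when: kernout.rc > 2

    - name: Check for outdated services
      ansible.builtin.command: /usr/sbin/needrestart -pl
      register: svcout
      changed_when: false
      # failed_when necessary to not fail on RC 1 instead of a true failure
      failed_when: svcout.rc > 2
  become: true
  name: Check reboot requirement
  when:
    - nrex.stat is defined
    - nrex.stat.exists | bool
    - nrex.stat.executable | bool

- name: Clean apt cache
  # ansible's apt module does not have a dedicated action for this yet. So shell it is:
  ansible.builtin.command: apt clean
  changed_when: false
  become: true

# This task is not tied to "debian updates available" on purpose: the more
# generic cleanup above already ran (unless it was narrowed down as well).
# rkhex is only registered inside the upgrade block, so this is skipped when
# that block was skipped.
- name: RKhunter properties update
  ansible.builtin.command: rkhunter --propupd --rwo --ns
  become: true
  changed_when: true
  when:
    - rkhex.stat is defined
    - rkhex.stat.executable is defined
    - rkhex.stat.executable | bool

- name: Reboot if required
  # ignore_errors: yes
  ansible.builtin.reboot:
    reboot_timeout: 300
    pre_reboot_delay: 5
    test_command: uptime
    reboot_command: "/bin/systemctl reboot"
  become: true
  # Reboot when either needrestart query returned RC 1, or when neither query
  # ran (needrestart not installed, so the requirement cannot be determined).
  # NOTE(review): the last clause reboots the host on every run where
  # needrestart is absent — confirm this is intended. Only RC 1 is treated as
  # "reboot required"; an RC of 2 is not — verify against the needrestart
  # version in use.
  when: >-
    (kernout.rc is defined and kernout.rc | int == 1)
    or (svcout.rc is defined and svcout.rc | int == 1)
    or (kernout.rc is not defined and svcout.rc is not defined)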