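---
- name: Check whether OS is a Red Hat derivative
  # Everything below drives yum/dnf, so refuse to run on any other family
  # instead of failing half-way through an upgrade. Needs gathered facts.
  # The expression contains nothing sensitive, so the failure stays visible
  # in the log (no no_log here).
  ansible.builtin.assert:
    that:
      - ansible_distribution_file_variety == 'RedHat'
    fail_msg: "This tasks file only supports Red Hat derivatives (yum/dnf)."

- name: Update yum/dnf cache
  # We want a dedicated failure if the repos cannot be fetched, before any
  # upgrade is attempted. The yum module only refreshes the cache when
  # state is present/latest, and name is not mandatory, so this updates the
  # cache without installing anything.
  # NOTE(review): validate_certs in the yum module covers rpm downloads from
  # https URLs given as name; TLS checking of repo metadata is governed by
  # sslverify in the repo files — confirm that is enabled there.
  ansible.builtin.yum:
    state: present
    update_cache: true
    validate_certs: true
  become: true

- name: Check for upgrades (RHEL)
  # Ask the module for the list of pending updates instead of piping
  # "yum check-upgrade" through wc: the pipeline's exit status was wc's, so
  # repo errors were swallowed (2>/dev/null) and read as "zero updates", and
  # the "> 1 lines" heuristic skipped hosts with exactly one pending update.
  # results holds one entry per upgradable package.
  ansible.builtin.yum:
    list: updates
  register: yue
  changed_when: false
  become: true

- name: Updates and RKhunter checks
  when: yue.results | length > 0
  block:
    - name: Check for existence of rkhunter
      ansible.builtin.stat:
        path: /usr/bin/rkhunter
      register: rkhex

    - name: RKhunter pre-check
      # Scan before any binary is touched. rkhunter exits non-zero when it
      # reports a warning, which fails the play for this host and stops the
      # upgrade. The output is deliberately NOT hidden: with --rwo the only
      # lines printed are the warnings an operator needs to see to decide
      # what to do.
      ansible.builtin.command: rkhunter -c --sk --rwo --ns
      become: true
      changed_when: false
      when:
        - rkhex.stat is defined
        - rkhex.stat.executable is defined
        - rkhex.stat.executable

    - name: Upgrade all installed packages (RHEL)
      # CAUTION: skip_broken leaves packages with unresolved dependency
      # problems at their current version without failing the task, so a
      # security update can be silently skipped. Review the task output
      # when that matters.
      ansible.builtin.yum:
        name: '*'
        state: latest
        validate_certs: true
        skip_broken: true
      become: true

    # Auto-removal is broken and will nuke packages we previously selected
    # through e.g. ansible. See ansible issue #60349. Leaving commented out.
    # - name: Auto-removal of orphaned dependencies (RHEL)
    #   ansible.builtin.yum:
    #     autoremove: true

- name: Check reboot requirement
  block:
    - name: Register requirement for reboot (RHEL)
      # "yum needs-restarting -r" still works on RHEL 8 through the yum->dnf
      # alias; on major releases >= 9 you may need to call dnf directly.
      # Exit status 1 means "reboot required", 0 means "not required".
      # Anything else is a tooling error and must not be mistaken for a
      # reboot request, so only 0 and 1 are accepted.
      # NOTE(review): confirm on your hosts that a missing needs-restarting
      # plugin does not also exit 1; if it can, install yum-utils /
      # dnf-plugins-core before this task.
      ansible.builtin.command: yum needs-restarting -r
      register: nr
      changed_when: false
      failed_when: nr.rc not in [0, 1]
      become: true

- name: Clean packages cache (RHEL)
  # ansible's yum module has no dedicated action for this, so shell it is.
  # CAUTION: this only works as long as modern RHEL derivatives (RHEL/CentOS
  # >= 8, Fedora >= 30) keep yum as a pseudo-alias of dnf.
  ansible.builtin.command: yum clean packages
  changed_when: true
  become: true

- name: RKhunter properties update
  # Re-baseline rkhunter's file properties after the upgrade. Whatever
  # changed on disk between the pre-check and this point becomes part of the
  # baseline, so keep the two close together and do not insert unrelated
  # work in between.
  ansible.builtin.command: rkhunter --propupd --rwo --ns
  become: true
  changed_when: true
  when:
    - rkhex.stat is defined
    - rkhex.stat.executable is defined
    - rkhex.stat.executable

- name: Reboot if required
  # Fail closed: reboot only on the explicit "reboot required" status (1).
  # The previous condition also rebooted on any other non-zero rc and when
  # rc was undefined, i.e. on tool errors rather than on a real requirement.
  ansible.builtin.reboot:
    reboot_timeout: 300
    pre_reboot_delay: 5
    test_command: uptime
    reboot_command: "/bin/systemctl reboot"
  become: true
  when: nr.rc is defined and nr.rc | int == 1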