ansible/security.yaml

# vim:ts=2:sw=2:et:filetype=ansible
---

- name: FreeBSD patches
  hosts: all
  become: true
  serial: 4
  order: shuffle
  vars_files:
    - ~/.ansible/my_vault.yml

  vars:
    restart_files: []
    restart_files_packages: []
    restart_services: []

  tasks:
    - block:
        - name: Send alert to operators that patching caused alarms
          fail:
            msg: 'Not patching EOL system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'
          when: "ansible_distribution == 'Debian' and ansible_distribution_release not in ['bullseye','buster','stretch']"

        - name: Use update task for debian
          import_tasks: tasks/update_all_debian.yml
      when: "ansible_facts['os_family']|lower == 'debian'"

    - block:
        - name: Send alert to operators that patching caused alarms
          fail:
            msg: 'Not patching EOL system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_major_version}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'
          when: "ansible_distribution == 'FreeBSD' and ansible_distribution_major_version not in ['13','14']"

        - name: Use update task for debian
          import_tasks: tasks/update_all_freebsd.yml
      when: "ansible_facts['os_family']|lower == 'freebsd'"

    - name: Flush handlers
      meta: flush_handlers

    - name: Check whether the remote node is still reachable
      ansible.builtin.wait_for_connection:
First iteration of update playbooks that work for FreeBSD/Debian 2024-06-12 11:22:54 +02:00			`# vim:ts=2:sw=2:et:filetype=ansible`
			`---`

			`- name: FreeBSD patches`
			`hosts: all`
			`become: true`
			`serial: 4`
			`order: shuffle`
			`vars_files:`
			`- ~/.ansible/my_vault.yml`

			`vars:`
			`restart_files: []`
			`restart_files_packages: []`
			`restart_services: []`

			`tasks:`
			`- block:`
			`- name: Send alert to operators that patching caused alarms`
			`fail:`
			`msg: 'Not patching EOL system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'`
			`when: "ansible_distribution == 'Debian' and ansible_distribution_release not in ['bullseye','buster','stretch']"`

			`- name: Use update task for debian`
			`import_tasks: tasks/update_all_debian.yml`
			`when: "ansible_facts['os_family']\|lower == 'debian'"`

			`- block:`
			`- name: Send alert to operators that patching caused alarms`
			`fail:`
			`msg: 'Not patching EOL system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_major_version}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'`
			`when: "ansible_distribution == 'FreeBSD' and ansible_distribution_major_version not in ['13','14']"`

			`- name: Use update task for debian`
			`import_tasks: tasks/update_all_freebsd.yml`
			`when: "ansible_facts['os_family']\|lower == 'freebsd'"`

			`- name: Flush handlers`
			`meta: flush_handlers`

			`- name: Check whether the remote node is still reachable`
			`ansible.builtin.wait_for_connection:`