Ansible lint fixes

Ruben van Staveren 2024-06-12 14:47:43 +02:00
parent 460802d02e
commit df1b2dbcfe
Signed by: ruben
GPG Key ID: 886F6BECD477A93F
11 changed files with 91 additions and 77 deletions


@ -22,11 +22,11 @@
pre_tasks: pre_tasks:
- name: Abort automated dist-upgrade non Debian systems - name: Abort automated dist-upgrade non Debian systems
fail: ansible.builtin.fail:
msg: 'Not dist-upgrading non-Debian system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version' msg: 'Not dist-upgrading non-Debian system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'
when: "ansible_facts['os_family']|lower != 'debian'" when: "ansible_facts['os_family']|lower != 'debian'"
- name: Abort automated dist-upgrade for EOL systems - name: Abort automated dist-upgrade for EOL systems
fail: ansible.builtin.fail:
msg: 'Not dist-upgrading EOL system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version' msg: 'Not dist-upgrading EOL system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'
when: "ansible_distribution == 'Debian' and ansible_distribution_release not in debian_supported" when: "ansible_distribution == 'Debian' and ansible_distribution_release not in debian_supported"
- name: Check available space - name: Check available space
@ -38,12 +38,12 @@
pkg: '{{ required_pkgs }}' pkg: '{{ required_pkgs }}'
- name: Tell we are not going to do dist-upgrade, if not in the upgrade matrix - name: Tell we are not going to do dist-upgrade, if not in the upgrade matrix
fail: ansible.builtin.fail:
msg: 'Upgrading {{ ansible_distribution_release }} is not possible, upgrade path not seen in upgrade matrix' msg: 'Upgrading {{ ansible_distribution_release }} is not possible, upgrade path not seen in upgrade matrix'
when: "ansible_distribution_release not in debian_upgrade_matrix" when: "ansible_distribution_release not in debian_upgrade_matrix"
- name: Tell we are going to do dist-upgrade - name: Tell we are going to do dist-upgrade
debug: ansible.builtin.debug:
msg: 'Upgrade {{ ansible_distribution_release }} to {{ debian_upgrade_matrix[ansible_distribution_release] }}' msg: 'Upgrade {{ ansible_distribution_release }} to {{ debian_upgrade_matrix[ansible_distribution_release] }}'
when: "ansible_distribution_release in debian_upgrade_matrix" when: "ansible_distribution_release in debian_upgrade_matrix"
- name: Find apt sources mentioning Debian distribution name - name: Find apt sources mentioning Debian distribution name
@ -59,7 +59,7 @@
apt_sources_files: '{{ ["/etc/apt/sources.list"] + (apt_sources.files | map(attribute="path") )}}' apt_sources_files: '{{ ["/etc/apt/sources.list"] + (apt_sources.files | map(attribute="path") )}}'
- name: Record current selections - name: Record current selections
command: ansible.builtin.command:
cmd: '/usr/bin/dpkg --get-selections "*"' cmd: '/usr/bin/dpkg --get-selections "*"'
register: dpkg_selections_all_pre register: dpkg_selections_all_pre
check_mode: false # Need to have this working in check mode check_mode: false # Need to have this working in check mode
@ -87,7 +87,7 @@
import_tasks: tasks/dist_upgrade_debian.yml import_tasks: tasks/dist_upgrade_debian.yml
- name: Show found apt source file - name: Show found apt source file
debug: ansible.builtin.debug:
msg: 'Adjusting {{ item }}' msg: 'Adjusting {{ item }}'
loop: '{{ apt_sources_files }}' loop: '{{ apt_sources_files }}'
@ -112,14 +112,14 @@
register: apt_sources_files_replacements register: apt_sources_files_replacements
- name: Show replacements - name: Show replacements
debug: ansible.builtin.debug:
var: apt_sources_files_replacements var: apt_sources_files_replacements
- name: Dist upgrade on to get to the new release - name: Dist upgrade on to get to the new release
import_tasks: tasks/dist_upgrade_debian.yml import_tasks: tasks/dist_upgrade_debian.yml
- name: Record current selections after upgrade - name: Record current selections after upgrade
command: ansible.builtin.command:
cmd: '/usr/bin/dpkg --get-selections "*"' cmd: '/usr/bin/dpkg --get-selections "*"'
register: dpkg_selections_all_post register: dpkg_selections_all_post
check_mode: false # Need to have this working in check mode check_mode: false # Need to have this working in check mode
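Review bot: The two `Record current selections` tasks run a read-only `dpkg --get-selections` but, as far as these hunks show, carry no `changed_when`, so every run reports a change; the `freebsd-version -k` task elsewhere in this commit received `changed_when: false` for the same reason. Suggest adding `changed_when: false` under both `ansible.builtin.command` tasks. The first of them continues past the end of its hunk, so the key may already be present there. The two `import_tasks: tasks/dist_upgrade_debian.yml` lines were also left without the `ansible.builtin.` prefix that the FreeBSD playbook's imports received.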


@ -11,20 +11,21 @@
tasks: tasks:
- name: Fetch updates - name: Fetch updates
command: ansible.builtin.command:
cmd: /usr/sbin/freebsd-update fetch --not-running-from-cron cmd: /usr/sbin/freebsd-update fetch --not-running-from-cron
environment: environment:
PAGER: cat PAGER: cat
changed_when: '"No updates needed to update" not in fetchupdates.stdout'
register: fetchupdates register: fetchupdates
# Need to have this working in check mode # Need to have this working in check mode
check_mode: false check_mode: false
- name: show results of fetch updates - name: Show results of fetch updates
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
msg: '{{ fetchupdates.stdout }}' msg: '{{ fetchupdates.stdout }}'
- name: Check if updates are ready to install - name: Check if updates are ready to install
command: ansible.builtin.command:
cmd: /usr/sbin/freebsd-update updatesready cmd: /usr/sbin/freebsd-update updatesready
register: updatesready register: updatesready
# Need to have this working in check mode # Need to have this working in check mode
@ -34,32 +35,33 @@
changed_when: updatesready.rc == 0 changed_when: updatesready.rc == 0
failed_when: updatesready.rc == 1 failed_when: updatesready.rc == 1
- name: show results of updatesready - name: Show results of updatesready
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
msg: '{{ updatesready.stdout }}' msg: '{{ updatesready.stdout }}'
- name: Update when updates can be installed - name: Update when updates can be installed
when: updatesready.rc == 0
block: block:
- name: Perform system updates - name: Perform system updates
import_tasks: tasks/update_install_freebsd.yml ansible.builtin.import_tasks: tasks/update_install_freebsd.yml
- name: Perform ezjail updates - name: Perform ezjail updates
import_tasks: tasks/update_ezjail_freebsd.yml ansible.builtin.import_tasks: tasks/update_ezjail_freebsd.yml
- name: Perform iocage updates - name: Perform iocage updates
import_tasks: tasks/update_iocage_freebsd.yml ansible.builtin.import_tasks: tasks/update_iocage_freebsd.yml
- name: Record installed kernel version - name: Record installed kernel version
command: ansible.builtin.command:
cmd: /bin/freebsd-version -k cmd: /bin/freebsd-version -k
changed_when: false
check_mode: false check_mode: false
register: installedkernel register: installedkernel
- name: Reboot system if newer kernel is found - name: Reboot system if newer kernel is found
import_tasks: tasks/reboot_system.yml ansible.builtin.import_tasks: tasks/reboot_system.yml
when: ansible_kernel != installedkernel.stdout when: ansible_kernel != installedkernel.stdout
- name: Perform system updates post reboot - name: Perform system updates post reboot
import_tasks: tasks/update_install_freebsd.yml ansible.builtin.import_tasks: tasks/update_install_freebsd.yml
when: updatesready.rc == 0
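Review bot: The new `changed_when` on `Fetch updates` keys on the literal text `No updates needed to update` in stdout, which ties change reporting to the exact wording of freebsd-update's message and is not explained anywhere in the task. A comment above it, e.g. `# freebsd-update prints this line when nothing was fetched; any other output counts as a change`, would tell the next maintainer why the string is there. If the wording ever changes the task will report changed on every run, which errs on the noisy side rather than hiding work, so this is a documentation point only.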


@ -1,7 +1,7 @@
# vim:ts=2:sw=2:et:filetype=ansible # vim:ts=2:sw=2:et:filetype=ansible
--- ---
- name: test for available disk space - name: Test for available disk space
assert: ansible.builtin.assert:
quiet: true quiet: true
that: that:
- not (item.mount == '/' and ( item.size_available < item.size_total - ( item.size_total|float * ((100 - (disk_free_percentage|default(15)))/100) ) ) ) - not (item.mount == '/' and ( item.size_available < item.size_total - ( item.size_total|float * ((100 - (disk_free_percentage|default(15)))/100) ) ) )
@ -17,7 +17,7 @@
register: disk_free register: disk_free
- name: Not enough free disk space - name: Not enough free disk space
fail: ansible.builtin.fail:
msg: | msg: |
Not enough free space on system: Not enough free space on system:
{% for failed_space in (disk_free.results | selectattr('failed')) %} {% for failed_space in (disk_free.results | selectattr('failed')) %}


@ -6,7 +6,7 @@
update_cache: true update_cache: true
- name: Check restart status - name: Check restart status
command: ansible.builtin.command:
cmd: /usr/sbin/needrestart -pk cmd: /usr/sbin/needrestart -pk
register: restart_status register: restart_status
check_mode: false # Need to have this working in check mode check_mode: false # Need to have this working in check mode
@ -14,8 +14,8 @@
failed_when: restart_status.rc > 2 failed_when: restart_status.rc > 2
ignore_errors: true # non zero exit code does not mean "failure" but "action needed" ignore_errors: true # non zero exit code does not mean "failure" but "action needed"
- name: show results of needrestart / check_restart_required - name: Show results of needrestart / check_restart_required
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
var: restart_status.stdout_lines var: restart_status.stdout_lines
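Review bot: `ignore_errors: true` on `Check restart status` still hides the one case that `failed_when: restart_status.rc > 2` on the line above is meant to catch, so a genuinely broken needrestart run lets the play continue with no usable restart information. Since `failed_when` already treats exit codes up to 2 as success, the `ignore_errors` line can be dropped and its comment kept as `# rc 1 and 2 mean "action needed", not failure`. The same pair appears on the checkrestart task in the FreeBSD package-update file. The task begins above this hunk, so only its tail is visible here.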


@ -1,12 +1,12 @@
# vim:ts=2:sw=2:et:filetype=ansible # vim:ts=2:sw=2:et:filetype=ansible
--- ---
- name: Execute post patch commands - name: Execute post patch commands
shell: ansible.builtin.shell:
cmd: '{{ item }}' cmd: '{{ item }}'
loop: '{{ patch_post_exec }}' loop: '{{ patch_post_exec }}'
register: patch_post_exec_res register: patch_post_exec_res
- name: show results of patch_post_exec actions - name: Show results of patch_post_exec actions
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
var: patch_post_exec_res var: patch_post_exec_res
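Review bot: `Execute post patch commands` hands each entry of `patch_post_exec` to `ansible.builtin.shell` unchanged, so the variable amounts to command execution on the managed host for whoever can edit the vars that define it, and the task has no `changed_when`. A comment above the task, e.g. `# patch_post_exec entries are run verbatim through the shell; define them only in reviewed vars files`, would document that trust boundary, and `changed_when: true` would match what this commit added to the other update commands. The registered result is printed by the debug task at verbosity 1, so any secret that a command echoes would end up in the controller output. The pre-patch file has the same pattern with `patch_pre_exec`.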


@ -1,12 +1,12 @@
# vim:ts=2:sw=2:et:filetype=ansible # vim:ts=2:sw=2:et:filetype=ansible
--- ---
- name: Execute pre patch commands - name: Execute pre patch commands
shell: ansible.builtin.shell:
cmd: '{{ item }}' cmd: '{{ item }}'
loop: '{{ patch_pre_exec }}' loop: '{{ patch_pre_exec }}'
register: patch_pre_exec_res register: patch_pre_exec_res
- name: show results of patch_pre_exec actions - name: Show results of patch_pre_exec actions
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
var: patch_pre_exec_res var: patch_pre_exec_res


@ -1,11 +1,11 @@
# vim:ts=2:sw=2:et:filetype=ansible # vim:ts=2:sw=2:et:filetype=ansible
--- ---
- name: Reboot system for patches - name: Reboot system for patches
reboot: ansible.builtin.reboot:
msg: 'Rebooting for patches' msg: 'Rebooting for patches'
register: system_reboot register: system_reboot
- name: show results of reboot - name: Show results of reboot
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
var: system_reboot var: system_reboot


@ -1,7 +1,7 @@
# vim:ts=2:sw=2:et:filetype=ansible # vim:ts=2:sw=2:et:filetype=ansible
--- ---
- name: Check security status - name: Check security status
command: ansible.builtin.command:
cmd: /usr/sbin/pkg audit -Rjson-compact cmd: /usr/sbin/pkg audit -Rjson-compact
register: security_status register: security_status
# Need to have this working in check mode # Need to have this working in check mode
@ -11,23 +11,27 @@
changed_when: security_status.rc != 0 changed_when: security_status.rc != 0
failed_when: security_status.rc > 2 failed_when: security_status.rc > 2
- name: show results of security_status - name: Show results of security_status
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
msg: '{{security_status.stdout | from_json | to_json(indent=4, sort_keys=True) }}' msg: '{{ security_status.stdout | from_json | to_json(indent=4, sort_keys=True) }}'
- name: Perform pre update commands - name: Perform pre update commands
import_tasks: tasks/patch_pre_exec.yml ansible.builtin.import_tasks: tasks/patch_pre_exec.yml
when: patch_pre_exec is defined when: patch_pre_exec is defined
- block: - name: Perform security updates when outstanding (or check mode)
when: security_status.rc != 0 or ansible_check_mode
block:
- name: Update all packages to their latest version - name: Update all packages to their latest version
command: ansible.builtin.command:
cmd: /usr/sbin/pkg upgrade -vy cmd: /usr/sbin/pkg upgrade -vy
# async: '{{ ansible_check_mode | ternary(0, (downtime_minutes | int * 60) - 60)}}' # async: '{{ ansible_check_mode | ternary(0, (downtime_minutes | int * 60) - 60)}}'
changed_when: pkg_data.rc != 0
failed_when: "'FAILED' in pkg_data.stderr"
register: pkg_data register: pkg_data
- name: Update all packages to their latest version (dry run) - name: Update all packages to their latest version (dry run)
command: ansible.builtin.command:
cmd: /usr/sbin/pkg upgrade -vyn cmd: /usr/sbin/pkg upgrade -vyn
# Need to have this working in check mode # Need to have this working in check mode
check_mode: false check_mode: false
@ -37,8 +41,8 @@
register: pkg_data register: pkg_data
when: ansible_check_mode when: ansible_check_mode
rescue: rescue:
- name: pkg failed, try to recover if possible - name: Pkg failed, try to recover if possible
debug: ansible.builtin.debug:
msg: "Something went wrong, attempting recovery.." msg: "Something went wrong, attempting recovery.."
always: always:
@ -67,11 +71,11 @@
- name: Perform post update commands - name: Perform post update commands
import_tasks: tasks/patch_post_exec.yml ansible.builtin.import_tasks: tasks/patch_post_exec.yml
when: patch_post_exec is defined when: patch_post_exec is defined
- name: Check restart status - name: Check restart status
command: ansible.builtin.command:
cmd: /usr/local/bin/checkrestart -j 0 --libxo json cmd: /usr/local/bin/checkrestart -j 0 --libxo json
register: check_restart_status register: check_restart_status
check_mode: false # Need to have this working in check mode check_mode: false # Need to have this working in check mode
@ -79,37 +83,36 @@
failed_when: check_restart_status.rc > 2 failed_when: check_restart_status.rc > 2
ignore_errors: true # non zero exit code does not mean "failure" but "action needed" ignore_errors: true # non zero exit code does not mean "failure" but "action needed"
- name: set restart_files - name: Set restart_files
ansible.builtin.set_fact: ansible.builtin.set_fact:
restart_files: '{{ check_restart_status.stdout | from_json | community.general.json_query("checkrestart.process[].arguments") | unique}}' restart_files: '{{ check_restart_status.stdout | from_json | community.general.json_query("checkrestart.process[].arguments") | unique}}'
- name: find packages for restart_files - name: Find packages for restart_files
ansible.builtin.command: ansible.builtin.ansible.builtin.command:
cmd: '/usr/sbin/pkg which -q {{ item }}' cmd: '/usr/sbin/pkg which -q {{ item }}'
register: pkg_which_output register: pkg_which_output
loop: '{{ restart_files }}' loop: '{{ restart_files }}'
- name: list package contents - name: List package contents
ansible.builtin.command: ansible.builtin.ansible.builtin.command:
cmd: '/usr/sbin/pkg info -ql {{ item }}' cmd: '/usr/sbin/pkg info -ql {{ item }}'
register: pkg_info_output register: pkg_info_output
loop: '{{ pkg_which_output.results | map(attribute="stdout")}}' loop: '{{ pkg_which_output.results | map(attribute="stdout")}}'
- name: set services to be restarted due to stale libraries - name: Set services to be restarted due to stale libraries
ansible.builtin.set_fact: ansible.builtin.set_fact:
restart_services: '{{ restart_services + (item) }}' restart_services: '{{ restart_services + (item) }}'
loop: '{{ pkg_info_output.results | map(attribute="stdout_lines") | select("search","\/rc\.d\/([^\/]+)$") | map("basename")}}' loop: '{{ pkg_info_output.results | map(attribute="stdout_lines") | select("search","\/rc\.d\/([^\/]+)$") | map("basename")}}'
loop_control: loop_control:
label: '{{ item }}' label: '{{ item }}'
- name: show services to be restarted - name: Show services to be restarted
ansible.builtin.debug: ansible.builtin.ansible.builtin.debug:
verbosity: 1 verbosity: 1
var: restart_services var: restart_services
- name: restart service(s) - name: Restart service(s)
ansible.builtin.service: ansible.builtin.service:
name: '{{ item }}' name: '{{ item }}'
state: restarted state: restarted
loop: '{{ restart_services }}' loop: '{{ restart_services }}'
when: security_status.rc != 0 or ansible_check_mode
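Review bot: Three tasks in the last hunk now read `ansible.builtin.ansible.builtin.command` or `ansible.builtin.ansible.builtin.debug` (`Find packages for restart_files`, `List package contents`, `Show services to be restarted`); the prefix was applied to names that were already fully qualified, and Ansible will presumably fail to resolve them, which would stop this security-update task file from running. They should go back to `ansible.builtin.command` and `ansible.builtin.debug`. Separately, on `Update all packages to their latest version` the added `changed_when: pkg_data.rc != 0` reports a change only when `pkg upgrade` exits non-zero, and `failed_when: "'FAILED' in pkg_data.stderr"` replaces the default exit-code check, so a failed upgrade without that word in stderr would show up as a change rather than a failure. `failed_when: pkg_data.rc != 0 or 'FAILED' in pkg_data.stderr` keeps the exit code in the failure test, and `changed_when` is better derived from the command's output than from its return code.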


@ -1,22 +1,25 @@
# vim:ts=2:sw=2:et:filetype=ansible
--- ---
- name: Check if ezjail is available - name: Check if ezjail is available
stat: ansible.builtin.stat:
path: /usr/local/bin/ezjail-admin path: /usr/local/bin/ezjail-admin
tags: tags:
- always - always
register: ezjail_available register: ezjail_available
- block: - name: Perform ezjail updates when ezjail-admin is available
when: ezjail_available.stat.exists
block:
- name: Install updates (ezjail) - name: Install updates (ezjail)
command: ansible.builtin.command:
cmd: /usr/local/bin/ezjail-admin update -u cmd: /usr/local/bin/ezjail-admin update -u
changed_when: true
register: installupdates_ezjail register: installupdates_ezjail
- name: show results of install updates (ezjail) - name: Show results of install updates (ezjail)
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
msg: '{{ installupdates_ezjail.stdout }}' msg: '{{ installupdates_ezjail.stdout }}'
# XXX etcupdate in blind mode / certificate stuff # XXX etcupdate in blind mode / certificate stuff
# #
when: ezjail_available.stat.exists


@ -1,12 +1,14 @@
# vim:ts=2:sw=2:et:filetype=ansible
--- ---
- name: Install updates - name: Install updates
command: ansible.builtin.command:
cmd: /usr/sbin/freebsd-update install cmd: /usr/sbin/freebsd-update install
changed_when: true
environment: environment:
PAGER: cat PAGER: cat
register: installupdates register: installupdates
- name: show results of install updates - name: Show results of install updates
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
msg: '{{ installupdates.stdout }}' msg: '{{ installupdates.stdout }}'


@ -1,40 +1,45 @@
# vim:ts=2:sw=2:et:filetype=ansible
--- ---
- name: Check if iocage is available - name: Check if iocage is available
stat: ansible.builtin.stat:
path: /usr/local/bin/iocage path: /usr/local/bin/iocage
tags: tags:
- always - always
register: iocage_available register: iocage_available
- block: - name: Perform iocage updates when iocage is available
when: iocage_available.stat.exists
block:
- name: List iocage jails - name: List iocage jails
command: ansible.builtin.command:
cmd: /usr/local/bin/iocage list -H cmd: /usr/local/bin/iocage list -H
changed_when: false
check_mode: false check_mode: false
register: iocage_list_jails register: iocage_list_jails
- name: show results of list jails (iocage) - name: Show results of list jails (iocage)
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
var: iocage_list_jails var: iocage_list_jails
- name: set iocage jails - name: Set iocage jails
ansible.builtin.set_fact: ansible.builtin.set_fact:
iocage_jails: '{{ iocage_list_jails.stdout_lines | map("split") }}' iocage_jails: '{{ iocage_list_jails.stdout_lines | map("split") }}'
- name: Install updates (iocage) - name: Install updates (iocage)
command: ansible.builtin.command:
cmd: '/usr/local/bin/iocage update {{ item.1 }}' cmd: '/usr/local/bin/iocage update {{ item.1 }}'
environment: environment:
PAGER: cat PAGER: cat
changed_when: true
when: item.2 == 'up' and item.3 == ansible_distribution_version + '-RELEASE' when: item.2 == 'up' and item.3 == ansible_distribution_version + '-RELEASE'
loop: '{{ iocage_jails }}' loop: '{{ iocage_jails }}'
loop_control: loop_control:
label: 'iocage update {{ item.1 }}' label: 'iocage update {{ item.1 }}'
register: installupdates_iocage register: installupdates_iocage
- name: show results of install updates (iocage) - name: Show results of install updates (iocage)
debug: ansible.builtin.debug:
verbosity: 1 verbosity: 1
msg: | msg: |
{% if item.false_condition is not defined -%} {% if item.false_condition is not defined -%}
@ -49,4 +54,3 @@
loop_control: loop_control:
label: 'Update of {{ item.item.1 }}' label: 'Update of {{ item.item.1 }}'
when: installupdates_iocage when: installupdates_iocage
when: iocage_available.stat.exists
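Review bot: The context line `when: installupdates_iocage` in the final hunk uses a registered result as the condition instead of a boolean expression, so its outcome depends on how Ansible evaluates a non-boolean value in `when`. If the intent is to skip the report when the update task produced nothing, an explicit test such as `when: installupdates_iocage.results is defined` states that. In `Install updates (iocage)` the jails are selected by position (`item.1`, `item.2`, `item.3`) from a whitespace split of `iocage list -H`, and a short comment naming those columns would make the `when` on that task checkable. The debug task starts above the final hunk, so its loop expression is not visible here.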