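# vim:ts=2:sw=2:et:filetype=ansible
---
# FreeBSD security patching task list: audit installed packages with pkg(8),
# upgrade when the audit reports action needed (dry run in check mode), write
# the pkg output to a log, then restart the services that checkrestart reports
# as running with stale libraries.
# Expected from the caller: `restart_services` (a list this file extends) and,
# optionally, the `patch_pre_exec` / `patch_post_exec` hooks.
# Module names use FQCN throughout (the file previously mixed short and
# fully-qualified names for the same modules).

- name: Check security status
  ansible.builtin.command:
    cmd: /usr/sbin/pkg audit -Rjson-compact
  register: security_status
  # Need to have this working in check mode
  check_mode: false
  # non zero exit code does not mean "failure" but "action needed"
  ignore_errors: true
  changed_when: security_status.rc != 0
  failed_when: security_status.rc > 2

- name: show results of security_status
  ansible.builtin.debug:
    verbosity: 1
    msg: '{{security_status.stdout | from_json | to_json(indent=4, sort_keys=True) }}'

- name: Perform pre update commands
  ansible.builtin.import_tasks: tasks/patch_pre_exec.yml
  when: patch_pre_exec is defined

- block:
    - name: Update all packages to their latest version
      ansible.builtin.command:
        cmd: /usr/sbin/pkg upgrade -vy
      # async: '{{ ansible_check_mode | ternary(0, (downtime_minutes | int * 60) - 60)}}'
      register: pkg_data

    - name: Update all packages to their latest version (dry run)
      ansible.builtin.command:
        cmd: /usr/sbin/pkg upgrade -vyn
      # Need to have this working in check mode
      check_mode: false
      # NOTE(review): with ignore_errors set, the failed_when below only marks
      # the task in the output; a 'FAILED' in stderr does not stop the play.
      ignore_errors: true
      changed_when: pkg_data.rc != 0
      failed_when: "'FAILED' in pkg_data.stderr"
      register: pkg_data
      when: ansible_check_mode

  rescue:
    # NOTE(review): this rescue only logs. Because the block is then treated
    # as recovered, a failed upgrade still falls through to the restart tasks
    # in `always`; decide whether that is wanted or whether a
    # `ansible.builtin.fail` should follow the message.
    - name: pkg failed, try to recover if possible
      ansible.builtin.debug:
        msg: "Something went wrong, attempting recovery.."

  always:
    - name: Log output from pkg run
      check_mode: false  # Need to have this working in check mode
      ansible.builtin.copy:
        content: |
          Result of pkg on {{inventory_hostname}}
          {% if pkg_data.msg is defined %}
          {{ pkg_data.msg }}
          {% endif %}
          {% if pkg_data.stdout is defined %}
          stdout of pkg
          {{ pkg_data.stdout }}
          {% endif %}
          {% if pkg_data.stderr is defined %}
          stderr of pkg
          {{ pkg_data.stderr }}
          {% endif %}
        # NOTE(review): no `mode` is set, so the log is created with the
        # remote umask under world-readable /var/tmp; consider mode: '0600'
        # if the upgrade output should stay root-only.
        dest: "/var/tmp/security-patch-{{'%FT%T' | strftime}}.log"

    - name: Perform post update commands
      ansible.builtin.import_tasks: tasks/patch_post_exec.yml
      when: patch_post_exec is defined

    - name: Check restart status
      ansible.builtin.command:
        cmd: /usr/local/bin/checkrestart -j 0 --libxo json
      register: check_restart_status
      check_mode: false  # Need to have this working in check mode
      changed_when: check_restart_status.rc != 0
      failed_when: check_restart_status.rc > 2
      ignore_errors: true  # non zero exit code does not mean "failure" but "action needed"

    # json_query needs the jmespath library on the controller.
    - name: set restart_files
      ansible.builtin.set_fact:
        restart_files: '{{ check_restart_status.stdout | from_json | community.general.json_query("checkrestart.process[].arguments") | unique}}'

    # Read-only pkg queries: run them in check mode as well (the tasks below
    # read their `results`, which a skipped task does not provide in the same
    # shape) and never report them as a change.
    # NOTE(review): `item` is interpolated unquoted; the command module splits
    # on whitespace, so a value containing spaces becomes several arguments.
    # Use `{{ item | quote }}` once the format of checkrestart's `arguments`
    # field is confirmed.
    - name: find packages for restart_files
      ansible.builtin.command:
        cmd: '/usr/sbin/pkg which -q {{ item }}'
      register: pkg_which_output
      loop: '{{ restart_files }}'
      check_mode: false
      changed_when: false

    - name: list package contents
      ansible.builtin.command:
        cmd: '/usr/sbin/pkg info -ql {{ item }}'
      register: pkg_info_output
      loop: '{{ pkg_which_output.results | map(attribute="stdout")}}'
      check_mode: false
      changed_when: false

    # NOTE(review): map(attribute="stdout_lines") yields one list per package;
    # confirm the search/basename chain sees individual paths (a `| flatten`
    # before `select` may be needed) - cannot be verified from this file.
    - name: set services to be restarted due to stale libraries
      ansible.builtin.set_fact:
        restart_services: '{{ restart_services + (item) }}'
      loop: '{{ pkg_info_output.results | map(attribute="stdout_lines") | select("search","\/rc\.d\/([^\/]+)$") | map("basename")}}'
      loop_control:
        label: '{{ item }}'

    - name: show services to be restarted
      ansible.builtin.debug:
        verbosity: 1
        var: restart_services

    - name: restart service(s)
      ansible.builtin.service:
        name: '{{ item }}'
        state: restarted
      loop: '{{ restart_services }}'

  # Only patch when the audit reported action needed, or when doing the dry
  # run in check mode. NOTE(review): the source had lost its indentation; this
  # `when` is read as block-level, which Ansible also applies to the tasks in
  # rescue and always - confirm against the original file.
  when: security_status.rc != 0 or ansible_check_mode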