From 5bc6f33c93e8541743e27ed111a422c671c72010 Mon Sep 17 00:00:00 2001
From: Stephane MAURO
Date: Sat, 7 Feb 2026 21:58:10 +0100
Subject: [PATCH] Update playbooks
---
 ansible/group_vars/all/vault.yml | 97 +++++++++---------
 ansible/playbooks/apt-upgrade_v3.yml | 148 +++++++++++++++++++++++++++
 2 files changed, 196 insertions(+), 49 deletions(-)
 create mode 100644 ansible/playbooks/apt-upgrade_v3.yml
diff --git a/ansible/group_vars/all/vault.yml b/ansible/group_vars/all/vault.yml
index e6e6e7035..4e686ca8d 100644
--- a/ansible/group_vars/all/vault.yml
+++ b/ansible/group_vars/all/vault.yml
@@ -1,50 +1,49 @@ $ANSIBLE_VAULT;1.1;AES256 -38663632393739306364373664336662353262363363323738363966383833363932383138623461 -3465383939363037306335373462323732343331323033370a333739323233373766653062633861 -35623334333934633438663166383666353963656162323063356435373838613164376264373562 -3235333638383430610a383661323139353131646533303830313965626333396130373537626335 -36303034356461383063353138633665306637393939343036316438653865383461333632323664 -33333864633037313832313866633862333238313333393164333839353736623633303637656264 -30366663353133396632313362363534396134353339636236306662393335643633666161343738 -64393139626566616161616439333164666461663938356137343638666465343039316536303932 -39363734343637343631333935653664376437633762646438363232633237313932386536306235 -66353961336331393937663463393631336338643663303732316466336132646366646135616434 -35343463313839666463623435313130323563306333306138366439353066346633343764613234 -64336336313733303439643231666239366135633132393036656361373464363366396365633231 -38353738303931306235316232643430363135373063636435306562636638363835393732383435 -33346232316235383761623238343333356135363931623363643034613139666235313763306135 -35666563646438663463646238343332653437396463633565663961643434316132646231353430 -39636331636363353732376363306437616234613763346438346361626436393934366535316365 -31326430343531366337636165353762353664626332343637326362323161376635323861626361 -37343436373263663766643365376465626338653362663831383239336133636130616237626530 -36303432633635346332626266323138386166633230643966653839343335646564326239633162 -34336665323164373832616265666330323864396365633331383765356364656139663436626664 -63396139663961656565333032636662316661363831646564353764383037316333303732663931 -37303266373032663265623931336365613163336463383763636333363361356664306333316630 -33663232646436346139353239313166393836643863353335353264343530393463303134383932 
-64393435613065353664303738313335633832333136386334373739626133303239633165366430 -66613830363761356337636138633261616537343730336139396164363565343835383135656135 -39623135346637626339306363613535333230376264316265613062613164383331353365316633 -38386237343561363265303132323262386361643834346234343063323262656261333765666561 -38633666653836666361306636656133356335316130633835376565643131323465363537383165 -62666666306437323430383130326232366632356135306436323739343732343538616664616139 -33306130363433636137633561643961366235623163653930313363393835386233336663303636 -64386162666166336362316566616234353934616438646337353731356434323562643930303863 -62336464623264383965316133653136316363363665653337326132306666363465383266316239 -63653737333437343866613032623466646465623136346536636263346337333165653033306266 -34646432363562303331366335313134343064323531363532356366343633383963386665346135 -39386136666161353934613665313864636165363561303130393966396532323138326231356232 -30333736623838386137626666323038373034333730316238336265396463333838373935383666 -38376465353961626232363239363838613166336262386264323537613137363333363565306135 -35643137616362633461356134303233346663373233633237303734326561303439633261373937 -31623335323931626635383930336562303039333235323338346336636437653738316631333964 -32363033663865303338613764663766366133383964643336393764353630666666303239623539 -31613562323366346362336436626464613834303863393931663032666361643434366131626161 -35363135363431636333663534333965313030316262353037663236376666643464313163333239 -66353264616366636165343162323934326434323636633065383164663866323332306438633662 -35623936656666363264313363643765326564363239663636663361666564623233316461666138 -35616432663234343762393334636437623333626266613761336462353461393263353734333638 -36646263343662313861663163616133623730653262396162313439336138643932346335316438 -64633838363134306630663231316635653363666336666666396236333233383138303433376466 
-64646163663436333434356438656562336239386238613637346233393861653561323330313566 -63316436623736666539386535363136393232616339393364353837363535383232 +31353265663565306664316138303264373462636438613230663664303435343230646338383933 +3061363836346132623364323361633565663531653765320a653138326435646130303336366535 +35663761363433666562616232306134633630356436633061316362646233313162336237646363 +3336616534376638340a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diff --git a/ansible/playbooks/apt-upgrade_v3.yml b/ansible/playbooks/apt-upgrade_v3.yml new file mode 100644 index 000000000..c40a2f506 --- /dev/null +++ b/ansible/playbooks/apt-upgrade_v3.yml 
@@ -0,0 +1,148 @@ +--- +- name: Upgrade Debian avec become_pass dynamique (v2) + hosts: debians + gather_facts: false + become: true + become_method: sudo + + pre_tasks: + - name: Charger les variables vault (become_passwords) + ansible.builtin.include_vars: + file: "../group_vars/all/vault.yml" + name: vault_secrets + + - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords) + ansible.builtin.set_fact: + _become_map: >- + {{ vault_secrets.become_passwords + if (vault_secrets is mapping and 'become_passwords' in vault_secrets) + else vault_secrets }} + + - name: Vérifier que le mot de passe existe pour l’hôte courant + ansible.builtin.assert: + that: + - _become_map is mapping + - inventory_hostname in _become_map + fail_msg: >- + Mot de passe manquant pour {{ inventory_hostname }}. + Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} + + - name: Définir le mot de passe sudo (variable officielle) + ansible.builtin.set_fact: + ansible_become_password: "{{ _become_map[inventory_hostname] }}" + no_log: true + + - name: Charger les facts système (setup) + ansible.builtin.setup: + + tasks: + # -------------------------------------------------------------------- + # FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG) + # -------------------------------------------------------------------- + - name: Détecter la présence du dépôt Sury (packages.sury.org/php) + ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d + register: sury_present + changed_when: false + failed_when: false + + - name: Lister les fichiers APT contenant Sury + ansible.builtin.shell: | + grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true + register: sury_files + changed_when: false + when: sury_present.rc == 0 + + - name: Installer les prérequis (curl/ca-certificates/lsb-release) + ansible.builtin.apt: + name: + - curl + - ca-certificates + - 
lsb-release + state: present + update_cache: false + force_apt_get: true + lock_timeout: 600 + environment: + DEBIAN_FRONTEND: noninteractive + when: sury_present.rc == 0 + + - name: Télécharger le keyring Sury (debsuryorg-archive-keyring) + ansible.builtin.get_url: + url: https://packages.sury.org/debsuryorg-archive-keyring.deb + dest: /tmp/debsuryorg-archive-keyring.deb + mode: "0644" + when: sury_present.rc == 0 + + - name: Installer le keyring Sury (.deb) + ansible.builtin.apt: + deb: /tmp/debsuryorg-archive-keyring.deb + force_apt_get: true + lock_timeout: 600 + environment: + DEBIAN_FRONTEND: noninteractive + when: sury_present.rc == 0 + + - name: Commenter les anciennes lignes Sury (si présentes) + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$' + replace: '# \1' + loop: "{{ sury_files.stdout_lines | default([]) }}" + when: + - sury_present.rc == 0 + - (sury_files.stdout | default('')) | length > 0 + + - name: Recréer une source Sury propre avec signed-by (fichier dédié) + ansible.builtin.copy: + dest: /etc/apt/sources.list.d/sury-php.list + mode: "0644" + content: | + deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main + when: sury_present.rc == 0 + + # -------------------------------------------------------------------- + # APT update + debug si échec + # -------------------------------------------------------------------- + - name: Mise à jour du cache APT + block: + - name: apt update_cache + ansible.builtin.apt: + update_cache: true + cache_valid_time: 3600 + force_apt_get: true + lock_timeout: 600 + update_cache_retries: 5 + update_cache_retry_max_delay: 15 + environment: + DEBIAN_FRONTEND: noninteractive + rescue: + - name: Debug (apt-get update) si le module APT échoue + ansible.builtin.shell: | + apt-get update 2>&1 | tail -n 160 + register: apt_update_debug + changed_when: false + 
failed_when: false + + - name: Échec explicite avec sortie APT + ansible.builtin.fail: + msg: | + APT update a échoué sur {{ inventory_hostname }}. + RC apt-get: {{ apt_update_debug.rc }} + Sortie : + {{ apt_update_debug.stdout }} + + # -------------------------------------------------------------------- + # Upgrade (avec option pour accepter les downgrades si tu le veux) + # -------------------------------------------------------------------- + - name: Upgrade des paquets (dist-upgrade) + nettoyage + ansible.builtin.apt: + upgrade: dist + autoremove: true + autoclean: true + force_apt_get: true + lock_timeout: 600 + dpkg_options: "force-confdef,force-confold" + allow_downgrade: "{{ apt_allow_downgrades | default(false) }}" + environment: + DEBIAN_FRONTEND: noninteractive +
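Review bot: The Sury keyring is fetched with `get_url` to the fixed path `/tmp/debsuryorg-archive-keyring.deb` and then installed as root via `apt: deb:`, so the play trusts whatever file already sits at that predictable path in a world-writable directory. With `get_url`'s default `force: false` the download is skipped when the destination exists, which means a stale package from an earlier run, or one left there by another local account, would be installed with root privileges and would also leave the expired-key fix ineffective. Download into a root-only directory (and point `deb:` at the same path), add `force: true`, and, if the expected digest can be maintained, pin it with `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder value). Separately, only the final `set_fact` carries `no_log: true`; the `include_vars` task and the `_become_map` normalisation return the whole decrypted password map as facts, which can appear in task output at higher verbosity, so both should get `no_log: true` as well.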