diff --git a/ansible/playbooks/apt-upgrade.yml b/ansible/playbooks/apt-upgrade.yml
index a437394fa..bb1bd2e60 100644
--- a/ansible/playbooks/apt-upgrade.yml
+++ b/ansible/playbooks/apt-upgrade.yml
@@ -1,6 +1,6 @@
 ---
-- name: Upgrade Debian avec become_pass dynamique
- hosts: all
+- name: Upgrade Debian avec become_pass dynamique (v2)
+ hosts: debians
 gather_facts: false
 become: true
 become_method: sudo 
@@ -10,23 +10,177 @@ ansible.builtin.include_vars: file: "../group_vars/all/vault.yml" name: vault_secrets + no_log: true - - name: Définir le mot de passe sudo + - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords) ansible.builtin.set_fact: - ansible_become_pass: "{{ vault_secrets.become_passwords[inventory_hostname] }}" + _become_map: >- + {{ vault_secrets.become_passwords + if (vault_secrets is mapping and 'become_passwords' in vault_secrets) + else vault_secrets }} + no_log: true + + - name: Vérifier que le mot de passe existe pour l’hôte courant + ansible.builtin.assert: + that: + - _become_map is mapping + - inventory_hostname in _become_map + fail_msg: >- + Mot de passe manquant pour {{ inventory_hostname }}. + Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} + no_log: true + + - name: Définir le mot de passe sudo (variable officielle) + ansible.builtin.set_fact: + ansible_become_password: "{{ _become_map[inventory_hostname] }}" + no_log: true - name: Charger les facts système (setup) ansible.builtin.setup: tasks: - - name: Mise à jour du cache APT - ansible.builtin.apt: - update_cache: yes - cache_valid_time: 3600 + # -------------------------------------------------------------------- + # FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG) + # -------------------------------------------------------------------- + - name: Détecter la présence du dépôt Sury (packages.sury.org/php) + ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d + register: sury_present + changed_when: false + failed_when: false - - name: Upgrade des paquets + - name: Lister les fichiers APT contenant Sury + ansible.builtin.shell: | + grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true + register: sury_files + changed_when: false + when: sury_present.rc == 0 + + - name: Filtrer les fichiers APT Sury à commenter (exclure le 
fichier géré) + ansible.builtin.set_fact: + sury_files_to_comment: >- + {{ (sury_files.stdout_lines | default([])) + | reject('equalto', '/etc/apt/sources.list.d/sury-php.list') + | list }} + changed_when: false + when: sury_present.rc == 0 + + - name: Installer les prérequis (curl/ca-certificates/lsb-release) + ansible.builtin.apt: + name: + - curl + - ca-certificates + - lsb-release + state: present + update_cache: false + force_apt_get: true + lock_timeout: 600 + environment: + DEBIAN_FRONTEND: noninteractive + when: sury_present.rc == 0 + + - name: Télécharger le keyring Sury (debsuryorg-archive-keyring) + ansible.builtin.get_url: + url: https://packages.sury.org/debsuryorg-archive-keyring.deb + dest: /tmp/debsuryorg-archive-keyring.deb + mode: "0644" + when: sury_present.rc == 0 + + - name: Installer le keyring Sury (.deb) + ansible.builtin.apt: + deb: /tmp/debsuryorg-archive-keyring.deb + force_apt_get: true + lock_timeout: 600 + environment: + DEBIAN_FRONTEND: noninteractive + when: sury_present.rc == 0 + + - name: Commenter les anciennes lignes Sury (si présentes) + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$' + replace: '# \1' + loop: "{{ sury_files_to_comment | default([]) }}" + when: + - sury_present.rc == 0 + - (sury_files_to_comment | default([])) | length > 0 + + - name: Recréer une source Sury propre avec signed-by (fichier dédié) + ansible.builtin.copy: + dest: /etc/apt/sources.list.d/sury-php.list + mode: "0644" + content: | + deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main + when: sury_present.rc == 0 + + # -------------------------------------------------------------------- + # APT update + debug si échec + # -------------------------------------------------------------------- + + - name: Mise à jour du cache APT (forcée) + block: + - name: apt-get update (timeout + IPv4 + timeouts 
http) + ansible.builtin.command: > + timeout 300s apt-get + -o Acquire::ForceIPv4=true + -o Acquire::http::Timeout=20 + -o Acquire::https::Timeout=20 + update + register: apt_update + changed_when: false + failed_when: apt_update.rc != 0 + rescue: + - name: Debug apt-get update + ansible.builtin.shell: | + apt-get -o Acquire::ForceIPv4=true -o Acquire::http::Timeout=20 -o Acquire::https::Timeout=20 update 2>&1 | tail -n 200 + args: + executable: /bin/bash + register: apt_update_debug + changed_when: false + - ansible.builtin.fail: + msg: | + APT update a échoué sur {{ inventory_hostname }}. + {{ apt_update_debug.stdout }} + + rescue: + - name: Debug apt-get update + ansible.builtin.shell: | + apt-get update 2>&1 | tail -n 200 + args: + executable: /bin/bash + register: apt_update_debug + changed_when: false + - ansible.builtin.fail: + msg: | + APT update a échoué sur {{ inventory_hostname }}. + {{ apt_update_debug.stdout }} + + # -------------------------------------------------------------------- + # Upgrade (avec option pour accepter les downgrades si tu le veux) + # -------------------------------------------------------------------- + - name: Simulation dist-upgrade (détection downgrades) + ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade + register: sim + changed_when: false + + - name: Stopper cet hôte si downgrades détectés + when: sim.stdout is search("DOWNGRADED") + block: + - debug: + msg: | + Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux. 
+ Extrait: + {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }} + - meta: end_host + + - name: Upgrade des paquets (dist-upgrade) + nettoyage ansible.builtin.apt: upgrade: dist - autoremove: yes - autoclean: yes + autoremove: true + autoclean: true + force_apt_get: true + lock_timeout: 600 + dpkg_options: "force-confdef,force-confold" + allow_downgrade: "{{ apt_allow_downgrades | default(false) }}" + environment: + DEBIAN_FRONTEND: noninteractive diff --git a/ansible/playbooks/apt-upgrade_v2.yml b/ansible/playbooks/apt-upgrade_v2.yml deleted file mode 100644 index e95050e7d..000000000 --- a/ansible/playbooks/apt-upgrade_v2.yml +++ /dev/null 
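Review bot: The `Mise à jour du cache APT (forcée)` block carries `rescue:` twice (the second one right after the first `ansible.builtin.fail`, at what reads as the same level), so a loader that tolerates duplicate keys keeps only the last stanza and the IPv4/timeout variant of the debug command is never run; drop the second `rescue:` stanza (the one running plain `apt-get update 2>&1 | tail -n 200`) so the block has exactly one rescue. The `no_log: true` added to the `ansible.builtin.assert` task also hides its `fail_msg`, so the list of available keys is never shown when a host is missing; as that message carries only hostnames, consider leaving `no_log` off that task or printing the key list from a separate `ansible.builtin.debug` task. The Sury keyring is fetched to a fixed path under world-writable `/tmp` and installed as root with no integrity pin beyond TLS; adding `checksum: "sha256:<expected-hash>"` (hash obtained out of band, placeholder here) to the `get_url` task and writing to a root-owned directory would make that bootstrap verifiable.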
@@ -1,53 +0,0 @@ ---- -- name: Upgrade Debian avec become_pass dynamique (v2) - hosts: debians - gather_facts: false - become: true - become_method: sudo - - pre_tasks: - - name: Charger les variables vault (become_passwords) - ansible.builtin.include_vars: - file: "../group_vars/all/vault.yml" - name: vault_secrets - - - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords) - ansible.builtin.set_fact: - _become_map: >- - {{ vault_secrets.become_passwords - if (vault_secrets is mapping and 'become_passwords' in vault_secrets) - else vault_secrets }} - - - name: Vérifier que le mot de passe existe pour l’hôte courant - ansible.builtin.assert: - that: - - _become_map is mapping - - inventory_hostname in _become_map - fail_msg: >- - Mot de passe manquant pour {{ inventory_hostname }}. - Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} - - - name: Définir le mot de passe sudo (variable officielle) - ansible.builtin.set_fact: - ansible_become_password: "{{ _become_map[inventory_hostname] }}" - no_log: true - - - name: Charger les facts système (setup) - ansible.builtin.setup: - - tasks: - - name: Mise à jour du cache APT - ansible.builtin.apt: - update_cache: true - cache_valid_time: 3600 - - - name: Upgrade des paquets (dist-upgrade) + nettoyage - ansible.builtin.apt: - upgrade: dist - autoremove: true - autoclean: true - - # Optionnel : pour limiter le run à ton groupe via la CLI: - # Exécution conseillée : - # ansible-playbook -i inventory/inventory.ini playbooks/apt-upgrade_v2.yml --ask-vault-pass -l debians - diff --git a/ansible/playbooks/apt-upgrade_v3.yml b/ansible/playbooks/apt-upgrade_v3.yml deleted file mode 100644 index 77851cfed..000000000 --- a/ansible/playbooks/apt-upgrade_v3.yml +++ /dev/null 
@@ -1,160 +0,0 @@ ---- -- name: Upgrade Debian avec become_pass dynamique (v2) - hosts: debians - gather_facts: false - become: true - become_method: sudo - - pre_tasks: - - name: Charger les variables vault (become_passwords) - ansible.builtin.include_vars: - file: "../group_vars/all/vault.yml" - name: vault_secrets - - - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords) - ansible.builtin.set_fact: - _become_map: >- - {{ vault_secrets.become_passwords - if (vault_secrets is mapping and 'become_passwords' in vault_secrets) - else vault_secrets }} - - - name: Vérifier que le mot de passe existe pour l’hôte courant - ansible.builtin.assert: - that: - - _become_map is mapping - - inventory_hostname in _become_map - fail_msg: >- - Mot de passe manquant pour {{ inventory_hostname }}. - Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} - - - name: Définir le mot de passe sudo (variable officielle) - ansible.builtin.set_fact: - ansible_become_password: "{{ _become_map[inventory_hostname] }}" - no_log: true - - - name: Charger les facts système (setup) - ansible.builtin.setup: - - tasks: - # -------------------------------------------------------------------- - # FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG) - # -------------------------------------------------------------------- - - name: Détecter la présence du dépôt Sury (packages.sury.org/php) - ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d - register: sury_present - changed_when: false - failed_when: false - - - name: Lister les fichiers APT contenant Sury - ansible.builtin.shell: | - grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true - register: sury_files - changed_when: false - when: sury_present.rc == 0 - - - name: Installer les prérequis (curl/ca-certificates/lsb-release) - ansible.builtin.apt: - name: - - curl - - ca-certificates - - 
lsb-release - state: present - update_cache: false - force_apt_get: true - lock_timeout: 600 - environment: - DEBIAN_FRONTEND: noninteractive - when: sury_present.rc == 0 - - - name: Télécharger le keyring Sury (debsuryorg-archive-keyring) - ansible.builtin.get_url: - url: https://packages.sury.org/debsuryorg-archive-keyring.deb - dest: /tmp/debsuryorg-archive-keyring.deb - mode: "0644" - when: sury_present.rc == 0 - - - name: Installer le keyring Sury (.deb) - ansible.builtin.apt: - deb: /tmp/debsuryorg-archive-keyring.deb - force_apt_get: true - lock_timeout: 600 - environment: - DEBIAN_FRONTEND: noninteractive - when: sury_present.rc == 0 - - - name: Commenter les anciennes lignes Sury (si présentes) - ansible.builtin.replace: - path: "{{ item }}" - regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$' - replace: '# \1' - loop: "{{ sury_files.stdout_lines | default([]) }}" - when: - - sury_present.rc == 0 - - (sury_files.stdout | default('')) | length > 0 - - - name: Recréer une source Sury propre avec signed-by (fichier dédié) - ansible.builtin.copy: - dest: /etc/apt/sources.list.d/sury-php.list - mode: "0644" - content: | - deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main - when: sury_present.rc == 0 - - # -------------------------------------------------------------------- - # APT update + debug si échec - # -------------------------------------------------------------------- - - - name: Mise à jour du cache APT (forcée) - block: - - name: apt update_cache - ansible.builtin.apt: - update_cache: true - cache_valid_time: 0 - force_apt_get: true - update_cache_retries: 5 - update_cache_retry_max_delay: 15 - lock_timeout: 600 - rescue: - - name: Debug apt-get update - ansible.builtin.shell: | - apt-get update 2>&1 | tail -n 200 - args: - executable: /bin/bash - register: apt_update_debug - changed_when: false - - ansible.builtin.fail: - msg: | - APT update 
a échoué sur {{ inventory_hostname }}. - {{ apt_update_debug.stdout }} - - # -------------------------------------------------------------------- - # Upgrade (avec option pour accepter les downgrades si tu le veux) - # -------------------------------------------------------------------- - - - name: Simulation dist-upgrade (détection downgrades) - ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade - register: sim - changed_when: false - - - name: Stopper cet hôte si downgrades détectés - when: sim.stdout is search("DOWNGRADED") - block: - - debug: - msg: | - Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux. - Extrait: - {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }} - - meta: end_host - - - name: Upgrade des paquets (dist-upgrade) + nettoyage - ansible.builtin.apt: - upgrade: dist - autoremove: true - autoclean: true - force_apt_get: true - lock_timeout: 600 - dpkg_options: "force-confdef,force-confold" - allow_downgrade: "{{ apt_allow_downgrades | default(false) }}" - environment: - DEBIAN_FRONTEND: noninteractive - diff --git a/ansible/playbooks/apt-upgrade_v4.yml b/ansible/playbooks/apt-upgrade_v4.yml deleted file mode 100644 index bb1bd2e60..000000000 --- a/ansible/playbooks/apt-upgrade_v4.yml +++ /dev/null 
@@ -1,186 +0,0 @@ ---- -- name: Upgrade Debian avec become_pass dynamique (v2) - hosts: debians - gather_facts: false - become: true - become_method: sudo - - pre_tasks: - - name: Charger les variables vault (become_passwords) - ansible.builtin.include_vars: - file: "../group_vars/all/vault.yml" - name: vault_secrets - no_log: true - - - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords) - ansible.builtin.set_fact: - _become_map: >- - {{ vault_secrets.become_passwords - if (vault_secrets is mapping and 'become_passwords' in vault_secrets) - else vault_secrets }} - no_log: true - - - name: Vérifier que le mot de passe existe pour l’hôte courant - ansible.builtin.assert: - that: - - _become_map is mapping - - inventory_hostname in _become_map - fail_msg: >- - Mot de passe manquant pour {{ inventory_hostname }}. - Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} - no_log: true - - - name: Définir le mot de passe sudo (variable officielle) - ansible.builtin.set_fact: - ansible_become_password: "{{ _become_map[inventory_hostname] }}" - no_log: true - - - name: Charger les facts système (setup) - ansible.builtin.setup: - - tasks: - # -------------------------------------------------------------------- - # FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG) - # -------------------------------------------------------------------- - - name: Détecter la présence du dépôt Sury (packages.sury.org/php) - ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d - register: sury_present - changed_when: false - failed_when: false - - - name: Lister les fichiers APT contenant Sury - ansible.builtin.shell: | - grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true - register: sury_files - changed_when: false - when: sury_present.rc == 0 - - - name: Filtrer les fichiers APT Sury à commenter (exclure le fichier géré) - 
ansible.builtin.set_fact: - sury_files_to_comment: >- - {{ (sury_files.stdout_lines | default([])) - | reject('equalto', '/etc/apt/sources.list.d/sury-php.list') - | list }} - changed_when: false - when: sury_present.rc == 0 - - - name: Installer les prérequis (curl/ca-certificates/lsb-release) - ansible.builtin.apt: - name: - - curl - - ca-certificates - - lsb-release - state: present - update_cache: false - force_apt_get: true - lock_timeout: 600 - environment: - DEBIAN_FRONTEND: noninteractive - when: sury_present.rc == 0 - - - name: Télécharger le keyring Sury (debsuryorg-archive-keyring) - ansible.builtin.get_url: - url: https://packages.sury.org/debsuryorg-archive-keyring.deb - dest: /tmp/debsuryorg-archive-keyring.deb - mode: "0644" - when: sury_present.rc == 0 - - - name: Installer le keyring Sury (.deb) - ansible.builtin.apt: - deb: /tmp/debsuryorg-archive-keyring.deb - force_apt_get: true - lock_timeout: 600 - environment: - DEBIAN_FRONTEND: noninteractive - when: sury_present.rc == 0 - - - name: Commenter les anciennes lignes Sury (si présentes) - ansible.builtin.replace: - path: "{{ item }}" - regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$' - replace: '# \1' - loop: "{{ sury_files_to_comment | default([]) }}" - when: - - sury_present.rc == 0 - - (sury_files_to_comment | default([])) | length > 0 - - - name: Recréer une source Sury propre avec signed-by (fichier dédié) - ansible.builtin.copy: - dest: /etc/apt/sources.list.d/sury-php.list - mode: "0644" - content: | - deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main - when: sury_present.rc == 0 - - # -------------------------------------------------------------------- - # APT update + debug si échec - # -------------------------------------------------------------------- - - - name: Mise à jour du cache APT (forcée) - block: - - name: apt-get update (timeout + IPv4 + timeouts http) - 
ansible.builtin.command: > - timeout 300s apt-get - -o Acquire::ForceIPv4=true - -o Acquire::http::Timeout=20 - -o Acquire::https::Timeout=20 - update - register: apt_update - changed_when: false - failed_when: apt_update.rc != 0 - rescue: - - name: Debug apt-get update - ansible.builtin.shell: | - apt-get -o Acquire::ForceIPv4=true -o Acquire::http::Timeout=20 -o Acquire::https::Timeout=20 update 2>&1 | tail -n 200 - args: - executable: /bin/bash - register: apt_update_debug - changed_when: false - - ansible.builtin.fail: - msg: | - APT update a échoué sur {{ inventory_hostname }}. - {{ apt_update_debug.stdout }} - - rescue: - - name: Debug apt-get update - ansible.builtin.shell: | - apt-get update 2>&1 | tail -n 200 - args: - executable: /bin/bash - register: apt_update_debug - changed_when: false - - ansible.builtin.fail: - msg: | - APT update a échoué sur {{ inventory_hostname }}. - {{ apt_update_debug.stdout }} - - # -------------------------------------------------------------------- - # Upgrade (avec option pour accepter les downgrades si tu le veux) - # -------------------------------------------------------------------- - - name: Simulation dist-upgrade (détection downgrades) - ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade - register: sim - changed_when: false - - - name: Stopper cet hôte si downgrades détectés - when: sim.stdout is search("DOWNGRADED") - block: - - debug: - msg: | - Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux. - Extrait: - {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }} - - meta: end_host - - - name: Upgrade des paquets (dist-upgrade) + nettoyage - ansible.builtin.apt: - upgrade: dist - autoremove: true - autoclean: true - force_apt_get: true - lock_timeout: 600 - dpkg_options: "force-confdef,force-confold" - allow_downgrade: "{{ apt_allow_downgrades | default(false) }}" - environment: - DEBIAN_FRONTEND: noninteractive - 
diff --git a/ansible/playbooks/motd.yml b/ansible/playbooks/motd.yml index a4f34712f..6fbfc3c1b 100644 --- a/ansible/playbooks/motd.yml +++ b/ansible/playbooks/motd.yml @@ -1,21 +1,43 @@ -- hosts: debians - vars: - user: "smauro" - become: yes - #root_password: "testtest" - tasks: - # 4. Mettre à jour les paquets - - name: Mettre à jour les paquets - apt: - update_cache: yes - become: yes +--- +- name: APT update + dist-upgrade (minimal + vault become) + hosts: debians + gather_facts: false + become: true + become_method: sudo - # 11. Mettre à jour et upgrader le système - - name: Mettre à jour et upgrader le système - apt: - update_cache: yes - upgrade: dist - become: yes + vars: + apt_update_timeout_seconds: 300 + apt_http_timeout_seconds: 20 + apt_force_ipv4: true + + pre_tasks: + - name: Charger les variables vault (become_passwords) + ansible.builtin.include_vars: + file: "../group_vars/all/vault.yml" + name: vault_secrets + + - name: Normaliser la map des mots de passe + ansible.builtin.set_fact: + _become_map: >- + {{ vault_secrets.become_passwords + if (vault_secrets is mapping and 'become_passwords' in vault_secrets) + else vault_secrets }} + + - name: Vérifier que le mot de passe existe pour l’hôte courant + ansible.builtin.assert: + that: + - _become_map is mapping + - inventory_hostname in _become_map + fail_msg: >- + Mot de passe manquant pour {{ inventory_hostname }}. + Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} + + - name: Définir le mot de passe sudo (variable officielle) + ansible.builtin.set_fact: + ansible_become_password: "{{ _become_map[inventory_hostname] }}" + no_log: true + + tasks: - name: Déployer le script MOTD personnalisé copy: diff --git a/ansible/playbooks/motd_v2.yml b/ansible/playbooks/motd_v2.yml deleted file mode 100644 index 6fbfc3c1b..000000000 --- a/ansible/playbooks/motd_v2.yml +++ /dev/null 
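Review bot: The new `pre_tasks` in motd.yml load `vault.yml` through `ansible.builtin.include_vars` and build `_become_map` with `ansible.builtin.set_fact` without `no_log: true`, although the same two tasks in apt-upgrade.yml in this commit get it; their results carry the loaded become passwords and are printed in verbose runs, so add `no_log: true` to both tasks here as well. The play is also named `APT update + dist-upgrade (minimal + vault become)` and declares `apt_update_timeout_seconds`, `apt_http_timeout_seconds` and `apt_force_ipv4`, yet the apt tasks are removed and no task in the visible hunk reads those vars; rename the play to describe the MOTD deployment and drop the unused vars, or note in a comment which later task consumes them. The play's task list continues past the end of the hunk.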
@@ -1,49 +0,0 @@ ---- -- name: APT update + dist-upgrade (minimal + vault become) - hosts: debians - gather_facts: false - become: true - become_method: sudo - - vars: - apt_update_timeout_seconds: 300 - apt_http_timeout_seconds: 20 - apt_force_ipv4: true - - pre_tasks: - - name: Charger les variables vault (become_passwords) - ansible.builtin.include_vars: - file: "../group_vars/all/vault.yml" - name: vault_secrets - - - name: Normaliser la map des mots de passe - ansible.builtin.set_fact: - _become_map: >- - {{ vault_secrets.become_passwords - if (vault_secrets is mapping and 'become_passwords' in vault_secrets) - else vault_secrets }} - - - name: Vérifier que le mot de passe existe pour l’hôte courant - ansible.builtin.assert: - that: - - _become_map is mapping - - inventory_hostname in _become_map - fail_msg: >- - Mot de passe manquant pour {{ inventory_hostname }}. - Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} - - - name: Définir le mot de passe sudo (variable officielle) - ansible.builtin.set_fact: - ansible_become_password: "{{ _become_map[inventory_hostname] }}" - no_log: true - - tasks: - - - name: Déployer le script MOTD personnalisé - copy: - src: ../sources/99-motd # Chemin relatif depuis où tu exécutes le playbook - dest: /etc/update-motd.d/99-motd - owner: root - group: root - mode: '0755' - become: yes