Nettoyage des playbook
This commit is contained in:
parent
5cb61227fd
commit
80be1748d9
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
- name: Upgrade Debian avec become_pass dynamique
|
- name: Upgrade Debian avec become_pass dynamique (v2)
|
||||||
hosts: all
|
hosts: debians
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
become: true
|
become: true
|
||||||
become_method: sudo
|
become_method: sudo
|
||||||
@ -10,23 +10,177 @@
|
|||||||
ansible.builtin.include_vars:
|
ansible.builtin.include_vars:
|
||||||
file: "../group_vars/all/vault.yml"
|
file: "../group_vars/all/vault.yml"
|
||||||
name: vault_secrets
|
name: vault_secrets
|
||||||
|
no_log: true
|
||||||
|
|
||||||
- name: Définir le mot de passe sudo
|
- name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
ansible_become_pass: "{{ vault_secrets.become_passwords[inventory_hostname] }}"
|
_become_map: >-
|
||||||
|
{{ vault_secrets.become_passwords
|
||||||
|
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
|
||||||
|
else vault_secrets }}
|
||||||
|
no_log: true
|
||||||
|
|
||||||
|
- name: Vérifier que le mot de passe existe pour l’hôte courant
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- _become_map is mapping
|
||||||
|
- inventory_hostname in _become_map
|
||||||
|
fail_msg: >-
|
||||||
|
Mot de passe manquant pour {{ inventory_hostname }}.
|
||||||
|
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
|
||||||
|
no_log: true
|
||||||
|
|
||||||
|
- name: Définir le mot de passe sudo (variable officielle)
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
|
||||||
|
no_log: true
|
||||||
|
|
||||||
- name: Charger les facts système (setup)
|
- name: Charger les facts système (setup)
|
||||||
ansible.builtin.setup:
|
ansible.builtin.setup:
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Mise à jour du cache APT
|
# --------------------------------------------------------------------
|
||||||
ansible.builtin.apt:
|
# FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG)
|
||||||
update_cache: yes
|
# --------------------------------------------------------------------
|
||||||
cache_valid_time: 3600
|
- name: Détecter la présence du dépôt Sury (packages.sury.org/php)
|
||||||
|
ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
|
||||||
|
register: sury_present
|
||||||
|
changed_when: false
|
||||||
|
failed_when: false
|
||||||
|
|
||||||
- name: Upgrade des paquets
|
- name: Lister les fichiers APT contenant Sury
|
||||||
|
ansible.builtin.shell: |
|
||||||
|
grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
|
||||||
|
register: sury_files
|
||||||
|
changed_when: false
|
||||||
|
when: sury_present.rc == 0
|
||||||
|
|
||||||
|
- name: Filtrer les fichiers APT Sury à commenter (exclure le fichier géré)
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
sury_files_to_comment: >-
|
||||||
|
{{ (sury_files.stdout_lines | default([]))
|
||||||
|
| reject('equalto', '/etc/apt/sources.list.d/sury-php.list')
|
||||||
|
| list }}
|
||||||
|
changed_when: false
|
||||||
|
when: sury_present.rc == 0
|
||||||
|
|
||||||
|
- name: Installer les prérequis (curl/ca-certificates/lsb-release)
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- curl
|
||||||
|
- ca-certificates
|
||||||
|
- lsb-release
|
||||||
|
state: present
|
||||||
|
update_cache: false
|
||||||
|
force_apt_get: true
|
||||||
|
lock_timeout: 600
|
||||||
|
environment:
|
||||||
|
DEBIAN_FRONTEND: noninteractive
|
||||||
|
when: sury_present.rc == 0
|
||||||
|
|
||||||
|
- name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: https://packages.sury.org/debsuryorg-archive-keyring.deb
|
||||||
|
dest: /tmp/debsuryorg-archive-keyring.deb
|
||||||
|
mode: "0644"
|
||||||
|
when: sury_present.rc == 0
|
||||||
|
|
||||||
|
- name: Installer le keyring Sury (.deb)
|
||||||
|
ansible.builtin.apt:
|
||||||
|
deb: /tmp/debsuryorg-archive-keyring.deb
|
||||||
|
force_apt_get: true
|
||||||
|
lock_timeout: 600
|
||||||
|
environment:
|
||||||
|
DEBIAN_FRONTEND: noninteractive
|
||||||
|
when: sury_present.rc == 0
|
||||||
|
|
||||||
|
- name: Commenter les anciennes lignes Sury (si présentes)
|
||||||
|
ansible.builtin.replace:
|
||||||
|
path: "{{ item }}"
|
||||||
|
regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
|
||||||
|
replace: '# \1'
|
||||||
|
loop: "{{ sury_files_to_comment | default([]) }}"
|
||||||
|
when:
|
||||||
|
- sury_present.rc == 0
|
||||||
|
- (sury_files_to_comment | default([])) | length > 0
|
||||||
|
|
||||||
|
- name: Recréer une source Sury propre avec signed-by (fichier dédié)
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: /etc/apt/sources.list.d/sury-php.list
|
||||||
|
mode: "0644"
|
||||||
|
content: |
|
||||||
|
deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main
|
||||||
|
when: sury_present.rc == 0
|
||||||
|
|
||||||
|
# --------------------------------------------------------------------
|
||||||
|
# APT update + debug si échec
|
||||||
|
# --------------------------------------------------------------------
|
||||||
|
|
||||||
|
- name: Mise à jour du cache APT (forcée)
|
||||||
|
block:
|
||||||
|
- name: apt-get update (timeout + IPv4 + timeouts http)
|
||||||
|
ansible.builtin.command: >
|
||||||
|
timeout 300s apt-get
|
||||||
|
-o Acquire::ForceIPv4=true
|
||||||
|
-o Acquire::http::Timeout=20
|
||||||
|
-o Acquire::https::Timeout=20
|
||||||
|
update
|
||||||
|
register: apt_update
|
||||||
|
changed_when: false
|
||||||
|
failed_when: apt_update.rc != 0
|
||||||
|
rescue:
|
||||||
|
- name: Debug apt-get update
|
||||||
|
ansible.builtin.shell: |
|
||||||
|
apt-get -o Acquire::ForceIPv4=true -o Acquire::http::Timeout=20 -o Acquire::https::Timeout=20 update 2>&1 | tail -n 200
|
||||||
|
args:
|
||||||
|
executable: /bin/bash
|
||||||
|
register: apt_update_debug
|
||||||
|
changed_when: false
|
||||||
|
- ansible.builtin.fail:
|
||||||
|
msg: |
|
||||||
|
APT update a échoué sur {{ inventory_hostname }}.
|
||||||
|
{{ apt_update_debug.stdout }}
|
||||||
|
|
||||||
|
rescue:
|
||||||
|
- name: Debug apt-get update
|
||||||
|
ansible.builtin.shell: |
|
||||||
|
apt-get update 2>&1 | tail -n 200
|
||||||
|
args:
|
||||||
|
executable: /bin/bash
|
||||||
|
register: apt_update_debug
|
||||||
|
changed_when: false
|
||||||
|
- ansible.builtin.fail:
|
||||||
|
msg: |
|
||||||
|
APT update a échoué sur {{ inventory_hostname }}.
|
||||||
|
{{ apt_update_debug.stdout }}
|
||||||
|
|
||||||
|
# --------------------------------------------------------------------
|
||||||
|
# Upgrade (avec option pour accepter les downgrades si tu le veux)
|
||||||
|
# --------------------------------------------------------------------
|
||||||
|
- name: Simulation dist-upgrade (détection downgrades)
|
||||||
|
ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
|
||||||
|
register: sim
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Stopper cet hôte si downgrades détectés
|
||||||
|
when: sim.stdout is search("DOWNGRADED")
|
||||||
|
block:
|
||||||
|
- debug:
|
||||||
|
msg: |
|
||||||
|
Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
|
||||||
|
Extrait:
|
||||||
|
{{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}
|
||||||
|
- meta: end_host
|
||||||
|
|
||||||
|
- name: Upgrade des paquets (dist-upgrade) + nettoyage
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
upgrade: dist
|
upgrade: dist
|
||||||
autoremove: yes
|
autoremove: true
|
||||||
autoclean: yes
|
autoclean: true
|
||||||
|
force_apt_get: true
|
||||||
|
lock_timeout: 600
|
||||||
|
dpkg_options: "force-confdef,force-confold"
|
||||||
|
allow_downgrade: "{{ apt_allow_downgrades | default(false) }}"
|
||||||
|
environment:
|
||||||
|
DEBIAN_FRONTEND: noninteractive
|
||||||
|
|
||||||
|
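Review bot: The task `Mise à jour du cache APT (forcée)` carries two `rescue:` keys (one right after `failed_when: apt_update.rc != 0`, a second after the first `ansible.builtin.fail`); Ansible's YAML loader keeps only the last duplicate key, so the IPv4/timeout-aware debug block is silently discarded and the plain `apt-get update 2>&1 | tail -n 200` variant runs instead — delete the second `rescue:` block. The same duplication is present in the deleted copy of this playbook further down, so it appears carried over rather than introduced here, but a cleanup commit is the place to drop it. The Sury keyring is fetched to `/tmp` and installed as root with no integrity check beyond TLS; `ansible.builtin.get_url` supports `checksum: "sha256:<KEYRING_SHA256_PLACEHOLDER>"` (pin a value obtained out of band), which also prevents re-downloading an already verified file. `no_log: true` on the `Vérifier que le mot de passe existe` assert suppresses its `fail_msg` when it fires, even though that message only lists hostnames, so it is worth dropping on that one task. The `pre_tasks` list begins before this hunk and the `tasks` list may continue past it.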
|||||||
@ -1,53 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Upgrade Debian avec become_pass dynamique (v2)
|
|
||||||
hosts: debians
|
|
||||||
gather_facts: false
|
|
||||||
become: true
|
|
||||||
become_method: sudo
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Charger les variables vault (become_passwords)
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
file: "../group_vars/all/vault.yml"
|
|
||||||
name: vault_secrets
|
|
||||||
|
|
||||||
- name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
_become_map: >-
|
|
||||||
{{ vault_secrets.become_passwords
|
|
||||||
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
|
|
||||||
else vault_secrets }}
|
|
||||||
|
|
||||||
- name: Vérifier que le mot de passe existe pour l’hôte courant
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- _become_map is mapping
|
|
||||||
- inventory_hostname in _become_map
|
|
||||||
fail_msg: >-
|
|
||||||
Mot de passe manquant pour {{ inventory_hostname }}.
|
|
||||||
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
|
|
||||||
|
|
||||||
- name: Définir le mot de passe sudo (variable officielle)
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Charger les facts système (setup)
|
|
||||||
ansible.builtin.setup:
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- name: Mise à jour du cache APT
|
|
||||||
ansible.builtin.apt:
|
|
||||||
update_cache: true
|
|
||||||
cache_valid_time: 3600
|
|
||||||
|
|
||||||
- name: Upgrade des paquets (dist-upgrade) + nettoyage
|
|
||||||
ansible.builtin.apt:
|
|
||||||
upgrade: dist
|
|
||||||
autoremove: true
|
|
||||||
autoclean: true
|
|
||||||
|
|
||||||
# Optionnel : pour limiter le run à ton groupe via la CLI:
|
|
||||||
# Exécution conseillée :
|
|
||||||
# ansible-playbook -i inventory/inventory.ini playbooks/apt-upgrade_v2.yml --ask-vault-pass -l debians
|
|
||||||
|
|
||||||
@ -1,160 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Upgrade Debian avec become_pass dynamique (v2)
|
|
||||||
hosts: debians
|
|
||||||
gather_facts: false
|
|
||||||
become: true
|
|
||||||
become_method: sudo
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Charger les variables vault (become_passwords)
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
file: "../group_vars/all/vault.yml"
|
|
||||||
name: vault_secrets
|
|
||||||
|
|
||||||
- name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
_become_map: >-
|
|
||||||
{{ vault_secrets.become_passwords
|
|
||||||
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
|
|
||||||
else vault_secrets }}
|
|
||||||
|
|
||||||
- name: Vérifier que le mot de passe existe pour l’hôte courant
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- _become_map is mapping
|
|
||||||
- inventory_hostname in _become_map
|
|
||||||
fail_msg: >-
|
|
||||||
Mot de passe manquant pour {{ inventory_hostname }}.
|
|
||||||
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
|
|
||||||
|
|
||||||
- name: Définir le mot de passe sudo (variable officielle)
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Charger les facts système (setup)
|
|
||||||
ansible.builtin.setup:
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
# FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG)
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
- name: Détecter la présence du dépôt Sury (packages.sury.org/php)
|
|
||||||
ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
|
|
||||||
register: sury_present
|
|
||||||
changed_when: false
|
|
||||||
failed_when: false
|
|
||||||
|
|
||||||
- name: Lister les fichiers APT contenant Sury
|
|
||||||
ansible.builtin.shell: |
|
|
||||||
grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
|
|
||||||
register: sury_files
|
|
||||||
changed_when: false
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
- name: Installer les prérequis (curl/ca-certificates/lsb-release)
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name:
|
|
||||||
- curl
|
|
||||||
- ca-certificates
|
|
||||||
- lsb-release
|
|
||||||
state: present
|
|
||||||
update_cache: false
|
|
||||||
force_apt_get: true
|
|
||||||
lock_timeout: 600
|
|
||||||
environment:
|
|
||||||
DEBIAN_FRONTEND: noninteractive
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
- name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
|
|
||||||
ansible.builtin.get_url:
|
|
||||||
url: https://packages.sury.org/debsuryorg-archive-keyring.deb
|
|
||||||
dest: /tmp/debsuryorg-archive-keyring.deb
|
|
||||||
mode: "0644"
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
- name: Installer le keyring Sury (.deb)
|
|
||||||
ansible.builtin.apt:
|
|
||||||
deb: /tmp/debsuryorg-archive-keyring.deb
|
|
||||||
force_apt_get: true
|
|
||||||
lock_timeout: 600
|
|
||||||
environment:
|
|
||||||
DEBIAN_FRONTEND: noninteractive
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
- name: Commenter les anciennes lignes Sury (si présentes)
|
|
||||||
ansible.builtin.replace:
|
|
||||||
path: "{{ item }}"
|
|
||||||
regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
|
|
||||||
replace: '# \1'
|
|
||||||
loop: "{{ sury_files.stdout_lines | default([]) }}"
|
|
||||||
when:
|
|
||||||
- sury_present.rc == 0
|
|
||||||
- (sury_files.stdout | default('')) | length > 0
|
|
||||||
|
|
||||||
- name: Recréer une source Sury propre avec signed-by (fichier dédié)
|
|
||||||
ansible.builtin.copy:
|
|
||||||
dest: /etc/apt/sources.list.d/sury-php.list
|
|
||||||
mode: "0644"
|
|
||||||
content: |
|
|
||||||
deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
# APT update + debug si échec
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
|
|
||||||
- name: Mise à jour du cache APT (forcée)
|
|
||||||
block:
|
|
||||||
- name: apt update_cache
|
|
||||||
ansible.builtin.apt:
|
|
||||||
update_cache: true
|
|
||||||
cache_valid_time: 0
|
|
||||||
force_apt_get: true
|
|
||||||
update_cache_retries: 5
|
|
||||||
update_cache_retry_max_delay: 15
|
|
||||||
lock_timeout: 600
|
|
||||||
rescue:
|
|
||||||
- name: Debug apt-get update
|
|
||||||
ansible.builtin.shell: |
|
|
||||||
apt-get update 2>&1 | tail -n 200
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
register: apt_update_debug
|
|
||||||
changed_when: false
|
|
||||||
- ansible.builtin.fail:
|
|
||||||
msg: |
|
|
||||||
APT update a échoué sur {{ inventory_hostname }}.
|
|
||||||
{{ apt_update_debug.stdout }}
|
|
||||||
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
# Upgrade (avec option pour accepter les downgrades si tu le veux)
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
|
|
||||||
- name: Simulation dist-upgrade (détection downgrades)
|
|
||||||
ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
|
|
||||||
register: sim
|
|
||||||
changed_when: false
|
|
||||||
|
|
||||||
- name: Stopper cet hôte si downgrades détectés
|
|
||||||
when: sim.stdout is search("DOWNGRADED")
|
|
||||||
block:
|
|
||||||
- debug:
|
|
||||||
msg: |
|
|
||||||
Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
|
|
||||||
Extrait:
|
|
||||||
{{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}
|
|
||||||
- meta: end_host
|
|
||||||
|
|
||||||
- name: Upgrade des paquets (dist-upgrade) + nettoyage
|
|
||||||
ansible.builtin.apt:
|
|
||||||
upgrade: dist
|
|
||||||
autoremove: true
|
|
||||||
autoclean: true
|
|
||||||
force_apt_get: true
|
|
||||||
lock_timeout: 600
|
|
||||||
dpkg_options: "force-confdef,force-confold"
|
|
||||||
allow_downgrade: "{{ apt_allow_downgrades | default(false) }}"
|
|
||||||
environment:
|
|
||||||
DEBIAN_FRONTEND: noninteractive
|
|
||||||
|
|
||||||
@ -1,186 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Upgrade Debian avec become_pass dynamique (v2)
|
|
||||||
hosts: debians
|
|
||||||
gather_facts: false
|
|
||||||
become: true
|
|
||||||
become_method: sudo
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Charger les variables vault (become_passwords)
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
file: "../group_vars/all/vault.yml"
|
|
||||||
name: vault_secrets
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
_become_map: >-
|
|
||||||
{{ vault_secrets.become_passwords
|
|
||||||
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
|
|
||||||
else vault_secrets }}
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Vérifier que le mot de passe existe pour l’hôte courant
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- _become_map is mapping
|
|
||||||
- inventory_hostname in _become_map
|
|
||||||
fail_msg: >-
|
|
||||||
Mot de passe manquant pour {{ inventory_hostname }}.
|
|
||||||
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Définir le mot de passe sudo (variable officielle)
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Charger les facts système (setup)
|
|
||||||
ansible.builtin.setup:
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
# FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG)
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
- name: Détecter la présence du dépôt Sury (packages.sury.org/php)
|
|
||||||
ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
|
|
||||||
register: sury_present
|
|
||||||
changed_when: false
|
|
||||||
failed_when: false
|
|
||||||
|
|
||||||
- name: Lister les fichiers APT contenant Sury
|
|
||||||
ansible.builtin.shell: |
|
|
||||||
grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
|
|
||||||
register: sury_files
|
|
||||||
changed_when: false
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
- name: Filtrer les fichiers APT Sury à commenter (exclure le fichier géré)
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
sury_files_to_comment: >-
|
|
||||||
{{ (sury_files.stdout_lines | default([]))
|
|
||||||
| reject('equalto', '/etc/apt/sources.list.d/sury-php.list')
|
|
||||||
| list }}
|
|
||||||
changed_when: false
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
- name: Installer les prérequis (curl/ca-certificates/lsb-release)
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name:
|
|
||||||
- curl
|
|
||||||
- ca-certificates
|
|
||||||
- lsb-release
|
|
||||||
state: present
|
|
||||||
update_cache: false
|
|
||||||
force_apt_get: true
|
|
||||||
lock_timeout: 600
|
|
||||||
environment:
|
|
||||||
DEBIAN_FRONTEND: noninteractive
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
- name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
|
|
||||||
ansible.builtin.get_url:
|
|
||||||
url: https://packages.sury.org/debsuryorg-archive-keyring.deb
|
|
||||||
dest: /tmp/debsuryorg-archive-keyring.deb
|
|
||||||
mode: "0644"
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
- name: Installer le keyring Sury (.deb)
|
|
||||||
ansible.builtin.apt:
|
|
||||||
deb: /tmp/debsuryorg-archive-keyring.deb
|
|
||||||
force_apt_get: true
|
|
||||||
lock_timeout: 600
|
|
||||||
environment:
|
|
||||||
DEBIAN_FRONTEND: noninteractive
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
- name: Commenter les anciennes lignes Sury (si présentes)
|
|
||||||
ansible.builtin.replace:
|
|
||||||
path: "{{ item }}"
|
|
||||||
regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
|
|
||||||
replace: '# \1'
|
|
||||||
loop: "{{ sury_files_to_comment | default([]) }}"
|
|
||||||
when:
|
|
||||||
- sury_present.rc == 0
|
|
||||||
- (sury_files_to_comment | default([])) | length > 0
|
|
||||||
|
|
||||||
- name: Recréer une source Sury propre avec signed-by (fichier dédié)
|
|
||||||
ansible.builtin.copy:
|
|
||||||
dest: /etc/apt/sources.list.d/sury-php.list
|
|
||||||
mode: "0644"
|
|
||||||
content: |
|
|
||||||
deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main
|
|
||||||
when: sury_present.rc == 0
|
|
||||||
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
# APT update + debug si échec
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
|
|
||||||
- name: Mise à jour du cache APT (forcée)
|
|
||||||
block:
|
|
||||||
- name: apt-get update (timeout + IPv4 + timeouts http)
|
|
||||||
ansible.builtin.command: >
|
|
||||||
timeout 300s apt-get
|
|
||||||
-o Acquire::ForceIPv4=true
|
|
||||||
-o Acquire::http::Timeout=20
|
|
||||||
-o Acquire::https::Timeout=20
|
|
||||||
update
|
|
||||||
register: apt_update
|
|
||||||
changed_when: false
|
|
||||||
failed_when: apt_update.rc != 0
|
|
||||||
rescue:
|
|
||||||
- name: Debug apt-get update
|
|
||||||
ansible.builtin.shell: |
|
|
||||||
apt-get -o Acquire::ForceIPv4=true -o Acquire::http::Timeout=20 -o Acquire::https::Timeout=20 update 2>&1 | tail -n 200
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
register: apt_update_debug
|
|
||||||
changed_when: false
|
|
||||||
- ansible.builtin.fail:
|
|
||||||
msg: |
|
|
||||||
APT update a échoué sur {{ inventory_hostname }}.
|
|
||||||
{{ apt_update_debug.stdout }}
|
|
||||||
|
|
||||||
rescue:
|
|
||||||
- name: Debug apt-get update
|
|
||||||
ansible.builtin.shell: |
|
|
||||||
apt-get update 2>&1 | tail -n 200
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
register: apt_update_debug
|
|
||||||
changed_when: false
|
|
||||||
- ansible.builtin.fail:
|
|
||||||
msg: |
|
|
||||||
APT update a échoué sur {{ inventory_hostname }}.
|
|
||||||
{{ apt_update_debug.stdout }}
|
|
||||||
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
# Upgrade (avec option pour accepter les downgrades si tu le veux)
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
- name: Simulation dist-upgrade (détection downgrades)
|
|
||||||
ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
|
|
||||||
register: sim
|
|
||||||
changed_when: false
|
|
||||||
|
|
||||||
- name: Stopper cet hôte si downgrades détectés
|
|
||||||
when: sim.stdout is search("DOWNGRADED")
|
|
||||||
block:
|
|
||||||
- debug:
|
|
||||||
msg: |
|
|
||||||
Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
|
|
||||||
Extrait:
|
|
||||||
{{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}
|
|
||||||
- meta: end_host
|
|
||||||
|
|
||||||
- name: Upgrade des paquets (dist-upgrade) + nettoyage
|
|
||||||
ansible.builtin.apt:
|
|
||||||
upgrade: dist
|
|
||||||
autoremove: true
|
|
||||||
autoclean: true
|
|
||||||
force_apt_get: true
|
|
||||||
lock_timeout: 600
|
|
||||||
dpkg_options: "force-confdef,force-confold"
|
|
||||||
allow_downgrade: "{{ apt_allow_downgrades | default(false) }}"
|
|
||||||
environment:
|
|
||||||
DEBIAN_FRONTEND: noninteractive
|
|
||||||
|
|
||||||
@ -1,21 +1,43 @@
|
|||||||
- hosts: debians
|
---
|
||||||
vars:
|
- name: APT update + dist-upgrade (minimal + vault become)
|
||||||
user: "smauro"
|
hosts: debians
|
||||||
become: yes
|
gather_facts: false
|
||||||
#root_password: "testtest"
|
become: true
|
||||||
tasks:
|
become_method: sudo
|
||||||
# 4. Mettre à jour les paquets
|
|
||||||
- name: Mettre à jour les paquets
|
|
||||||
apt:
|
|
||||||
update_cache: yes
|
|
||||||
become: yes
|
|
||||||
|
|
||||||
# 11. Mettre à jour et upgrader le système
|
vars:
|
||||||
- name: Mettre à jour et upgrader le système
|
apt_update_timeout_seconds: 300
|
||||||
apt:
|
apt_http_timeout_seconds: 20
|
||||||
update_cache: yes
|
apt_force_ipv4: true
|
||||||
upgrade: dist
|
|
||||||
become: yes
|
pre_tasks:
|
||||||
|
- name: Charger les variables vault (become_passwords)
|
||||||
|
ansible.builtin.include_vars:
|
||||||
|
file: "../group_vars/all/vault.yml"
|
||||||
|
name: vault_secrets
|
||||||
|
|
||||||
|
- name: Normaliser la map des mots de passe
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
_become_map: >-
|
||||||
|
{{ vault_secrets.become_passwords
|
||||||
|
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
|
||||||
|
else vault_secrets }}
|
||||||
|
|
||||||
|
- name: Vérifier que le mot de passe existe pour l’hôte courant
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- _become_map is mapping
|
||||||
|
- inventory_hostname in _become_map
|
||||||
|
fail_msg: >-
|
||||||
|
Mot de passe manquant pour {{ inventory_hostname }}.
|
||||||
|
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
|
||||||
|
|
||||||
|
- name: Définir le mot de passe sudo (variable officielle)
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
|
||||||
|
no_log: true
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
|
||||||
- name: Déployer le script MOTD personnalisé
|
- name: Déployer le script MOTD personnalisé
|
||||||
copy:
|
copy:
|
||||||
|
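Review bot: The vault `ansible.builtin.include_vars` and the `_become_map` `ansible.builtin.set_fact` in `pre_tasks` have no `no_log: true`, unlike the same two tasks in the other playbook touched by this commit; under `-v` both tasks print their `ansible_facts`, i.e. the decrypted vault contents and the full password map, to the console and any callback log. Add `no_log: true` to both; today only the final `ansible_become_password` step is protected. The play is named `APT update + dist-upgrade (minimal + vault become)` and defines `apt_update_timeout_seconds`, `apt_http_timeout_seconds` and `apt_force_ipv4`, yet the only task visible deploys a MOTD script, so the name and vars look copied from the upgrade playbook — rename the play and remove the vars unless tasks outside this hunk use them. The `copy:` task continues past the end of the hunk.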
|||||||
@ -1,49 +0,0 @@
|
|||||||
---
|
|
||||||
- name: APT update + dist-upgrade (minimal + vault become)
|
|
||||||
hosts: debians
|
|
||||||
gather_facts: false
|
|
||||||
become: true
|
|
||||||
become_method: sudo
|
|
||||||
|
|
||||||
vars:
|
|
||||||
apt_update_timeout_seconds: 300
|
|
||||||
apt_http_timeout_seconds: 20
|
|
||||||
apt_force_ipv4: true
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Charger les variables vault (become_passwords)
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
file: "../group_vars/all/vault.yml"
|
|
||||||
name: vault_secrets
|
|
||||||
|
|
||||||
- name: Normaliser la map des mots de passe
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
_become_map: >-
|
|
||||||
{{ vault_secrets.become_passwords
|
|
||||||
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
|
|
||||||
else vault_secrets }}
|
|
||||||
|
|
||||||
- name: Vérifier que le mot de passe existe pour l’hôte courant
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- _become_map is mapping
|
|
||||||
- inventory_hostname in _become_map
|
|
||||||
fail_msg: >-
|
|
||||||
Mot de passe manquant pour {{ inventory_hostname }}.
|
|
||||||
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
|
|
||||||
|
|
||||||
- name: Définir le mot de passe sudo (variable officielle)
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
|
|
||||||
- name: Déployer le script MOTD personnalisé
|
|
||||||
copy:
|
|
||||||
src: ../sources/99-motd # Chemin relatif depuis où tu exécutes le playbook
|
|
||||||
dest: /etc/update-motd.d/99-motd
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0755'
|
|
||||||
become: yes
|
|
||||||