Nettoyage des playbook

Stephane MAURO 2026-02-07 23:38:18 +01:00
parent 5cb61227fd
commit 80be1748d9
6 changed files with 204 additions and 476 deletions


@ -1,6 +1,6 @@
---
- name: Upgrade Debian avec become_pass dynamique
hosts: all
- name: Upgrade Debian avec become_pass dynamique (v2)
hosts: debians
gather_facts: false
become: true
become_method: sudo
@ -10,23 +10,177 @@
ansible.builtin.include_vars:
file: "../group_vars/all/vault.yml"
name: vault_secrets
no_log: true
- name: Définir le mot de passe sudo
- name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
ansible.builtin.set_fact:
ansible_become_pass: "{{ vault_secrets.become_passwords[inventory_hostname] }}"
_become_map: >-
{{ vault_secrets.become_passwords
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
else vault_secrets }}
no_log: true
- name: Vérifier que le mot de passe existe pour lhôte courant
ansible.builtin.assert:
that:
- _become_map is mapping
- inventory_hostname in _become_map
fail_msg: >-
Mot de passe manquant pour {{ inventory_hostname }}.
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
no_log: true
- name: Définir le mot de passe sudo (variable officielle)
ansible.builtin.set_fact:
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
no_log: true
- name: Charger les facts système (setup)
ansible.builtin.setup:
tasks:
- name: Mise à jour du cache APT
ansible.builtin.apt:
update_cache: yes
cache_valid_time: 3600
# --------------------------------------------------------------------
# FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG)
# --------------------------------------------------------------------
- name: Détecter la présence du dépôt Sury (packages.sury.org/php)
ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
register: sury_present
changed_when: false
failed_when: false
- name: Upgrade des paquets
- name: Lister les fichiers APT contenant Sury
ansible.builtin.shell: |
grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
register: sury_files
changed_when: false
when: sury_present.rc == 0
- name: Filtrer les fichiers APT Sury à commenter (exclure le fichier géré)
ansible.builtin.set_fact:
sury_files_to_comment: >-
{{ (sury_files.stdout_lines | default([]))
| reject('equalto', '/etc/apt/sources.list.d/sury-php.list')
| list }}
changed_when: false
when: sury_present.rc == 0
- name: Installer les prérequis (curl/ca-certificates/lsb-release)
ansible.builtin.apt:
name:
- curl
- ca-certificates
- lsb-release
state: present
update_cache: false
force_apt_get: true
lock_timeout: 600
environment:
DEBIAN_FRONTEND: noninteractive
when: sury_present.rc == 0
- name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
ansible.builtin.get_url:
url: https://packages.sury.org/debsuryorg-archive-keyring.deb
dest: /tmp/debsuryorg-archive-keyring.deb
mode: "0644"
when: sury_present.rc == 0
- name: Installer le keyring Sury (.deb)
ansible.builtin.apt:
deb: /tmp/debsuryorg-archive-keyring.deb
force_apt_get: true
lock_timeout: 600
environment:
DEBIAN_FRONTEND: noninteractive
when: sury_present.rc == 0
- name: Commenter les anciennes lignes Sury (si présentes)
ansible.builtin.replace:
path: "{{ item }}"
regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
replace: '# \1'
loop: "{{ sury_files_to_comment | default([]) }}"
when:
- sury_present.rc == 0
- (sury_files_to_comment | default([])) | length > 0
- name: Recréer une source Sury propre avec signed-by (fichier dédié)
ansible.builtin.copy:
dest: /etc/apt/sources.list.d/sury-php.list
mode: "0644"
content: |
deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main
when: sury_present.rc == 0
# --------------------------------------------------------------------
# APT update + debug si échec
# --------------------------------------------------------------------
- name: Mise à jour du cache APT (forcée)
block:
- name: apt-get update (timeout + IPv4 + timeouts http)
ansible.builtin.command: >
timeout 300s apt-get
-o Acquire::ForceIPv4=true
-o Acquire::http::Timeout=20
-o Acquire::https::Timeout=20
update
register: apt_update
changed_when: false
failed_when: apt_update.rc != 0
rescue:
- name: Debug apt-get update
ansible.builtin.shell: |
apt-get -o Acquire::ForceIPv4=true -o Acquire::http::Timeout=20 -o Acquire::https::Timeout=20 update 2>&1 | tail -n 200
args:
executable: /bin/bash
register: apt_update_debug
changed_when: false
- ansible.builtin.fail:
msg: |
APT update a échoué sur {{ inventory_hostname }}.
{{ apt_update_debug.stdout }}
rescue:
- name: Debug apt-get update
ansible.builtin.shell: |
apt-get update 2>&1 | tail -n 200
args:
executable: /bin/bash
register: apt_update_debug
changed_when: false
- ansible.builtin.fail:
msg: |
APT update a échoué sur {{ inventory_hostname }}.
{{ apt_update_debug.stdout }}
# --------------------------------------------------------------------
# Upgrade (avec option pour accepter les downgrades si tu le veux)
# --------------------------------------------------------------------
- name: Simulation dist-upgrade (détection downgrades)
ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
register: sim
changed_when: false
- name: Stopper cet hôte si downgrades détectés
when: sim.stdout is search("DOWNGRADED")
block:
- debug:
msg: |
Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
Extrait:
{{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}
- meta: end_host
- name: Upgrade des paquets (dist-upgrade) + nettoyage
ansible.builtin.apt:
upgrade: dist
autoremove: yes
autoclean: yes
autoremove: true
autoclean: true
force_apt_get: true
lock_timeout: 600
dpkg_options: "force-confdef,force-confold"
allow_downgrade: "{{ apt_allow_downgrades | default(false) }}"
environment:
DEBIAN_FRONTEND: noninteractive
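Review bot: The Sury keyring package is fetched by get_url (`url: https://packages.sury.org/debsuryorg-archive-keyring.deb`) and then installed as root by the next apt task with no integrity check, so the trust anchor for every later PHP package rests on TLS alone and on a file parked in world-writable /tmp between the two tasks; pin it with `checksum: "sha256:<digest of the published keyring package, obtained out of band>"` and write it somewhere root-owned, e.g. `dest: /root/debsuryorg-archive-keyring.deb` or a path from `ansible.builtin.tempfile`. Separately, the `Mise à jour du cache APT (forcée)` block carries two `rescue:` keys (the first with the ForceIPv4/timeout options, the second without); a YAML mapping cannot hold duplicate keys, so Ansible will keep only the last one (with a warning, as far as I know) and the first rescue is dead text — delete the second `rescue:` stanza. Also note that `no_log: true` on the assert task suppresses its fail_msg, which lists only hostnames, not secrets; dropping no_log there restores the diagnostic without exposing anything.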


@ -1,53 +0,0 @@
---
- name: Upgrade Debian avec become_pass dynamique (v2)
hosts: debians
gather_facts: false
become: true
become_method: sudo
pre_tasks:
- name: Charger les variables vault (become_passwords)
ansible.builtin.include_vars:
file: "../group_vars/all/vault.yml"
name: vault_secrets
- name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
ansible.builtin.set_fact:
_become_map: >-
{{ vault_secrets.become_passwords
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
else vault_secrets }}
- name: Vérifier que le mot de passe existe pour lhôte courant
ansible.builtin.assert:
that:
- _become_map is mapping
- inventory_hostname in _become_map
fail_msg: >-
Mot de passe manquant pour {{ inventory_hostname }}.
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
- name: Définir le mot de passe sudo (variable officielle)
ansible.builtin.set_fact:
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
no_log: true
- name: Charger les facts système (setup)
ansible.builtin.setup:
tasks:
- name: Mise à jour du cache APT
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
- name: Upgrade des paquets (dist-upgrade) + nettoyage
ansible.builtin.apt:
upgrade: dist
autoremove: true
autoclean: true
# Optionnel : pour limiter le run à ton groupe via la CLI:
# Exécution conseillée :
# ansible-playbook -i inventory/inventory.ini playbooks/apt-upgrade_v2.yml --ask-vault-pass -l debians


@ -1,160 +0,0 @@
---
- name: Upgrade Debian avec become_pass dynamique (v2)
hosts: debians
gather_facts: false
become: true
become_method: sudo
pre_tasks:
- name: Charger les variables vault (become_passwords)
ansible.builtin.include_vars:
file: "../group_vars/all/vault.yml"
name: vault_secrets
- name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
ansible.builtin.set_fact:
_become_map: >-
{{ vault_secrets.become_passwords
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
else vault_secrets }}
- name: Vérifier que le mot de passe existe pour lhôte courant
ansible.builtin.assert:
that:
- _become_map is mapping
- inventory_hostname in _become_map
fail_msg: >-
Mot de passe manquant pour {{ inventory_hostname }}.
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
- name: Définir le mot de passe sudo (variable officielle)
ansible.builtin.set_fact:
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
no_log: true
- name: Charger les facts système (setup)
ansible.builtin.setup:
tasks:
# --------------------------------------------------------------------
# FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG)
# --------------------------------------------------------------------
- name: Détecter la présence du dépôt Sury (packages.sury.org/php)
ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
register: sury_present
changed_when: false
failed_when: false
- name: Lister les fichiers APT contenant Sury
ansible.builtin.shell: |
grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
register: sury_files
changed_when: false
when: sury_present.rc == 0
- name: Installer les prérequis (curl/ca-certificates/lsb-release)
ansible.builtin.apt:
name:
- curl
- ca-certificates
- lsb-release
state: present
update_cache: false
force_apt_get: true
lock_timeout: 600
environment:
DEBIAN_FRONTEND: noninteractive
when: sury_present.rc == 0
- name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
ansible.builtin.get_url:
url: https://packages.sury.org/debsuryorg-archive-keyring.deb
dest: /tmp/debsuryorg-archive-keyring.deb
mode: "0644"
when: sury_present.rc == 0
- name: Installer le keyring Sury (.deb)
ansible.builtin.apt:
deb: /tmp/debsuryorg-archive-keyring.deb
force_apt_get: true
lock_timeout: 600
environment:
DEBIAN_FRONTEND: noninteractive
when: sury_present.rc == 0
- name: Commenter les anciennes lignes Sury (si présentes)
ansible.builtin.replace:
path: "{{ item }}"
regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
replace: '# \1'
loop: "{{ sury_files.stdout_lines | default([]) }}"
when:
- sury_present.rc == 0
- (sury_files.stdout | default('')) | length > 0
- name: Recréer une source Sury propre avec signed-by (fichier dédié)
ansible.builtin.copy:
dest: /etc/apt/sources.list.d/sury-php.list
mode: "0644"
content: |
deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main
when: sury_present.rc == 0
# --------------------------------------------------------------------
# APT update + debug si échec
# --------------------------------------------------------------------
- name: Mise à jour du cache APT (forcée)
block:
- name: apt update_cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: 0
force_apt_get: true
update_cache_retries: 5
update_cache_retry_max_delay: 15
lock_timeout: 600
rescue:
- name: Debug apt-get update
ansible.builtin.shell: |
apt-get update 2>&1 | tail -n 200
args:
executable: /bin/bash
register: apt_update_debug
changed_when: false
- ansible.builtin.fail:
msg: |
APT update a échoué sur {{ inventory_hostname }}.
{{ apt_update_debug.stdout }}
# --------------------------------------------------------------------
# Upgrade (avec option pour accepter les downgrades si tu le veux)
# --------------------------------------------------------------------
- name: Simulation dist-upgrade (détection downgrades)
ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
register: sim
changed_when: false
- name: Stopper cet hôte si downgrades détectés
when: sim.stdout is search("DOWNGRADED")
block:
- debug:
msg: |
Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
Extrait:
{{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}
- meta: end_host
- name: Upgrade des paquets (dist-upgrade) + nettoyage
ansible.builtin.apt:
upgrade: dist
autoremove: true
autoclean: true
force_apt_get: true
lock_timeout: 600
dpkg_options: "force-confdef,force-confold"
allow_downgrade: "{{ apt_allow_downgrades | default(false) }}"
environment:
DEBIAN_FRONTEND: noninteractive


@ -1,186 +0,0 @@
---
- name: Upgrade Debian avec become_pass dynamique (v2)
hosts: debians
gather_facts: false
become: true
become_method: sudo
pre_tasks:
- name: Charger les variables vault (become_passwords)
ansible.builtin.include_vars:
file: "../group_vars/all/vault.yml"
name: vault_secrets
no_log: true
- name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
ansible.builtin.set_fact:
_become_map: >-
{{ vault_secrets.become_passwords
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
else vault_secrets }}
no_log: true
- name: Vérifier que le mot de passe existe pour lhôte courant
ansible.builtin.assert:
that:
- _become_map is mapping
- inventory_hostname in _become_map
fail_msg: >-
Mot de passe manquant pour {{ inventory_hostname }}.
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
no_log: true
- name: Définir le mot de passe sudo (variable officielle)
ansible.builtin.set_fact:
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
no_log: true
- name: Charger les facts système (setup)
ansible.builtin.setup:
tasks:
# --------------------------------------------------------------------
# FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG)
# --------------------------------------------------------------------
- name: Détecter la présence du dépôt Sury (packages.sury.org/php)
ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
register: sury_present
changed_when: false
failed_when: false
- name: Lister les fichiers APT contenant Sury
ansible.builtin.shell: |
grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
register: sury_files
changed_when: false
when: sury_present.rc == 0
- name: Filtrer les fichiers APT Sury à commenter (exclure le fichier géré)
ansible.builtin.set_fact:
sury_files_to_comment: >-
{{ (sury_files.stdout_lines | default([]))
| reject('equalto', '/etc/apt/sources.list.d/sury-php.list')
| list }}
changed_when: false
when: sury_present.rc == 0
- name: Installer les prérequis (curl/ca-certificates/lsb-release)
ansible.builtin.apt:
name:
- curl
- ca-certificates
- lsb-release
state: present
update_cache: false
force_apt_get: true
lock_timeout: 600
environment:
DEBIAN_FRONTEND: noninteractive
when: sury_present.rc == 0
- name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
ansible.builtin.get_url:
url: https://packages.sury.org/debsuryorg-archive-keyring.deb
dest: /tmp/debsuryorg-archive-keyring.deb
mode: "0644"
when: sury_present.rc == 0
- name: Installer le keyring Sury (.deb)
ansible.builtin.apt:
deb: /tmp/debsuryorg-archive-keyring.deb
force_apt_get: true
lock_timeout: 600
environment:
DEBIAN_FRONTEND: noninteractive
when: sury_present.rc == 0
- name: Commenter les anciennes lignes Sury (si présentes)
ansible.builtin.replace:
path: "{{ item }}"
regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
replace: '# \1'
loop: "{{ sury_files_to_comment | default([]) }}"
when:
- sury_present.rc == 0
- (sury_files_to_comment | default([])) | length > 0
- name: Recréer une source Sury propre avec signed-by (fichier dédié)
ansible.builtin.copy:
dest: /etc/apt/sources.list.d/sury-php.list
mode: "0644"
content: |
deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main
when: sury_present.rc == 0
# --------------------------------------------------------------------
# APT update + debug si échec
# --------------------------------------------------------------------
- name: Mise à jour du cache APT (forcée)
block:
- name: apt-get update (timeout + IPv4 + timeouts http)
ansible.builtin.command: >
timeout 300s apt-get
-o Acquire::ForceIPv4=true
-o Acquire::http::Timeout=20
-o Acquire::https::Timeout=20
update
register: apt_update
changed_when: false
failed_when: apt_update.rc != 0
rescue:
- name: Debug apt-get update
ansible.builtin.shell: |
apt-get -o Acquire::ForceIPv4=true -o Acquire::http::Timeout=20 -o Acquire::https::Timeout=20 update 2>&1 | tail -n 200
args:
executable: /bin/bash
register: apt_update_debug
changed_when: false
- ansible.builtin.fail:
msg: |
APT update a échoué sur {{ inventory_hostname }}.
{{ apt_update_debug.stdout }}
rescue:
- name: Debug apt-get update
ansible.builtin.shell: |
apt-get update 2>&1 | tail -n 200
args:
executable: /bin/bash
register: apt_update_debug
changed_when: false
- ansible.builtin.fail:
msg: |
APT update a échoué sur {{ inventory_hostname }}.
{{ apt_update_debug.stdout }}
# --------------------------------------------------------------------
# Upgrade (avec option pour accepter les downgrades si tu le veux)
# --------------------------------------------------------------------
- name: Simulation dist-upgrade (détection downgrades)
ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
register: sim
changed_when: false
- name: Stopper cet hôte si downgrades détectés
when: sim.stdout is search("DOWNGRADED")
block:
- debug:
msg: |
Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
Extrait:
{{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}
- meta: end_host
- name: Upgrade des paquets (dist-upgrade) + nettoyage
ansible.builtin.apt:
upgrade: dist
autoremove: true
autoclean: true
force_apt_get: true
lock_timeout: 600
dpkg_options: "force-confdef,force-confold"
allow_downgrade: "{{ apt_allow_downgrades | default(false) }}"
environment:
DEBIAN_FRONTEND: noninteractive


@ -1,21 +1,43 @@
- hosts: debians
vars:
user: "smauro"
become: yes
#root_password: "testtest"
tasks:
# 4. Mettre à jour les paquets
- name: Mettre à jour les paquets
apt:
update_cache: yes
become: yes
---
- name: APT update + dist-upgrade (minimal + vault become)
hosts: debians
gather_facts: false
become: true
become_method: sudo
# 11. Mettre à jour et upgrader le système
- name: Mettre à jour et upgrader le système
apt:
update_cache: yes
upgrade: dist
become: yes
vars:
apt_update_timeout_seconds: 300
apt_http_timeout_seconds: 20
apt_force_ipv4: true
pre_tasks:
- name: Charger les variables vault (become_passwords)
ansible.builtin.include_vars:
file: "../group_vars/all/vault.yml"
name: vault_secrets
- name: Normaliser la map des mots de passe
ansible.builtin.set_fact:
_become_map: >-
{{ vault_secrets.become_passwords
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
else vault_secrets }}
- name: Vérifier que le mot de passe existe pour lhôte courant
ansible.builtin.assert:
that:
- _become_map is mapping
- inventory_hostname in _become_map
fail_msg: >-
Mot de passe manquant pour {{ inventory_hostname }}.
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
- name: Définir le mot de passe sudo (variable officielle)
ansible.builtin.set_fact:
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
no_log: true
tasks:
- name: Déployer le script MOTD personnalisé
copy:
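Review bot: The `Charger les variables vault (become_passwords)` include_vars task and the `Normaliser la map des mots de passe` set_fact task carry no `no_log: true`, unlike the same two tasks in the apt-upgrade playbook touched by this commit, so the whole password map returned by include_vars (and copied into `_become_map`) will appear in the task result at higher verbosity and be handed to any callback or logging plugin; add `no_log: true` to both tasks, matching the `ansible_become_password` task that already has it. The assert's fail_msg only lists hostnames, so it can stay loggable. The play is still named `APT update + dist-upgrade (minimal + vault become)` and declares `apt_update_timeout_seconds`/`apt_http_timeout_seconds`/`apt_force_ipv4`, none of which is used in the visible lines, while its first task deploys a MOTD script — the name and the vars look like leftovers from the playbook this was copied from; the play's task list continues past the hunk.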


@ -1,49 +0,0 @@
---
- name: APT update + dist-upgrade (minimal + vault become)
hosts: debians
gather_facts: false
become: true
become_method: sudo
vars:
apt_update_timeout_seconds: 300
apt_http_timeout_seconds: 20
apt_force_ipv4: true
pre_tasks:
- name: Charger les variables vault (become_passwords)
ansible.builtin.include_vars:
file: "../group_vars/all/vault.yml"
name: vault_secrets
- name: Normaliser la map des mots de passe
ansible.builtin.set_fact:
_become_map: >-
{{ vault_secrets.become_passwords
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
else vault_secrets }}
- name: Vérifier que le mot de passe existe pour lhôte courant
ansible.builtin.assert:
that:
- _become_map is mapping
- inventory_hostname in _become_map
fail_msg: >-
Mot de passe manquant pour {{ inventory_hostname }}.
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
- name: Définir le mot de passe sudo (variable officielle)
ansible.builtin.set_fact:
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
no_log: true
tasks:
- name: Déployer le script MOTD personnalisé
copy:
src: ../sources/99-motd # Chemin relatif depuis où tu exécutes le playbook
dest: /etc/update-motd.d/99-motd
owner: root
group: root
mode: '0755'
become: yes