From d065179e73a1948001217924f0a25628eb81f8cf Mon Sep 17 00:00:00 2001
From: Stephane MAURO
Date: Sat, 7 Feb 2026 23:24:54 +0100
Subject: [PATCH] ajout nouveau playbook
---
 ansible/ansible.cfg | 3 +
 ansible/playbooks/apt-upgrade_v3.yml | 38 +++--
 ansible/playbooks/apt-upgrade_v4.yml | 186 +++++++++++++++++++++++
 ansible/playbooks/apt_update_upgrade.yml | 74 +++++++++
 4 files changed, 288 insertions(+), 13 deletions(-)
 create mode 100644 ansible/playbooks/apt-upgrade_v4.yml
 create mode 100644 ansible/playbooks/apt_update_upgrade.yml
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index dde5a223a..47ae72b27 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -2,3 +2,6 @@
 inventory = ./inventory/hosts.yml
 remote_user = smauro
 host_key_checking = False
+stdout_callback = ansible.builtin.default
+bin_ansible_callbacks = True
+callbacks_enabled = profile_tasks,timer
diff --git a/ansible/playbooks/apt-upgrade_v3.yml b/ansible/playbooks/apt-upgrade_v3.yml
index c40a2f506..77851cfed 100644
--- a/ansible/playbooks/apt-upgrade_v3.yml
+++ b/ansible/playbooks/apt-upgrade_v3.yml
@@ -103,37 +103,49 @@ # -------------------------------------------------------------------- # APT update + debug si échec # -------------------------------------------------------------------- - - name: Mise à jour du cache APT + + - name: Mise à jour du cache APT (forcée) block: - name: apt update_cache ansible.builtin.apt: update_cache: true - cache_valid_time: 3600 + cache_valid_time: 0 force_apt_get: true - lock_timeout: 600 update_cache_retries: 5 update_cache_retry_max_delay: 15 - environment: - DEBIAN_FRONTEND: noninteractive + lock_timeout: 600 rescue: - - name: Debug (apt-get update) si le module APT échoue + - name: Debug apt-get update ansible.builtin.shell: | - apt-get update 2>&1 | tail -n 160 + apt-get update 2>&1 | tail -n 200 + args: + executable: /bin/bash register: apt_update_debug changed_when: false - failed_when: false - - - name: Échec explicite avec sortie APT - ansible.builtin.fail: + - ansible.builtin.fail: msg: | APT update a échoué sur {{ inventory_hostname }}. - RC apt-get: {{ apt_update_debug.rc }} - Sortie : {{ apt_update_debug.stdout }} # -------------------------------------------------------------------- # Upgrade (avec option pour accepter les downgrades si tu le veux) # -------------------------------------------------------------------- + + - name: Simulation dist-upgrade (détection downgrades) + ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade + register: sim + changed_when: false + + - name: Stopper cet hôte si downgrades détectés + when: sim.stdout is search("DOWNGRADED") + block: + - debug: + msg: | + Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux. + Extrait: + {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }} + - meta: end_host + - name: Upgrade des paquets (dist-upgrade) + nettoyage ansible.builtin.apt: upgrade: dist 
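Review bot: The new downgrade guard `when: sim.stdout is search("DOWNGRADED")` depends on the English wording of `apt-get -s dist-upgrade`; on a host whose root locale is not C/English that header is translated, the search misses and the dist-upgrade proceeds, which is exactly the case the guard exists to stop, and apt-upgrade_v4.yml in this same commit adds the identical task. Pin the locale on the simulation task with `environment:` followed by `LC_ALL: C`, which also keeps the `select('search','DOWNGRADED')` extract in the debug message consistent with the check. The two tasks inside the guard use bare `debug` and `meta` while the rest of the file uses `ansible.builtin.` names; `ansible.builtin.debug` and `ansible.builtin.meta` keep the file uniform. The `Upgrade des paquets (dist-upgrade) + nettoyage` task at the end of the hunk continues outside it.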
diff --git a/ansible/playbooks/apt-upgrade_v4.yml b/ansible/playbooks/apt-upgrade_v4.yml
new file mode 100644
index 000000000..bb1bd2e60
--- /dev/null
+++ b/ansible/playbooks/apt-upgrade_v4.yml
@@ -0,0 +1,186 @@ +--- +- name: Upgrade Debian avec become_pass dynamique (v2) + hosts: debians + gather_facts: false + become: true + become_method: sudo + + pre_tasks: + - name: Charger les variables vault (become_passwords) + ansible.builtin.include_vars: + file: "../group_vars/all/vault.yml" + name: vault_secrets + no_log: true + + - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords) + ansible.builtin.set_fact: + _become_map: >- + {{ vault_secrets.become_passwords + if (vault_secrets is mapping and 'become_passwords' in vault_secrets) + else vault_secrets }} + no_log: true + + - name: Vérifier que le mot de passe existe pour l’hôte courant + ansible.builtin.assert: + that: + - _become_map is mapping + - inventory_hostname in _become_map + fail_msg: >- + Mot de passe manquant pour {{ inventory_hostname }}. + Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} + no_log: true + + - name: Définir le mot de passe sudo (variable officielle) + ansible.builtin.set_fact: + ansible_become_password: "{{ _become_map[inventory_hostname] }}" + no_log: true + + - name: Charger les facts système (setup) + ansible.builtin.setup: + + tasks: + # -------------------------------------------------------------------- + # FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG) + # -------------------------------------------------------------------- + - name: Détecter la présence du dépôt Sury (packages.sury.org/php) + ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d + register: sury_present + changed_when: false + failed_when: false + + - name: Lister les fichiers APT contenant Sury + ansible.builtin.shell: | + grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true + register: sury_files + changed_when: false + when: sury_present.rc == 0 + + - name: Filtrer les fichiers APT Sury à commenter (exclure le fichier géré) + 
ansible.builtin.set_fact: + sury_files_to_comment: >- + {{ (sury_files.stdout_lines | default([])) + | reject('equalto', '/etc/apt/sources.list.d/sury-php.list') + | list }} + changed_when: false + when: sury_present.rc == 0 + + - name: Installer les prérequis (curl/ca-certificates/lsb-release) + ansible.builtin.apt: + name: + - curl + - ca-certificates + - lsb-release + state: present + update_cache: false + force_apt_get: true + lock_timeout: 600 + environment: + DEBIAN_FRONTEND: noninteractive + when: sury_present.rc == 0 + + - name: Télécharger le keyring Sury (debsuryorg-archive-keyring) + ansible.builtin.get_url: + url: https://packages.sury.org/debsuryorg-archive-keyring.deb + dest: /tmp/debsuryorg-archive-keyring.deb + mode: "0644" + when: sury_present.rc == 0 + + - name: Installer le keyring Sury (.deb) + ansible.builtin.apt: + deb: /tmp/debsuryorg-archive-keyring.deb + force_apt_get: true + lock_timeout: 600 + environment: + DEBIAN_FRONTEND: noninteractive + when: sury_present.rc == 0 + + - name: Commenter les anciennes lignes Sury (si présentes) + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$' + replace: '# \1' + loop: "{{ sury_files_to_comment | default([]) }}" + when: + - sury_present.rc == 0 + - (sury_files_to_comment | default([])) | length > 0 + + - name: Recréer une source Sury propre avec signed-by (fichier dédié) + ansible.builtin.copy: + dest: /etc/apt/sources.list.d/sury-php.list + mode: "0644" + content: | + deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main + when: sury_present.rc == 0 + + # -------------------------------------------------------------------- + # APT update + debug si échec + # -------------------------------------------------------------------- + + - name: Mise à jour du cache APT (forcée) + block: + - name: apt-get update (timeout + IPv4 + timeouts http) + 
ansible.builtin.command: > + timeout 300s apt-get + -o Acquire::ForceIPv4=true + -o Acquire::http::Timeout=20 + -o Acquire::https::Timeout=20 + update + register: apt_update + changed_when: false + failed_when: apt_update.rc != 0 + rescue: + - name: Debug apt-get update + ansible.builtin.shell: | + apt-get -o Acquire::ForceIPv4=true -o Acquire::http::Timeout=20 -o Acquire::https::Timeout=20 update 2>&1 | tail -n 200 + args: + executable: /bin/bash + register: apt_update_debug + changed_when: false + - ansible.builtin.fail: + msg: | + APT update a échoué sur {{ inventory_hostname }}. + {{ apt_update_debug.stdout }} + + rescue: + - name: Debug apt-get update + ansible.builtin.shell: | + apt-get update 2>&1 | tail -n 200 + args: + executable: /bin/bash + register: apt_update_debug + changed_when: false + - ansible.builtin.fail: + msg: | + APT update a échoué sur {{ inventory_hostname }}. + {{ apt_update_debug.stdout }} + + # -------------------------------------------------------------------- + # Upgrade (avec option pour accepter les downgrades si tu le veux) + # -------------------------------------------------------------------- + - name: Simulation dist-upgrade (détection downgrades) + ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade + register: sim + changed_when: false + + - name: Stopper cet hôte si downgrades détectés + when: sim.stdout is search("DOWNGRADED") + block: + - debug: + msg: | + Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux. + Extrait: + {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }} + - meta: end_host + + - name: Upgrade des paquets (dist-upgrade) + nettoyage + ansible.builtin.apt: + upgrade: dist + autoremove: true + autoclean: true + force_apt_get: true + lock_timeout: 600 + dpkg_options: "force-confdef,force-confold" + allow_downgrade: "{{ apt_allow_downgrades | default(false) }}" + environment: + DEBIAN_FRONTEND: noninteractive + 
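Review bot: The `Mise à jour du cache APT (forcée)` block appears to carry two `rescue:` keys at the same level (the second, after the ForceIPv4/timeout variant, re-runs a plain `apt-get update`); indentation is lost in this collapsed view, but if both sit under the same task Ansible's YAML loader only warns on the duplicate key and keeps the last value, so the first rescue is silently dropped and the task should keep a single `rescue:`. Separately, the Sury keyring is fetched with `get_url` into `/tmp` and installed through `apt: deb:` with no integrity pin; apt does not signature-check a local `.deb`, so add `checksum: "sha256:<KEYRING_SHA256_PLACEHOLDER>"` to the `get_url` task (value taken from the vendor's published digest) so a changed or tampered download fails closed instead of installing a new APT trust root. The `no_log: true` on the `assert` also suppresses its `fail_msg`, which lists only hostnames, so the missing-password diagnostic never reaches the operator. This hunk is the whole new file.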
diff --git a/ansible/playbooks/apt_update_upgrade.yml b/ansible/playbooks/apt_update_upgrade.yml
new file mode 100644
index 000000000..12e283824
--- /dev/null
+++ b/ansible/playbooks/apt_update_upgrade.yml
@@ -0,0 +1,74 @@ +--- +- name: APT update + dist-upgrade (minimal + vault become) + hosts: debians + gather_facts: false + become: true + become_method: sudo + + vars: + apt_update_timeout_seconds: 300 + apt_http_timeout_seconds: 20 + apt_force_ipv4: true + + pre_tasks: + - name: Charger les variables vault (become_passwords) + ansible.builtin.include_vars: + file: "../group_vars/all/vault.yml" + name: vault_secrets + + - name: Normaliser la map des mots de passe + ansible.builtin.set_fact: + _become_map: >- + {{ vault_secrets.become_passwords + if (vault_secrets is mapping and 'become_passwords' in vault_secrets) + else vault_secrets }} + + - name: Vérifier que le mot de passe existe pour l’hôte courant + ansible.builtin.assert: + that: + - _become_map is mapping + - inventory_hostname in _become_map + fail_msg: >- + Mot de passe manquant pour {{ inventory_hostname }}. + Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} + + - name: Définir le mot de passe sudo (variable officielle) + ansible.builtin.set_fact: + ansible_become_password: "{{ _become_map[inventory_hostname] }}" + no_log: true + + tasks: + - name: APT update (apt-get update with timeout) + block: + - ansible.builtin.command: > + timeout {{ apt_update_timeout_seconds }}s + apt-get + -o Acquire::http::Timeout={{ apt_http_timeout_seconds }} + -o Acquire::https::Timeout={{ apt_http_timeout_seconds }} + {% if apt_force_ipv4 %}-o Acquire::ForceIPv4=true{% endif %} + update + register: apt_update + changed_when: false + rescue: + - ansible.builtin.shell: | + apt-get update 2>&1 | tail -n 200 + args: + executable: /bin/bash + register: apt_update_debug + changed_when: false + - ansible.builtin.fail: + msg: | + APT update a échoué sur {{ inventory_hostname }}. 
+ {{ apt_update_debug.stdout }} + + - name: APT dist-upgrade + nettoyage + ansible.builtin.apt: + upgrade: dist + force_apt_get: true + dpkg_options: "force-confdef,force-confold" + autoremove: true + autoclean: true + lock_timeout: 600 + environment: + DEBIAN_FRONTEND: noninteractive +
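Review bot: The `include_vars` that loads `../group_vars/all/vault.yml` into `vault_secrets` and the `set_fact` that derives `_become_map` carry no `no_log: true`, so at `-v` or higher (or with any result-logging callback) the task result prints the whole map of become passwords; only the final `ansible_become_password` set_fact is protected. The sibling apt-upgrade_v4.yml in this commit sets `no_log: true` on exactly these pre_tasks, so add `no_log: true` to both tasks here as well. This hunk is the whole new file.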