ajout nouveau playbook

ansible/ansible.cfg

@@ -2,3 +2,6 @@
 inventory = ./inventory/hosts.yml
 remote_user = smauro
 host_key_checking = False
+stdout_callback	= ansible.builtin.default
+bin_ansible_callbacks = True
+callbacks_enabled = profile_tasks,timer

ansible/playbooks/apt-upgrade_v3.yml

@@ -103,37 +103,49 @@
     # --------------------------------------------------------------------
     # APT update + debug si échec
     # --------------------------------------------------------------------
-    - name: Mise à jour du cache APT
+    
+    - name: Mise à jour du cache APT (forcée)
       block:
         - name: apt update_cache
           ansible.builtin.apt:
             update_cache: true
-            cache_valid_time: 3600
+            cache_valid_time: 0
             force_apt_get: true
-            lock_timeout: 600
             update_cache_retries: 5
             update_cache_retry_max_delay: 15
-          environment:
+            lock_timeout: 600
-            DEBIAN_FRONTEND: noninteractive
       rescue:
-        - name: Debug (apt-get update) si le module APT échoue
+        - name: Debug apt-get update
           ansible.builtin.shell: |
-            apt-get update 2>&1 | tail -n 160
+            apt-get update 2>&1 | tail -n 200
+          args:
+            executable: /bin/bash
           register: apt_update_debug
           changed_when: false
-          failed_when: false
+        - ansible.builtin.fail:
-
-        - name: Échec explicite avec sortie APT
-          ansible.builtin.fail:
             msg: |
               APT update a échoué sur {{ inventory_hostname }}.
-              RC apt-get: {{ apt_update_debug.rc }}
-              Sortie :
               {{ apt_update_debug.stdout }}
 
     # --------------------------------------------------------------------
     # Upgrade (avec option pour accepter les downgrades si tu le veux)
     # --------------------------------------------------------------------
+
+    - name: Simulation dist-upgrade (détection downgrades)
+      ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
+      register: sim
+      changed_when: false
+
+    - name: Stopper cet hôte si downgrades détectés
+      when: sim.stdout is search("DOWNGRADED")
+      block:
+        - debug:
+            msg: |
+              Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
+              Extrait:
+              {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}
+        - meta: end_host
+
     - name: Upgrade des paquets (dist-upgrade) + nettoyage
       ansible.builtin.apt:
         upgrade: dist

ansible/playbooks/apt-upgrade_v4.yml

@@ -0,0 +1,186 @@
+---
+- name: Upgrade Debian avec become_pass dynamique (v2)
+  hosts: debians
+  gather_facts: false
+  become: true
+  become_method: sudo
+
+  pre_tasks:
+    - name: Charger les variables vault (become_passwords)
+      ansible.builtin.include_vars:
+        file: "../group_vars/all/vault.yml"
+        name: vault_secrets
+      no_log: true
+
+    - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
+      ansible.builtin.set_fact:
+        _become_map: >-
+          {{ vault_secrets.become_passwords
+             if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
+             else vault_secrets }}
+      no_log: true
+
+    - name: Vérifier que le mot de passe existe pour l’hôte courant
+      ansible.builtin.assert:
+        that:
+          - _become_map is mapping
+          - inventory_hostname in _become_map
+        fail_msg: >-
+          Mot de passe manquant pour {{ inventory_hostname }}.
+          Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
+      no_log: true
+
+    - name: Définir le mot de passe sudo (variable officielle)
+      ansible.builtin.set_fact:
+        ansible_become_password: "{{ _become_map[inventory_hostname] }}"
+      no_log: true
+
+    - name: Charger les facts système (setup)
+      ansible.builtin.setup:
+
+  tasks:
+    # --------------------------------------------------------------------
+    # FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG)
+    # --------------------------------------------------------------------
+    - name: Détecter la présence du dépôt Sury (packages.sury.org/php)
+      ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
+      register: sury_present
+      changed_when: false
+      failed_when: false
+
+    - name: Lister les fichiers APT contenant Sury
+      ansible.builtin.shell: |
+        grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
+      register: sury_files
+      changed_when: false
+      when: sury_present.rc == 0
+
+    - name: Filtrer les fichiers APT Sury à commenter (exclure le fichier géré)
+      ansible.builtin.set_fact:
+        sury_files_to_comment: >-
+          {{ (sury_files.stdout_lines | default([]))
+             | reject('equalto', '/etc/apt/sources.list.d/sury-php.list')
+             | list }}
+      changed_when: false
+      when: sury_present.rc == 0
+
+    - name: Installer les prérequis (curl/ca-certificates/lsb-release)
+      ansible.builtin.apt:
+        name:
+          - curl
+          - ca-certificates
+          - lsb-release
+        state: present
+        update_cache: false
+        force_apt_get: true
+        lock_timeout: 600
+      environment:
+        DEBIAN_FRONTEND: noninteractive
+      when: sury_present.rc == 0
+
+    - name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
+      ansible.builtin.get_url:
+        url: https://packages.sury.org/debsuryorg-archive-keyring.deb
+        dest: /tmp/debsuryorg-archive-keyring.deb
+        mode: "0644"
+      when: sury_present.rc == 0
+
+    - name: Installer le keyring Sury (.deb)
+      ansible.builtin.apt:
+        deb: /tmp/debsuryorg-archive-keyring.deb
+        force_apt_get: true
+        lock_timeout: 600
+      environment:
+        DEBIAN_FRONTEND: noninteractive
+      when: sury_present.rc == 0
+
+    - name: Commenter les anciennes lignes Sury (si présentes)
+      ansible.builtin.replace:
+        path: "{{ item }}"
+        regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
+        replace: '# \1'
+      loop: "{{ sury_files_to_comment | default([]) }}"
+      when:
+        - sury_present.rc == 0
+        - (sury_files_to_comment | default([])) | length > 0
+
+    - name: Recréer une source Sury propre avec signed-by (fichier dédié)
+      ansible.builtin.copy:
+        dest: /etc/apt/sources.list.d/sury-php.list
+        mode: "0644"
+        content: |
+          deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main
+      when: sury_present.rc == 0
+
+    # --------------------------------------------------------------------
+    # APT update + debug si échec
+    # --------------------------------------------------------------------
+    
+    - name: Mise à jour du cache APT (forcée)
+      block:
+        - name: apt-get update (timeout + IPv4 + timeouts http)
+          ansible.builtin.command: >
+            timeout 300s apt-get
+            -o Acquire::ForceIPv4=true
+            -o Acquire::http::Timeout=20
+            -o Acquire::https::Timeout=20
+            update
+          register: apt_update
+          changed_when: false
+          failed_when: apt_update.rc != 0
+      rescue:
+        - name: Debug apt-get update
+          ansible.builtin.shell: |
+            apt-get -o Acquire::ForceIPv4=true -o Acquire::http::Timeout=20 -o Acquire::https::Timeout=20 update 2>&1 | tail -n 200
+          args:
+            executable: /bin/bash
+          register: apt_update_debug
+          changed_when: false
+        - ansible.builtin.fail:
+            msg: |
+              APT update a échoué sur {{ inventory_hostname }}.
+              {{ apt_update_debug.stdout }}
+
+      rescue:
+        - name: Debug apt-get update
+          ansible.builtin.shell: |
+            apt-get update 2>&1 | tail -n 200
+          args:
+            executable: /bin/bash
+          register: apt_update_debug
+          changed_when: false
+        - ansible.builtin.fail:
+            msg: |
+              APT update a échoué sur {{ inventory_hostname }}.
+              {{ apt_update_debug.stdout }}
+
+    # --------------------------------------------------------------------
+    # Upgrade (avec option pour accepter les downgrades si tu le veux)
+    # --------------------------------------------------------------------
+    - name: Simulation dist-upgrade (détection downgrades)
+      ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
+      register: sim
+      changed_when: false
+
+    - name: Stopper cet hôte si downgrades détectés
+      when: sim.stdout is search("DOWNGRADED")
+      block:
+        - debug:
+            msg: |
+              Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
+              Extrait:
+              {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}
+        - meta: end_host
+
+    - name: Upgrade des paquets (dist-upgrade) + nettoyage
+      ansible.builtin.apt:
+        upgrade: dist
+        autoremove: true
+        autoclean: true
+        force_apt_get: true
+        lock_timeout: 600
+        dpkg_options: "force-confdef,force-confold"
+        allow_downgrade: "{{ apt_allow_downgrades | default(false) }}"
+      environment:
+        DEBIAN_FRONTEND: noninteractive
+

ansible/playbooks/apt_update_upgrade.yml

@@ -0,0 +1,74 @@
+---
+- name: APT update + dist-upgrade (minimal + vault become)
+  hosts: debians
+  gather_facts: false
+  become: true
+  become_method: sudo
+
+  vars:
+    apt_update_timeout_seconds: 300
+    apt_http_timeout_seconds: 20
+    apt_force_ipv4: true
+
+  pre_tasks:
+    - name: Charger les variables vault (become_passwords)
+      ansible.builtin.include_vars:
+        file: "../group_vars/all/vault.yml"
+        name: vault_secrets
+
+    - name: Normaliser la map des mots de passe
+      ansible.builtin.set_fact:
+        _become_map: >-
+          {{ vault_secrets.become_passwords
+             if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
+             else vault_secrets }}
+
+    - name: Vérifier que le mot de passe existe pour l’hôte courant
+      ansible.builtin.assert:
+        that:
+          - _become_map is mapping
+          - inventory_hostname in _become_map
+        fail_msg: >-
+          Mot de passe manquant pour {{ inventory_hostname }}.
+          Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
+
+    - name: Définir le mot de passe sudo (variable officielle)
+      ansible.builtin.set_fact:
+        ansible_become_password: "{{ _become_map[inventory_hostname] }}"
+      no_log: true
+
+  tasks:
+    - name: APT update (apt-get update with timeout)
+      block:
+        - ansible.builtin.command: >
+            timeout {{ apt_update_timeout_seconds }}s
+            apt-get
+            -o Acquire::http::Timeout={{ apt_http_timeout_seconds }}
+            -o Acquire::https::Timeout={{ apt_http_timeout_seconds }}
+            {% if apt_force_ipv4 %}-o Acquire::ForceIPv4=true{% endif %}
+            update
+          register: apt_update
+          changed_when: false
+      rescue:
+        - ansible.builtin.shell: |
+            apt-get update 2>&1 | tail -n 200
+          args:
+            executable: /bin/bash
+          register: apt_update_debug
+          changed_when: false
+        - ansible.builtin.fail:
+            msg: |
+              APT update a échoué sur {{ inventory_hostname }}.
+              {{ apt_update_debug.stdout }}
+
+    - name: APT dist-upgrade + nettoyage
+      ansible.builtin.apt:
+        upgrade: dist
+        force_apt_get: true
+        dpkg_options: "force-confdef,force-confold"
+        autoremove: true
+        autoclean: true
+        lock_timeout: 600
+      environment:
+        DEBIAN_FRONTEND: noninteractive
+