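---
# Runs `apt-get update` then a dist-upgrade on every host in the `debians`
# group. The per-host sudo password is read from an Ansible Vault file and
# exposed through ansible_become_password before the first remote task runs
# (include_vars / set_fact / assert execute on the controller, so they do not
# need become themselves).
- name: APT update + dist-upgrade (minimal + vault become)
  hosts: debians
  gather_facts: false
  become: true
  become_method: sudo
  vars:
    # Wall-clock cap for one apt-get update run, enforced by coreutils `timeout`.
    apt_update_timeout_seconds: 300
    # Per-connection timeout handed to apt as Acquire::http(s)::Timeout.
    apt_http_timeout_seconds: 20
    # When true, apt is started with -o Acquire::ForceIPv4=true.
    apt_force_ipv4: true

  pre_tasks:
    # no_log: with -v, include_vars echoes every loaded variable (the whole
    # password map) in its task result; keep it out of the output.
    - name: Charger les variables vault (become_passwords)
      ansible.builtin.include_vars:
        file: "../group_vars/all/vault.yml"
        name: vault_secrets
      no_log: true

    # Accept either {become_passwords: {host: pw}} or a flat {host: pw} map.
    # no_log: the resulting fact still holds every host's password.
    - name: Normaliser la map des mots de passe
      ansible.builtin.set_fact:
        _become_map: >-
          {{ vault_secrets.become_passwords
          if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
          else vault_secrets }}
      no_log: true

    # Fail early; the message lists only the known hostnames (keys), never values.
    - name: Vérifier que le mot de passe existe pour l’hôte courant
      ansible.builtin.assert:
        that:
          - _become_map is mapping
          - inventory_hostname in _become_map
        fail_msg: >-
          Mot de passe manquant pour {{ inventory_hostname }}.
          Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}

    # ansible_become_password is the connection variable sudo reads from.
    - name: Définir le mot de passe sudo (variable officielle)
      ansible.builtin.set_fact:
        ansible_become_password: "{{ _become_map[inventory_hostname] }}"
      no_log: true

  tasks:
    - name: APT update (apt-get update with timeout)
      block:
        # `timeout` bounds the whole run; apt's Acquire timeouts only bound
        # individual connections, so a stalled mirror could otherwise hang the play.
        - name: Lancer apt-get update (borné par timeout)
          ansible.builtin.command: >
            timeout {{ apt_update_timeout_seconds }}s
            apt-get
            -o Acquire::http::Timeout={{ apt_http_timeout_seconds }}
            -o Acquire::https::Timeout={{ apt_http_timeout_seconds }}
            {% if apt_force_ipv4 %}-o Acquire::ForceIPv4=true{% endif %}
            update
          register: apt_update
          changed_when: false
      rescue:
        # Re-run under the same timeout: rescue is reached after the first run
        # failed or hung, so an unbounded retry could hang the play again.
        # The pipe to tail masks apt's exit code; the fail task below reports
        # the failure regardless.
        - name: Relancer apt-get update pour capturer la sortie
          ansible.builtin.shell: |
            timeout {{ apt_update_timeout_seconds }}s apt-get update 2>&1 | tail -n 200
          args:
            executable: /bin/bash
          register: apt_update_debug
          changed_when: false

        - name: Échouer avec la sortie de apt-get update
          ansible.builtin.fail:
            msg: |
              APT update a échoué sur {{ inventory_hostname }}.
              {{ apt_update_debug.stdout }}

    - name: APT dist-upgrade + nettoyage
      ansible.builtin.apt:
        upgrade: dist
        force_apt_get: true
        # Keep locally modified conffiles; accept package defaults otherwise.
        dpkg_options: "force-confdef,force-confold"
        autoremove: true
        autoclean: true
        # Wait up to 10 minutes for the apt/dpkg lock instead of failing at once.
        lock_timeout: 600
      environment:
        DEBIAN_FRONTEND: noninteractive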