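---
# Debian upgrade play that selects the sudo (become) password per host from
# a vault-encrypted variables file, then refreshes the APT cache and runs a
# dist-upgrade with cleanup.
#
# Secret handling: every task whose result contains decrypted vault content
# carries `no_log: true`, so passwords are not echoed in verbose (-v) output
# or passed to callback/log plugins.
- name: Upgrade Debian avec become_pass dynamique (v2)
  hosts: all
  # Automatic fact gathering is off; `setup` is called explicitly as the last
  # pre_task, after ansible_become_password has been set for the host.
  gather_facts: false
  become: true
  become_method: sudo

  pre_tasks:
    # Loads the vault file into the `vault_secrets` namespace. The task result
    # carries the loaded variables, hence no_log.
    - name: Charger les variables vault (become_passwords)
      ansible.builtin.include_vars:
        file: "../group_vars/all/vault.yml"
        name: vault_secrets
      no_log: true

    # Accepts two vault layouts: a top-level `become_passwords` mapping, or a
    # file that is itself the hostname -> password mapping.
    # The resulting fact holds every host's password, hence no_log.
    - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
      ansible.builtin.set_fact:
        _become_map: >-
          {{ vault_secrets.become_passwords
          if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
          else vault_secrets }}
      no_log: true

    # Stops the host before any privileged task if no password entry exists.
    # Only the map's keys are printed, never its values. The key listing is
    # guarded so that a non-mapping `_become_map` produces this message
    # instead of a templating error on `.keys()`.
    # NOTE(review): in the fallback layout the keys are the vault file's
    # top-level variable names; confirm that listing them is acceptable.
    - name: Vérifier que le mot de passe existe pour l’hôte courant
      ansible.builtin.assert:
        that:
          - _become_map is mapping
          - inventory_hostname in _become_map
        fail_msg: >-
          Mot de passe manquant pour {{ inventory_hostname }}.
          Clés disponibles: {{ (_become_map.keys() | list | sort | join(', '))
          if _become_map is mapping else '(aucune)' }}

    # Sets the connection variable Ansible reads for privilege escalation.
    - name: Définir le mot de passe sudo (variable officielle)
      ansible.builtin.set_fact:
        ansible_become_password: "{{ _become_map[inventory_hostname] }}"
      no_log: true

    # Explicit fact gathering, now that become can authenticate.
    - name: Charger les facts système (setup)
      ansible.builtin.setup:

  tasks:
    # Refreshes the package index unless it is younger than 3600 seconds.
    - name: Mise à jour du cache APT
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrade des paquets (dist-upgrade) + nettoyage
      ansible.builtin.apt:
        upgrade: dist
        autoremove: true
        autoclean: true

# Optional: restrict the run to your group from the CLI with -l.
# The play targets `hosts: all`; hosts without an entry in the password map
# fail at the assert in pre_tasks, before any package task runs.
# Recommended invocation (--ask-vault-pass prompts for the vault password
# instead of taking it on the command line):
# ansible-playbook -i inventory/inventory.ini playbooks/apt-upgrade_v2.yml --ask-vault-pass -l debians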