prod/ansible/playbooks/apt-upgrade.yml


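---
- name: Upgrade Debian avec become_pass dynamique (v2)
  hosts: debians
  # Facts are gathered explicitly at the end of pre_tasks, once the sudo
  # password for this host has been resolved from the vault.
  gather_facts: false
  become: true
  become_method: sudo
  pre_tasks:
    - name: Charger les variables vault (become_passwords)
      ansible.builtin.include_vars:
        # Relative to the playbook directory.
        file: "../group_vars/all/vault.yml"
        name: vault_secrets
      no_log: true

    - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
      # Accept both layouts: {become_passwords: {host: pw}} and a flat {host: pw}.
      ansible.builtin.set_fact:
        _become_map: >-
          {{ vault_secrets.become_passwords
          if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
          else vault_secrets }}
      no_log: true

    - name: Vérifier que le mot de passe existe pour lhôte courant
      ansible.builtin.assert:
        that:
          - _become_map is mapping
          - inventory_hostname in _become_map
        fail_msg: >-
          Mot de passe manquant pour {{ inventory_hostname }}.
          Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
      # Deliberately not no_log: with no_log the fail_msg was censored and
      # useless to the operator. The assertion text and fail_msg only expose
      # map keys (inventory hostnames), never a password value.

    - name: Définir le mot de passe sudo (variable officielle)
      ansible.builtin.set_fact:
        ansible_become_password: "{{ _become_map[inventory_hostname] }}"
      no_log: true

    - name: Charger les facts système (setup)
      # Needs become, hence after the password is known.
      ansible.builtin.setup:

  tasks: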
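# --------------------------------------------------------------------
# FIX: dépôt Sury (packages.sury.org) - clé expirée (EXPKEYSIG)
# --------------------------------------------------------------------
    - name: Détecter la présence du dépôt Sury (packages.sury.org/php)
      # -q: exit status only; -s: silence unreadable/missing-file errors.
      # rc 0 == at least one match; any other rc means "not present".
      ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
      register: sury_present
      changed_when: false
      failed_when: false

    - name: Réparer le dépôt Sury (keyring + source signed-by)
      # One condition for the whole block instead of repeating it per task.
      when: sury_present.rc == 0
      block:
        - name: Lister les fichiers APT contenant Sury
          ansible.builtin.shell: |
            grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
          register: sury_files
          changed_when: false

        - name: Filtrer les fichiers APT Sury à commenter (exclure le fichier géré)
          # The dedicated file written at the end of this block is ours; never
          # comment it out.
          ansible.builtin.set_fact:
            sury_files_to_comment: >-
              {{ (sury_files.stdout_lines | default([]))
              | reject('equalto', '/etc/apt/sources.list.d/sury-php.list')
              | list }}

        - name: Installer les prérequis (curl/ca-certificates/lsb-release)
          ansible.builtin.apt:
            name:
              - curl
              - ca-certificates
              - lsb-release
            state: present
            # The cache may be broken by the expired key; do not refresh it here.
            update_cache: false
            force_apt_get: true
            lock_timeout: 600
          environment:
            DEBIAN_FRONTEND: noninteractive

        - name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
          ansible.builtin.get_url:
            url: https://packages.sury.org/debsuryorg-archive-keyring.deb
            dest: /tmp/debsuryorg-archive-keyring.deb
            mode: "0644"
            # TODO(review): this .deb is installed as root below with no
            # signature check, so only TLS protects its integrity. Pin the
            # expected digest once known, e.g.
            #   checksum: "sha256:<EXPECTED_SHA256>"
            # so a tampered or silently rotated file is rejected.

        - name: Installer le keyring Sury (.deb)
          ansible.builtin.apt:
            deb: /tmp/debsuryorg-archive-keyring.deb
            force_apt_get: true
            lock_timeout: 600
          environment:
            DEBIAN_FRONTEND: noninteractive

        - name: Supprimer le .deb téléchargé
          # Do not leave the installer behind in world-readable /tmp.
          ansible.builtin.file:
            path: /tmp/debsuryorg-archive-keyring.deb
            state: absent

        - name: Commenter les anciennes lignes Sury (si présentes)
          # Only one-line "deb ..." / "deb-src ..." entries are handled. A
          # deb822 ".sources" file matched by the grep above would stay
          # active and then be duplicated by the file written below -
          # TODO(review): confirm no such file exists on these hosts.
          ansible.builtin.replace:
            path: "{{ item }}"
            regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
            replace: '# \1'
          loop: "{{ sury_files_to_comment | default([]) }}"
          when: (sury_files_to_comment | default([])) | length > 0

        - name: Recréer une source Sury propre avec signed-by (fichier dédié)
          # signed-by restricts trust in this keyring to this source only.
          ansible.builtin.copy:
            dest: /etc/apt/sources.list.d/sury-php.list
            mode: "0644"
            content: |
              deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main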
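# --------------------------------------------------------------------
# APT update + debug si échec
# --------------------------------------------------------------------
    - name: Mise à jour du cache APT (forcée)
      block:
        - name: apt-get update (timeout + IPv4 + timeouts http)
          # Hard 300 s cap; IPv4 only and short per-connection timeouts so a
          # broken mirror cannot hang the play.
          ansible.builtin.command: >
            timeout 300s apt-get
            -o Acquire::ForceIPv4=true
            -o Acquire::http::Timeout=20
            -o Acquire::https::Timeout=20
            update
          register: apt_update
          changed_when: false
          failed_when: apt_update.rc != 0
      # Exactly one rescue. The task mapping previously carried the "rescue"
      # key twice; most loaders keep only the last one (Ansible warns at
      # best), which was the variant WITHOUT the ForceIPv4/Timeout options,
      # so the debug run did not reproduce the failing command.
      rescue:
        - name: Debug apt-get update
          # Re-run with the same options to capture the tail of apt's output.
          ansible.builtin.shell: |
            apt-get -o Acquire::ForceIPv4=true -o Acquire::http::Timeout=20 -o Acquire::https::Timeout=20 update 2>&1 | tail -n 200
          args:
            executable: /bin/bash
          register: apt_update_debug
          changed_when: false

        - name: Échec explicite avec la sortie apt-get update
          ansible.builtin.fail:
            msg: |
              APT update a échoué sur {{ inventory_hostname }}.
              {{ apt_update_debug.stdout }}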
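# --------------------------------------------------------------------
# Upgrade (avec option pour accepter les downgrades si tu le veux)
# --------------------------------------------------------------------
    - name: Simulation dist-upgrade (détection downgrades)
      # Dry run only (-s); the output is inspected for apt's "DOWNGRADED" section.
      ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
      register: sim
      changed_when: false

    - name: Stopper cet hôte si downgrades détectés
      # Previously the host was ended whenever a downgrade was pending, so the
      # apt_allow_downgrades opt-in announced above could never take effect.
      # Only stop when downgrades are NOT explicitly allowed ("| bool" because
      # values from -e arrive as strings).
      when:
        - sim.stdout is search("DOWNGRADED")
        - not (apt_allow_downgrades | default(false) | bool)
      block:
        - name: Afficher les paquets concernés
          ansible.builtin.debug:
            msg: |
              Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
              Extrait:
              {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}

        - name: Terminer le play pour cet hôte
          ansible.builtin.meta: end_host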
- name: Upgrade des paquets (dist-upgrade) + nettoyage
ansible.builtin.apt:
upgrade: dist
autoremove: true
autoclean: true
force_apt_get: true
lock_timeout: 600
dpkg_options: "force-confdef,force-confold"
allow_downgrade: "{{ apt_allow_downgrades | default(false) }}"
environment:
DEBIAN_FRONTEND: noninteractive