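---
# Debian dist-upgrade with a per-host sudo password taken from an Ansible vault,
# preceded by a repair of the Sury PHP repository (expired signing key, EXPKEYSIG)
# so that the APT cache refresh can succeed.
#
# Review notes on the changes made here:
#   * include_vars and set_fact print their full result at -v and above, so every
#     task that handles the password table now carries no_log: true (the original
#     only protected the final ansible_become_password assignment).
#   * The Sury keyring .deb is a trust root for that repository. It is staged in a
#     root-only directory instead of a predictable name under the world-writable
#     /tmp, can be pinned with sury_keyring_checksum ("sha256:<hex>"), and is
#     removed once installed. Without the checksum the only check is TLS.
#   * The downgrade guard greps apt-get's English "DOWNGRADED" keyword; the
#     simulation now runs with LC_ALL=C, because translated apt output may not
#     contain that keyword and the guard would then be bypassed silently.
#   * apt_allow_downgrades was wired to allow_downgrade but the host was still
#     ended before reaching the upgrade task; the guard now honours the opt-in.
- name: Upgrade Debian avec become_pass dynamique (v2)
  hosts: debians
  gather_facts: false
  become: true
  become_method: sudo

  vars:
    # Root-owned staging path for the keyring package (see notes above).
    sury_keyring_deb: /root/debsuryorg-archive-keyring.deb
    # Path the debsuryorg-archive-keyring package is expected to install; it is
    # verified with stat before any signed-by= entry references it.
    sury_keyring_path: /usr/share/keyrings/debsuryorg-archive-keyring.gpg
    # The single source file managed by this playbook.
    sury_sources_file: /etc/apt/sources.list.d/sury-php.list

  pre_tasks:
    - name: Charger les variables vault (become_passwords)
      ansible.builtin.include_vars:
        file: "../group_vars/all/vault.yml"
        name: vault_secrets
      # The loaded mapping is the whole password table: keep it out of -v output.
      no_log: true

    - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
      ansible.builtin.set_fact:
        _become_map: >-
          {{ vault_secrets.become_passwords
             if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
             else vault_secrets }}
      # set_fact echoes the new fact at -v; this one holds every host's password.
      no_log: true

    - name: Vérifier que le mot de passe existe pour l’hôte courant
      ansible.builtin.assert:
        that:
          - _become_map is mapping
          - inventory_hostname in _become_map
        # Only key names (hostnames) are ever printed, never values. keys() is
        # guarded so that a malformed vault still yields a readable message
        # instead of a templating error inside fail_msg.
        fail_msg: >-
          Mot de passe manquant pour {{ inventory_hostname }}.
          Clés disponibles: {{ (_become_map.keys() | list | sort | join(', '))
                               if _become_map is mapping else '(structure du vault invalide)' }}

    - name: Définir le mot de passe sudo (variable officielle)
      ansible.builtin.set_fact:
        ansible_become_password: "{{ _become_map[inventory_hostname] }}"
      no_log: true

    # Facts are gathered only now, i.e. after the sudo password is in place.
    - name: Charger les facts système (setup)
      ansible.builtin.setup:

  tasks:
    # --------------------------------------------------------------------
    # FIX: Sury repository (packages.sury.org) - expired key (EXPKEYSIG)
    # --------------------------------------------------------------------
    - name: Détecter la présence du dépôt Sury (packages.sury.org/php)
      ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
      register: sury_present
      changed_when: false
      # rc != 0 simply means "not present"; the tasks below key on rc == 0.
      failed_when: false

    - name: Lister les fichiers APT contenant Sury
      ansible.builtin.shell: |
        grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
      register: sury_files
      changed_when: false
      when: sury_present.rc == 0

    # The comment-out step further down only understands one-line "deb ..."
    # entries. A deb822 *.sources file matched by the grep above would keep its
    # (expired-key) entry active and apt update would still fail later with a
    # less useful message, so stop here with an explicit reason.
    - name: Refuser les entrées Sury au format deb822 (*.sources), non gérées ici
      ansible.builtin.fail:
        msg: >-
          Entrée Sury au format deb822 détectée sur {{ inventory_hostname }}
          ({{ item }}) ; ce playbook ne sait commenter que les lignes "deb ...".
      loop: "{{ sury_files.stdout_lines | default([]) }}"
      when:
        - sury_present.rc == 0
        - item.endswith('.sources')

    # Only ca-certificates is needed by the get_url below (TLS validation);
    # curl and lsb-release are not used by any task here but are kept so the
    # resulting host matches the original behaviour.
    - name: Installer les prérequis (curl/ca-certificates/lsb-release)
      ansible.builtin.apt:
        name:
          - curl
          - ca-certificates
          - lsb-release
        state: present
        # The cache may be stale or broken at this point (that is the bug being
        # fixed); install from whatever index is already present.
        update_cache: false
        force_apt_get: true
        lock_timeout: 600
      environment:
        DEBIAN_FRONTEND: noninteractive
      when: sury_present.rc == 0

    - name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
      ansible.builtin.get_url:
        url: https://packages.sury.org/debsuryorg-archive-keyring.deb
        dest: "{{ sury_keyring_deb }}"
        owner: root
        group: root
        mode: "0644"
        # Explicit even though it is the default: this file becomes an APT trust root.
        validate_certs: true
        # Pin the package when its hash is known ("sha256:<hex>"); an unset or
        # empty sury_keyring_checksum leaves the download trusted on TLS alone.
        checksum: "{{ sury_keyring_checksum | default(omit, true) }}"
      when: sury_present.rc == 0

    - name: Installer le keyring Sury (.deb)
      ansible.builtin.apt:
        deb: "{{ sury_keyring_deb }}"
        force_apt_get: true
        lock_timeout: 600
      environment:
        DEBIAN_FRONTEND: noninteractive
      when: sury_present.rc == 0

    - name: Supprimer le .deb du keyring une fois installé
      ansible.builtin.file:
        path: "{{ sury_keyring_deb }}"
        state: absent
      when: sury_present.rc == 0

    # Never write a signed-by= that points at a missing file: apt rejects the
    # whole source and the failure would only surface in the update block.
    - name: Vérifier la présence du keyring Sury installé
      ansible.builtin.stat:
        path: "{{ sury_keyring_path }}"
      register: sury_keyring_stat
      when: sury_present.rc == 0

    - name: Échouer si le keyring Sury est introuvable
      ansible.builtin.assert:
        that:
          - sury_keyring_stat.stat.exists
        fail_msg: "Keyring Sury introuvable après installation: {{ sury_keyring_path }}"
      when: sury_present.rc == 0

    # The file managed by this playbook is excluded from the loop; otherwise a
    # second run would comment it out and immediately recreate it (spurious
    # "changed" on every run).
    - name: Commenter les anciennes lignes Sury (si présentes)
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
        replace: '# \1'
      loop: "{{ sury_files.stdout_lines | default([]) | reject('equalto', sury_sources_file) | list }}"
      when:
        - sury_present.rc == 0
        - (sury_files.stdout | default('')) | length > 0

    - name: Recréer une source Sury propre avec signed-by (fichier dédié)
      ansible.builtin.copy:
        dest: "{{ sury_sources_file }}"
        owner: root
        group: root
        mode: "0644"
        content: |
          deb [signed-by={{ sury_keyring_path }}] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main
      when: sury_present.rc == 0

    # --------------------------------------------------------------------
    # APT update + debug output on failure
    # --------------------------------------------------------------------

    - name: Mise à jour du cache APT (forcée)
      block:
        - name: apt update_cache
          ansible.builtin.apt:
            update_cache: true
            cache_valid_time: 0
            force_apt_get: true
            update_cache_retries: 5
            update_cache_retry_max_delay: 15
            lock_timeout: 600
      rescue:
        # This step only collects output for the fail below; it must never
        # short-circuit the rescue, hence failed_when: false.
        - name: Debug apt-get update
          ansible.builtin.shell: |
            apt-get update 2>&1 | tail -n 200
          args:
            executable: /bin/bash
          register: apt_update_debug
          changed_when: false
          failed_when: false
        - ansible.builtin.fail:
            msg: |
              APT update a échoué sur {{ inventory_hostname }}.
              {{ apt_update_debug.stdout }}

    # --------------------------------------------------------------------
    # Upgrade (set apt_allow_downgrades=true to accept downgrades)
    # --------------------------------------------------------------------

    - name: Simulation dist-upgrade (détection downgrades)
      ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
      register: sim
      changed_when: false
      # The guard below matches the English keyword; force untranslated output
      # so a localized host cannot slip past it.
      environment:
        LC_ALL: C

    - name: Stopper cet hôte si downgrades détectés
      when:
        - sim.stdout is search("DOWNGRADED")
        # Honour the explicit opt-in: with apt_allow_downgrades=true the upgrade
        # task below is allowed to downgrade, so the host must not be ended here.
        - not (apt_allow_downgrades | default(false) | bool)
      block:
        - ansible.builtin.debug:
            msg: |
              Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
              Extrait:
              {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}
        - ansible.builtin.meta: end_host

    - name: Upgrade des paquets (dist-upgrade) + nettoyage
      ansible.builtin.apt:
        upgrade: dist
        autoremove: true
        autoclean: true
        force_apt_get: true
        lock_timeout: 600
        # Keep locally modified config files and take maintainer defaults otherwise.
        dpkg_options: "force-confdef,force-confold"
        allow_downgrade: "{{ apt_allow_downgrades | default(false) | bool }}"
      environment:
        DEBIAN_FRONTEND: noninteractive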