zerwes/aptupgrade.yml

## aptupgrade.yml
---
# vim: tabstop=2 expandtab shiftwidth=2 softtabstop=2 smartindent nu ft=yaml

# run a upgrade and optional
#   check later if the expected version of a desired package is installed
#   run needrestart
#
# example: ansible-playbook -e run_versioncheck=true -e apt_upgrade=full aptupgrade.yml

- name: run apt upgrade
  hosts: all:!local
  gather_facts: "{{ run_versioncheck | bool }}"
  vars:
    apt_cache_valid_time: 0
    apt_upgrade: dist
    dpkg_options: 'force-confold,force-confdef'
    run_needrestart: false
    reboot_if_required: false
    run_versioncheck: false
    check_quiet: true
    check_packages:
      sudo:
        buster: 1.8.27-1+deb10u5
        bullseye: 1.9.5p2-3+deb11u1
      git:
        bullseye: 1:2.30.2-1+deb11u1
        buster: 1:2.20.1-2+deb10u7
  tasks:
    - name: apt upgrade
      ansible.builtin.apt:
        upgrade: "{{ apt_upgrade }}"
        update_cache: yes
        cache_valid_time: "{{ apt_cache_valid_time }}"
        dpkg_options: "{{ dpkg_options }}"
      tags:
        - apt
        - upgrade

    - name: run needrestart the hard way ...
      ansible.builtin.command: needrestart -f noninteractive -r a
      # adjust the condition here to your needs
      # the goal is to avoid restarting all services in a specific case at once
      # this could be important for cluster devices, dns frontend servers, radius servers etc...
      throttle: "{% if 'galeracluster' in group_names %}1{% else %}0{% endif %}"
      when: run_needrestart | bool

    - name: reboot if required ...
      block:
        - name: check if reboot is required ...
          ansible.builtin.command: needrestart -p
          failed_when: false
          ignore_errors: true
          register: _needrestart
          check_mode: false
        - name: needrestart rc
          ansible.builtin.debug:
            var: _needrestart.rc
        - name: reboot
          ansible.builtin.reboot:
          throttle: 1
          when: _needrestart.rc > 0
      when: reboot_if_required | bool

    - name: assert versions ...
      block:
        - name: Gather the package facts
          ansible.builtin.package_facts:
            manager: auto
        - name: report version installed ...
          ansible.builtin.debug:
            var: ansible_facts.packages['{{ item.key }}'][0]['version']
            verbosity: 1
          with_dict: "{{ check_packages }}"
        - name: check version installed ...
          ansible.builtin.assert:
            that: "ansible_facts.packages['{{ item.key }}'][0]['version'] is version_compare('{{ item.value[ansible_distribution_release] }}', '>=')"
            quiet: "{{ check_quiet | bool }}"
            fail_msg: "package {{ item.key }} version {{ ansible_facts.packages[item.key][0]['version'] }} not safe"
            success_msg: "package {{ item.key }} version {{ ansible_facts.packages[item.key][0]['version'] }} is safe"
          with_dict: "{{ check_packages }}"
          loop_control:
            label: "{{ item.key }}"
      when: run_versioncheck | bool
	---
	# vim: tabstop=2 expandtab shiftwidth=2 softtabstop=2 smartindent nu ft=yaml

	# run a upgrade and optional
	# check later if the expected version of a desired package is installed
	# run needrestart
	#
	# example: ansible-playbook -e run_versioncheck=true -e apt_upgrade=full aptupgrade.yml

	- name: run apt upgrade
	hosts: all:!local
	gather_facts: "{{ run_versioncheck \| bool }}"
	vars:
	apt_cache_valid_time: 0
	apt_upgrade: dist
	dpkg_options: 'force-confold,force-confdef'
	run_needrestart: false
	reboot_if_required: false
	run_versioncheck: false
	check_quiet: true
	check_packages:
	sudo:
	buster: 1.8.27-1+deb10u5
	bullseye: 1.9.5p2-3+deb11u1
	git:
	bullseye: 1:2.30.2-1+deb11u1
	buster: 1:2.20.1-2+deb10u7
	tasks:
	- name: apt upgrade
	ansible.builtin.apt:
	upgrade: "{{ apt_upgrade }}"
	update_cache: yes
	cache_valid_time: "{{ apt_cache_valid_time }}"
	dpkg_options: "{{ dpkg_options }}"
	tags:
	- apt
	- upgrade

	- name: run needrestart the hard way ...
	ansible.builtin.command: needrestart -f noninteractive -r a
	# adjust the condition here to your needs
	# the goal is to avoid restarting all services in a specific case at once
	# this could be important for cluster devices, dns frontend servers, radius servers etc...
	throttle: "{% if 'galeracluster' in group_names %}1{% else %}0{% endif %}"
	when: run_needrestart \| bool

	- name: reboot if required ...
	block:
	- name: check if reboot is required ...
	ansible.builtin.command: needrestart -p
	failed_when: false
	ignore_errors: true
	register: _needrestart
	check_mode: false
	- name: needrestart rc
	ansible.builtin.debug:
	var: _needrestart.rc
	- name: reboot
	ansible.builtin.reboot:
	throttle: 1
	when: _needrestart.rc > 0
	when: reboot_if_required \| bool

	- name: assert versions ...
	block:
	- name: Gather the package facts
	ansible.builtin.package_facts:
	manager: auto
	- name: report version installed ...
	ansible.builtin.debug:
	var: ansible_facts.packages['{{ item.key }}'][0]['version']
	verbosity: 1
	with_dict: "{{ check_packages }}"
	- name: check version installed ...
	ansible.builtin.assert:
	that: "ansible_facts.packages['{{ item.key }}'][0]['version'] is version_compare('{{ item.value[ansible_distribution_release] }}', '>=')"
	quiet: "{{ check_quiet \| bool }}"
	fail_msg: "package {{ item.key }} version {{ ansible_facts.packages[item.key][0]['version'] }} not safe"
	success_msg: "package {{ item.key }} version {{ ansible_facts.packages[item.key][0]['version'] }} is safe"
	with_dict: "{{ check_packages }}"
	loop_control:
	label: "{{ item.key }}"
	when: run_versioncheck \| bool