debian.ansible.autoupdate/autoupdate.yml

---
- name: Autoupdate
  hosts: all
  tasks:

    - name: Create updates dir /usr/local/sbin/autoupdate.d
      ansible.builtin.file:
        path: /usr/local/sbin/autoupdate.d
        owner: root
        group: root
        state: directory
        mode: "0700"

    - name: /usr/local/sbin/autoupdate.sh
      blockinfile:
        path: /usr/local/sbin/autoupdate.sh
        mode: "0500"
        owner: root
        group: root
        create: yes
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          . /etc/bash/gaboshlib.include
          g_nice
          g_lockfile
          g_all-to-syslog
          DISPLAY=""
          set -o pipefail
          for update in $(find /usr/local/sbin/autoupdate.d -name "*.update" -type f | sort)
          do
            g_echo "Running: $update"
            . "$update"
            #sleep 60
          done
        backup: yes
        validate: /bin/bash -n %s

    - name: /usr/local/sbin/autoupdate.sh shebang
      lineinfile:
        path: /usr/local/sbin/autoupdate.sh
        insertbefore: BOF
        line: "#!/bin/bash"

    - name: /usr/local/sbin/autoupdate.d/debian.update
      blockinfile:
        path: /usr/local/sbin/autoupdate.d/debian.update
        mode: "0400"
        owner: root
        group: root
        create: yes
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          g_echo_ok "Checking for systemupdates"
          apt-get update || g_echo_error "apt-get update fehlgeschlagen"
          if ! hostname | grep -q ".mint."
          then
            if ! apt-get -s dist-upgrade 2>&1 | sed -e "s/'/'\\\\''/g; 1s/^/'/; \$s/\$/'/" | tee $g_tmp/sys-updatelist | egrep "^0.+, 0 .+, 0 .+ 0 .+\."
            then
              g_echo_warn "Systemupdate wird eingespielt: $(cat $g_tmp/sys-updatelist)"
              DEBIAN_FRONTEND=noninteractive apt-get -yy dist-upgrade | sed -e "s/'/'\\\\''/g; 1s/^/'/; \$s/\$/'/" | tee $g_tmp/sys-update || g_echo_error "apt-get -yy dist-upgrade failed $($g_tmp/sys-update)"
              DEBIAN_FRONTEND=noninteractive needrestart -b -r a | egrep -q "^NEEDRESTART-KSTA: [2|3]" && g_echo_warn "Server Reboot benötigt"
              g_echo_warn $(DEBIAN_FRONTEND=noninteractive apt-get -yy --purge autoremove 2>&1 | egrep -A10 "^The following packages will be REMOVED:")
              DEBIAN_FRONTEND=noninteractive apt-get -yy autoclean
              g_echo_warn $(find /etc -name '.dpkg-' -o -name '.ucf-' -o -name '*.merge-error')
              DEBIAN_FRONTEND=noninteractive apt-get purge '~o'
              # sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
              # sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list.d/*
              # sed -i 's/non-free/non-free non-free-firmware/g' /etc/apt/sources.list
              # sed -i 's/non-free/non-free non-free-firmware/g' /etc/apt/sources.list.d/*
              # DEBIAN_FRONTEND=noninteractive apt-get -yy upgrade --without-new-pkgs
              # DEBIAN_FRONTEND=noninteractive apt-get -yy full-upgrade
            fi
          fi
          [ -x /usr/bin/flatpak ] && flatpak update --system --noninteractive --force-remove
        backup: yes
        validate: /bin/bash -n %s

    - name: /usr/local/sbin/autoupdate.d/server.update
      blockinfile:
        path: /usr/local/sbin/autoupdate.d/server.update
        mode: "0400"
        owner: root
        group: root
        create: yes
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          # Server-Config in Git
          cd /root
          [ -d /root/server-$(hostname -s) ] && rm -r /root/server-$(hostname -s)
          git clone ssh://git@gitea.ds9.dedyn.io:333/olli/server-$(hostname -s).git >/dev/null 2>&1
          if [ -e /root/server-$(hostname -s)/$(hostname -s).sh ] 
          then
            bash -x /root/server-$(hostname -s)/$(hostname -s).sh >/var/log/server-$(hostname -s)-update.log 2>&1
            g_echo_warn "$(egrep -B1 "^changed" /var/log/server-$(hostname -s)-update.log)"
            g_echo_error "$(egrep -q -B1 -i '^error|^fatal' /var/log/server-$(hostname -s)-update.log && egrep -B50 '^error|^fatal' /var/log/server-$(hostname -s)-update.log)" 
          else
            g_echo "no server-update-script found /root/server-$(hostname -s)/$(hostname -s).sh"
          fi
          [ -x /usr/local/sbin/mint-config-update.sh ] && /usr/local/sbin/mint-config-update.sh
        backup: yes
        validate: /bin/bash -n %s

    - name: /usr/local/sbin/autoupdate.d/client.update
      blockinfile:
        path: /usr/local/sbin/autoupdate.d/client.update
        mode: "0400"
        owner: root
        group: root
        create: yes
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          # individual update script
          updatesrv="update.$(domainname -d)"
          if host ${updatesrv} >/dev/null 2>&1
          then
            [ -s /etc/mymac ] || ip addr show $(ip route list | grep default | cut -d" " -f5) | grep "link/ether " | perl -pe 's/.*link\/ether //; s/:/-/g' | cut -d" " -f1 >/etc/mymac
            mac=$(cat /etc/mymac)
            usr=$(getent passwd 1000 | cut -d: -f1)
            hst=$(hostname | cut -d. -f1 | perl -pe 's/ //g')
            curl -s https://update.$(domainname -f)/${mac}--${usr}--${hst}.sh >${g_tmp}/update.sh
            head -n1 ${g_tmp}/update.sh | grep -q "^#!/bin/bash" && bash ${g_tmp}/update.sh
          fi
        backup: yes
        validate: /bin/bash -n %s

    - name: /etc/cron.d/autoupdate_local
      blockinfile:
        path: /etc/cron.d/autoupdate_local
        mode: "0400"
        owner: root
        group: root
        create: yes
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          ## Auto-Update
          5 6 * * * root /usr/local/sbin/autoupdate.sh
        backup: yes