From a720d67f2c69192cb9d9bd26287b8ef9a180cc81 Mon Sep 17 00:00:00 2001 From: Colin Copeland Date: Wed, 15 Feb 2023 16:20:31 -0500 Subject: [PATCH] Add `os_updates` role (#43) Co-authored-by: Tobias McNulty --- README.md | 22 ++++++++++++ roles/os_updates/defaults/main.yml | 6 ++++ roles/os_updates/tasks/main.yml | 54 ++++++++++++++++++++++++++++++ 3 files changed, 82 insertions(+) create mode 100644 roles/os_updates/defaults/main.yml create mode 100644 roles/os_updates/tasks/main.yml diff --git a/README.md b/README.md index 89e947b..8f96d1a 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,28 @@ roles: src: https://github.com/Oefenweb/ansible-postfix ``` +## `hosting_services.os_updates` + +Runs operating system updates and reboots the server, if needed. + +```yaml +# playbook.yaml +- hosts: all + become: yes + tags: os_updates + roles: + - caktus.hosting_services.os_updates +``` + +```yaml +# vars file +aws_profile: "" + +os_updates_reboot: true +os_updates_salt_hold: false +os_updates_ec2_instances: false +``` + ## `hosting_services.rsyslog_forwarding` Forwards logs to an external syslog server via rsyslog. diff --git a/roles/os_updates/defaults/main.yml b/roles/os_updates/defaults/main.yml new file mode 100644 index 0000000..9b9e1f7 --- /dev/null +++ b/roles/os_updates/defaults/main.yml @@ -0,0 +1,6 @@ +--- +aws_profile: "" + +os_updates_reboot: false +os_updates_salt_hold: false +os_updates_ec2_instances: false diff --git a/roles/os_updates/tasks/main.yml b/roles/os_updates/tasks/main.yml new file mode 100644 index 0000000..b611a47 --- /dev/null +++ b/roles/os_updates/tasks/main.yml 
@@ -0,0 +1,54 @@
+---
+- name: Hold salt packages
+ shell: "echo {{ item }} hold | sudo dpkg --set-selections"
+ loop:
+ - salt-common
+ - salt-master
+ - salt-minion
+ tags: os_updates
+ when: os_updates_salt_hold
+
+- name: Remove useless packages from the cache
+ apt:
+ autoclean: yes
+ tags: os_updates
+
+# clean out old kernels to make room in /boot before an upgrade
+- name: Remove dependencies that are no longer required
+ apt:
+ autoremove: yes
+ tags: os_updates
+
+- name: Run updates
+ apt:
+ upgrade: dist
+ cache_valid_time: 3600
+ tags: os_updates
+
+- name: Check if a reboot is required
+ register: needs_reboot
+ stat:
+ path: /var/run/
+ get_md5: no
+ changed_when: needs_reboot.stat.exists
+ when: os_updates_reboot
+
+- debug:
+ msg: "{{ ansible_host }} : scheduled for reboot"
+ when: os_updates_reboot and needs_reboot.stat.exists
+
+- name: Rebooting
+ reboot:
+ msg: "rebooting {{ ansible_host }}"
+ when: os_updates_reboot and needs_reboot.stat.exists and not os_updates_ec2_instances
+
+# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-reboot.html
+- name: Rebooting via Amazon EC2 API
+ community.aws.ec2_instance:
+ state: restarted
+ instance_ids:
+ - "{{ hostvars[inventory_hostname].instance_id }}"
+ profile: "{{ aws_profile }}"
+ become: no
+ delegate_to: 127.0.0.1
+ when: os_updates_reboot and needs_reboot.stat.exists and os_updates_ec2_instances
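Review bot: As shown, `path: /var/run/` in "Check if a reboot is required" stats a directory that always exists, so `needs_reboot.stat.exists` is always true and every run with `os_updates_reboot` set reboots the host whether or not the upgrade asked for it; if the Debian/Ubuntu marker file was meant, the line should read `path: /var/run/reboot-required`. The "Hold salt packages" task calls `sudo` inside `shell`, which depends on passwordless sudo on the target rather than the play's `become` settings and reports changed on every run; the builtin `dpkg_selections` module with `name: "{{ item }}"` and `selection: hold` sets the same hold idempotently. The EC2 API reboot is delegated to 127.0.0.1 and nothing after it waits for the managed host to answer again, so a `wait_for_connection` task under the same `when` would keep later roles from running against a host that is still restarting.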