From 66f09bac8cf95424f9ea1ae448103044a8787020 Mon Sep 17 00:00:00 2001
From: Roger Leigh <rleigh@dundee.ac.uk>
Date: Fri, 7 Apr 2017 16:10:07 +0100
Subject: [PATCH] ansible: Add roles to upgrade systems

roles/system-base-update: Update base operating system; will
update FreeBSD, Linux (Debian/Ubuntu, RedHat/CentOS), MacOS X
and Windows systems

roles/system-package-update: Update packages using package manager
on systems with a package manager; will update FreeBSD (pkgng),
Linux (apt, yum) and MacOS X (homebrew).  Similar to the base
update for apt and yum, though apt is more conservative here
(safe upgrade only, no new kernel packages etc.).

system-update: New playbook which runs both the above roles.
---
 ansible/roles/system-base-update/README.md    | 24 +++++++++++++++++++
 .../system-base-update/defaults/main.yml      |  2 ++
 .../roles/system-base-update/meta/main.yml    |  1 +
 .../roles/system-base-update/tasks/darwin.yml |  4 ++++
 .../roles/system-base-update/tasks/debian.yml |  8 +++++++
 .../system-base-update/tasks/freebsd.yml      | 12 ++++++++++
 .../roles/system-base-update/tasks/main.yml   | 20 ++++++++++++++++
 .../roles/system-base-update/tasks/redhat.yml |  5 ++++
 .../system-base-update/tasks/windows.yml      |  8 +++++++
 ansible/roles/system-package-update/README.md | 20 ++++++++++++++++
 .../system-package-update/defaults/main.yml   |  2 ++
 .../roles/system-package-update/meta/main.yml |  1 +
 .../roles/system-package-update/tasks/apt.yml |  8 +++++++
 .../system-package-update/tasks/homebrew.yml  | 14 +++++++++++
 .../system-package-update/tasks/main.yml      | 20 ++++++++++++++++
 .../system-package-update/tasks/pkgng.yml     | 12 ++++++++++
 .../roles/system-package-update/tasks/yum.yml |  5 ++++
 ansible/system-update.yml                     |  8 +++++++
 18 files changed, 174 insertions(+)
 create mode 100644 ansible/roles/system-base-update/README.md
 create mode 100644 ansible/roles/system-base-update/defaults/main.yml
 create mode 100644 ansible/roles/system-base-update/meta/main.yml
 create mode 100644 ansible/roles/system-base-update/tasks/darwin.yml
 create mode 100644 ansible/roles/system-base-update/tasks/debian.yml
 create mode 100644 ansible/roles/system-base-update/tasks/freebsd.yml
 create mode 100644 ansible/roles/system-base-update/tasks/main.yml
 create mode 100644 ansible/roles/system-base-update/tasks/redhat.yml
 create mode 100644 ansible/roles/system-base-update/tasks/windows.yml
 create mode 100644 ansible/roles/system-package-update/README.md
 create mode 100644 ansible/roles/system-package-update/defaults/main.yml
 create mode 100644 ansible/roles/system-package-update/meta/main.yml
 create mode 100644 ansible/roles/system-package-update/tasks/apt.yml
 create mode 100644 ansible/roles/system-package-update/tasks/homebrew.yml
 create mode 100644 ansible/roles/system-package-update/tasks/main.yml
 create mode 100644 ansible/roles/system-package-update/tasks/pkgng.yml
 create mode 100644 ansible/roles/system-package-update/tasks/yum.yml
 create mode 100644 ansible/system-update.yml

diff --git a/ansible/roles/system-base-update/README.md b/ansible/roles/system-base-update/README.md
new file mode 100644
index 000000000..d64665cdd
--- /dev/null
+++ b/ansible/roles/system-base-update/README.md
@@ -0,0 +1,24 @@
+System base update
+==================
+
+Update the base operating system components.  Supports the native
+update mechanisms for:
+
+- FreeBSD (freebsd-update)
+- Linux/RedHat (yum)
+- Linux/Debian (apt)
+- MacOS X (softwareupdate)
+- Windows
+
+Note that on systems with a package manager, this may update packages
+in addition to the base system.
+
+Requirements
+------------
+
+None.
+
+Author Information
+------------------
+
+ome-devel@lists.openmicroscopy.org.uk
diff --git a/ansible/roles/system-base-update/defaults/main.yml b/ansible/roles/system-base-update/defaults/main.yml
new file mode 100644
index 000000000..858c8da8f
--- /dev/null
+++ b/ansible/roles/system-base-update/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# Defaults
diff --git a/ansible/roles/system-base-update/meta/main.yml b/ansible/roles/system-base-update/meta/main.yml
new file mode 100644
index 000000000..ed97d539c
--- /dev/null
+++ b/ansible/roles/system-base-update/meta/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible/roles/system-base-update/tasks/darwin.yml b/ansible/roles/system-base-update/tasks/darwin.yml
new file mode 100644
index 000000000..055fb919d
--- /dev/null
+++ b/ansible/roles/system-base-update/tasks/darwin.yml
@@ -0,0 +1,4 @@
+---
+- name: Update MacOS X base system
+  raw: softwareupdate -i -a
+  become: yes
diff --git a/ansible/roles/system-base-update/tasks/debian.yml b/ansible/roles/system-base-update/tasks/debian.yml
new file mode 100644
index 000000000..6b6d0d4d6
--- /dev/null
+++ b/ansible/roles/system-base-update/tasks/debian.yml
@@ -0,0 +1,8 @@
+---
+- name: Update Debian APT repositories
+  apt:
+    update_cache: yes
+
+- name: Upgrade Debian packages
+  apt:
+    upgrade: dist
diff --git a/ansible/roles/system-base-update/tasks/freebsd.yml b/ansible/roles/system-base-update/tasks/freebsd.yml
new file mode 100644
index 000000000..cf1b247d9
--- /dev/null
+++ b/ansible/roles/system-base-update/tasks/freebsd.yml
@@ -0,0 +1,12 @@
+---
+- name: Fetch new FreeBSD updates
+  command: freebsd-update fetch --not-running-from-cron
+  register: result_update
+  changed_when: "'No updates needed' not in result_update.stdout"
+  become: yes
+
+- name: Install FreeBSD updates
+  command: freebsd-update install
+  when: ansible_distribution == 'FreeBSD' and result_update.changed
+  register: result_update_install
+  become: yes
diff --git a/ansible/roles/system-base-update/tasks/main.yml b/ansible/roles/system-base-update/tasks/main.yml
new file mode 100644
index 000000000..d9138fe8b
--- /dev/null
+++ b/ansible/roles/system-base-update/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- include: darwin.yml
+  when: ansible_os_family == 'Darwin'
+  tags: package
+
+- include: debian.yml
+  when: ansible_os_family == 'Debian'
+  tags: package
+
+- include: freebsd.yml
+  when: ansible_os_family == 'FreeBSD'
+  tags: package
+
+- include: redhat.yml
+  when: ansible_os_family == 'RedHat'
+  tags: package
+
+- include: windows.yml
+  when: ansible_os_family == 'Windows'
+  tags: package
diff --git a/ansible/roles/system-base-update/tasks/redhat.yml b/ansible/roles/system-base-update/tasks/redhat.yml
new file mode 100644
index 000000000..6af44a9ce
--- /dev/null
+++ b/ansible/roles/system-base-update/tasks/redhat.yml
@@ -0,0 +1,5 @@
+---
+- name: Upgrade all RPM packages
+  yum:
+    name: '*'
+    state: latest
diff --git a/ansible/roles/system-base-update/tasks/windows.yml b/ansible/roles/system-base-update/tasks/windows.yml
new file mode 100644
index 000000000..db7508e08
--- /dev/null
+++ b/ansible/roles/system-base-update/tasks/windows.yml
@@ -0,0 +1,8 @@
+---
+# Install all security, critical, and rollup updates
+- name: Install Windows updates
+  win_updates:
+    category_names:
+      - SecurityUpdates
+      - CriticalUpdates
+      - UpdateRollups
diff --git a/ansible/roles/system-package-update/README.md b/ansible/roles/system-package-update/README.md
new file mode 100644
index 000000000..fc2f861f9
--- /dev/null
+++ b/ansible/roles/system-package-update/README.md
@@ -0,0 +1,20 @@
+System package update
+=====================
+
+Update packages with the system package manager.  Supports the
+following systems:
+
+- FreeBSD (pkgng)
+- Linux/RedHat (yum)
+- Linux/Debian (apt)
+- MacOS X (homebrew)
+
+Requirements
+------------
+
+None.
+
+Author Information
+------------------
+
+ome-devel@lists.openmicroscopy.org.uk
diff --git a/ansible/roles/system-package-update/defaults/main.yml b/ansible/roles/system-package-update/defaults/main.yml
new file mode 100644
index 000000000..858c8da8f
--- /dev/null
+++ b/ansible/roles/system-package-update/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# Defaults
diff --git a/ansible/roles/system-package-update/meta/main.yml b/ansible/roles/system-package-update/meta/main.yml
new file mode 100644
index 000000000..ed97d539c
--- /dev/null
+++ b/ansible/roles/system-package-update/meta/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible/roles/system-package-update/tasks/apt.yml b/ansible/roles/system-package-update/tasks/apt.yml
new file mode 100644
index 000000000..0374855c2
--- /dev/null
+++ b/ansible/roles/system-package-update/tasks/apt.yml
@@ -0,0 +1,8 @@
+---
+- name: Update Debian APT repositories
+  apt:
+    update_cache: yes
+
+- name: Upgrade Debian packages
+  apt:
+    upgrade: safe
diff --git a/ansible/roles/system-package-update/tasks/homebrew.yml b/ansible/roles/system-package-update/tasks/homebrew.yml
new file mode 100644
index 000000000..065523451
--- /dev/null
+++ b/ansible/roles/system-package-update/tasks/homebrew.yml
@@ -0,0 +1,14 @@
+---
+- name: Update and upgrade homebrew packages
+  homebrew:
+    update_homebrew: yes
+    upgrade_all: yes
+
+- name: Clean up homebrew
+  command: brew cleanup
+
+- name: Prune stale homebrew links
+  command: brew prune
+
+- name: Check homebrew for problems
+  command: brew doctor
diff --git a/ansible/roles/system-package-update/tasks/main.yml b/ansible/roles/system-package-update/tasks/main.yml
new file mode 100644
index 000000000..52cad93b1
--- /dev/null
+++ b/ansible/roles/system-package-update/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- include: homebrew.yml
+  when: ansible_pkg_mgr == 'homebrew'
+  tags: package
+  become: true
+  become_user: "{{homebrew_user}}"
+  environment:
+    PATH: "/usr/local/bin:/usr/local/sbin:{{ ansible_env.PATH }}"
+
+- include: apt.yml
+  when: ansible_pkg_mgr == 'apt'
+  tags: package
+
+- include: pkgng.yml
+  when: ansible_pkg_mgr == 'pkgng'
+  tags: package
+
+- include: yum.yml
+  when: ansible_pkg_mgr == 'yum'
+  tags: package
diff --git a/ansible/roles/system-package-update/tasks/pkgng.yml b/ansible/roles/system-package-update/tasks/pkgng.yml
new file mode 100644
index 000000000..21c4758c2
--- /dev/null
+++ b/ansible/roles/system-package-update/tasks/pkgng.yml
@@ -0,0 +1,12 @@
+---
+- name: Update FreeBSD package list
+  command: pkg update -q
+  become: yes
+
+- name: Upgrade FreeBSD packages
+  command: pkg upgrade -y
+  become: yes
+
+- name: Clean FreeBSD package cache
+  command: pkg clean -qy
+  become: yes
diff --git a/ansible/roles/system-package-update/tasks/yum.yml b/ansible/roles/system-package-update/tasks/yum.yml
new file mode 100644
index 000000000..6af44a9ce
--- /dev/null
+++ b/ansible/roles/system-package-update/tasks/yum.yml
@@ -0,0 +1,5 @@
+---
+- name: Upgrade all RPM packages
+  yum:
+    name: '*'
+    state: latest
diff --git a/ansible/system-update.yml b/ansible/system-update.yml
new file mode 100644
index 000000000..e87d4b199
--- /dev/null
+++ b/ansible/system-update.yml
@@ -0,0 +1,8 @@
+---
+# Apply operating system and package updates
+
+- hosts: all
+  roles:
+    - role: system-base-update
+    - role: system-package-update
+