Ansible playbook to upgrade Ubuntu/Debian servers and reboot if needed

I realized I've never posted this playbook to my blog... I needed to grab it for a project I'm working on, so I figured I'd post it here for future reference.

Basically, I need a playbook I can run whenever, that ensures all packages are upgraded, then checks whether a reboot is required and, if so, reboots the server. Afterwards, it removes any dependencies that are no longer required.

---
- hosts: all
  gather_facts: yes
  become: yes

  tasks:
    - name: Perform a dist-upgrade.
      ansible.builtin.apt:
        upgrade: dist
        update_cache: yes   # refresh the package index first, so the upgrade sees current versions

    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required   # flag file written by kernel/libc package hooks
        get_checksum: no   # get_md5 was removed from the stat module; get_checksum is the supported way to skip hashing
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists

    - name: Remove dependencies that are no longer required.
      ansible.builtin.apt:
        autoremove: yes

Comments

This might reboot Ubuntu servers where not applicable (those running the Canonical Livepatch service) and misses needed reboots on UCS servers (Univention Corporate Server, a groupware server based on Debian and most probably not known outside of Europe/Germany).

That's why I ended up writing my own check of whether Ubuntu/Debian servers really need a reboot or not :)

https://github.com/ThomasKaiser/Check_MK/blob/master/mrpe/check-for-reb…

Do you have any good solutions for notifying the admin that a reboot is needed instead of blindly rebooting?

I have some servers that are a bit more reboot-sensitive, but I have not found a good solution.

Yeah that could work.

I already use Telegram-bots for Nagios notifications and found the community.general.telegram module for Ansible.
So I just added a task that sends me a Telegram message when a server should be rebooted.
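A gated version of the playbook from the post, added here as an example and not code from the post or from either commenter: it still upgrades and autoremoves, but by default only reports that a reboot is pending (with the package list Ubuntu writes next to the flag file) and reboots only when the run is started with `-e allow_reboot=true`. The `serial: 1`, `allow_reboot` variable and the `debug` task standing in for a mail or Telegram notification are assumptions of this example, not anything the page specifies.

```yaml
---
# Added example (not the post's or the commenters' code): same upgrade flow,
# but the reboot is gated behind an extra var and the "reboot needed" state is
# reported instead of acted on by default.
#   ansible-playbook upgrade.yml                      -> upgrade + report only
#   ansible-playbook upgrade.yml -e allow_reboot=true -> upgrade + reboot if needed
- hosts: all
  gather_facts: yes
  become: yes
  serial: 1                      # assumption: one host at a time, so a fleet never reboots all at once

  vars:
    allow_reboot: false          # overridden with -e allow_reboot=true

  tasks:
    - name: Perform a dist-upgrade.
      ansible.builtin.apt:
        upgrade: dist
        update_cache: yes

    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_checksum: no
      register: reboot_required_file

    - name: Read which packages asked for the reboot (Ubuntu writes this list next to the flag; it may be absent elsewhere).
      ansible.builtin.slurp:
        src: /var/run/reboot-required.pkgs
      register: reboot_pkgs
      when: reboot_required_file.stat.exists
      failed_when: false         # a missing .pkgs file is not an error

    - name: Report a pending reboot instead of acting on it.
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }} needs a reboot
          (packages: {{ (reboot_pkgs.content | default('') | b64decode).split() | join(', ') }}).
          Re-run with -e allow_reboot=true to reboot it.
      when: reboot_required_file.stat.exists and not (allow_reboot | bool)
      # a community.general.mail or community.general.telegram task would replace debug here

    - name: Reboot the server (only when explicitly allowed).
      ansible.builtin.reboot:
        reboot_timeout: 600      # seconds to wait for the host to come back before failing
      when: reboot_required_file.stat.exists and (allow_reboot | bool)

    - name: Remove dependencies that are no longer required.
      ansible.builtin.apt:
        autoremove: yes
```

The report task depends on the same `/var/run/reboot-required` flag as the original playbook, so it inherits the flag's blind spots mentioned in the first comment; the gate only changes who decides when the reboot happens, not how the need for one is detected.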

What about the /etc/apt/sources.list file? Shouldn't that be updated to reflect the new debian/ubuntu version?

IMO, this has to be added. At least I built a more complex role for this. Consider checking the Debian wiki [0]. Also, I am sending notifications using plain old email using `community.general.mail` [1].

[0]: https://wiki.debian.org/DebianUpgrade
[1]: https://docs.ansible.com/ansible/latest/collections/community/general/mail_module.html

*edit:* can't paste links...