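---
# Security-only patching play for mixed Red Hat-family / Debian-family hosts.
# Flow: classify the host and pick its repository directory -> park every repo
# file except the distribution's own one in backup_repo/ -> apply security
# updates only (dnf --security, or a filtered apt dist-upgrade) -> Debian
# cleanup -> subscription-manager fact refresh -> reboot.
- hosts: all
  tasks:
    - name: "Verifier le système d'exploitation"
      # NOTE(review): 'RedHat' and 'CentOS' land in is_centos, which no task below
      # consumes, so those hosts get no dnf security update from this play —
      # confirm whether the dnf task should be `when: is_rhel or is_centos`.
      ansible.builtin.set_fact:
        is_rhel: "{{ ansible_distribution in ['Rocky', 'AlmaLinux', 'Fedora'] }}"
        is_debian: "{{ ansible_distribution in ['Debian', 'Ubuntu'] }}"
        is_centos: "{{ ansible_distribution in ['CentOS', 'RedHat'] }}"
        # The trailing slash is relied on by the "{{ repo_path }}backup_repo" concatenations below.
        repo_path: "{{ '/etc/yum.repos.d/' if ansible_os_family == 'RedHat' else '/etc/apt/sources.list.d/' }}"
        depot_filename: "{{ 'redhat.repo' if ansible_os_family == 'RedHat' else 'ubuntu.list' }}"

    - name: "Créer le répertoire de sauvegarde"
      ansible.builtin.file:
        path: "{{ repo_path }}backup_repo"
        state: directory
        mode: '0755'

    - name: "Lister les fichiers à déplacer (exclure redhat.repo)"
      # Only regular files are collected; the distribution's own repo file and
      # the backup directory are left in place.
      ansible.builtin.find:
        paths: "{{ repo_path }}"
        patterns: '*'
        file_type: file
        excludes:
          - '{{ depot_filename }}'
          - 'backup_repo'
      register: files_to_move

    - name: Déplacer les fichiers vers backup_repo
      # argv passes each path as one argument, so a file name containing
      # whitespace cannot be split into several mv operands.
      ansible.builtin.command:
        argv:
          - mv
          - "{{ item.path }}"
          - "{{ repo_path }}backup_repo/"
      loop: "{{ files_to_move.files }}"
      when: files_to_move.files | length > 0

    - name: "Mettre à jour uniquement les patchs de sécurité - RHEL"
      # security-only: advisories flagged as security, bugfix-only updates skipped.
      ansible.builtin.dnf:
        name: "*"
        security: true
        bugfix: false
        state: latest
      when: is_rhel

    - name: "Clean repo list Ubuntu"
      ansible.builtin.apt:
        clean: true
      when: is_debian

    - name: "Update repo list Ubuntu"
      ansible.builtin.apt:
        update_cache: true
      when: is_debian

    - name: "Resolve Unmet dependencies"
      ansible.builtin.shell: apt install --fix-broken -y
      when: is_debian

    - name: "Remove dependencies that are no longer required"
      ansible.builtin.shell: export TMPDIR=/root && apt-get -o DPkg::Options::=--force-confdef autoremove -y
      when: is_debian

    - name: "Remove old kernel modules that are no longer required"
      # "rc" rows in dpkg -l are packages already removed but not yet purged.
      ansible.builtin.shell: apt purge $(dpkg -l | grep "^rc\s*linux" | awk '{print $2}') -y -f
      when: is_debian

    - name: "Purge old kernel modules that are no longer required"
      # Mark every manually-installed linux-* package as auto so autoremove may
      # drop the kernels that are no longer needed.
      ansible.builtin.shell: |-
        for f in $(apt-mark showmanual | grep linux-); do apt-mark auto $f; done; apt-get -y autoremove --purge -f
      when: is_debian

    - name: "Remove package cloud-init"
      ansible.builtin.apt:
        name: cloud-init
        state: absent
        purge: true
      when: is_debian

    - name: "Exécuter uniquement les mises à jour de sécurité - Debian/Ubuntu"
      # Dry-run dist-upgrade, keep only the "Inst" lines whose origin mentions
      # a security pocket, then install exactly those packages. `xargs -r`
      # skips the install entirely when the filtered list is empty.
      ansible.builtin.shell: |-
        export TMPDIR=/root && apt-get -o DPkg::Options::=--force-confdef -s dist-upgrade | grep "^Inst" | grep -i securi | awk -F " " {'print $2'} | xargs -r apt-get install -y --fix-broken
      when: is_debian

    - name: "Remontée des informations système"
      # subscription-manager is Red Hat's entitlement tool and is absent on
      # Debian/Ubuntu, where an unconditional run fails the play. It may also be
      # missing on Rocky/AlmaLinux/Fedora — verify on those hosts.
      ansible.builtin.shell: subscription-manager facts --update && subscription-manager refresh
      when: ansible_os_family == 'RedHat'

    - name: "Planifier le redémarrage"
      ansible.builtin.reboot:
        msg: "Redémarrage programmé suite au patching de sécurité"
        pre_reboot_delay: 120
        reboot_timeout: 420
        # The post-reboot probe must exist on the host; whoami (the module's
        # default) is used where subscription-manager is not available.
        test_command: "{{ 'subscription-manager facts --update' if ansible_os_family == 'RedHat' else 'whoami' }}"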