Added pfsense upgrade roles

2026-04-27 13:15:56 -07:00
parent 1e26dd304b
commit 03e889051e
35 changed files with 956 additions and 8 deletions
--- a/roles/pfsense_upgrade/tasks/update_check.yml
+++ b/roles/pfsense_upgrade/tasks/update_check.yml
@@ -0,0 +1,149 @@
+---
+# roles/pfsense_upgrade/tasks/update_check.yml
+# Checks for available upgrades using pfSense-upgrade -c and pkg version.
+# Also queries upstream for the latest stable release on this branch.
+
+# ---------------------------------------------------------------------------
+# 1. Refresh the local pkg repository metadata
+# ---------------------------------------------------------------------------
+- name: Update pkg repository metadata
+  ansible.builtin.raw: pkg update -f 2>&1
+  register: _pkg_update
+  changed_when: false
+  when: pkg_repo_update | bool
+  timeout: "{{ upgrade_check_timeout }}"
+
+# ---------------------------------------------------------------------------
+# 2. Run pfSense-upgrade in check-only mode
+# ---------------------------------------------------------------------------
+- name: Run pfSense-upgrade --check (dry run)
+  ansible.builtin.raw: >
+    {{ pfsense_upgrade_bin }} -d -c 2>&1
+  register: _upgrade_check
+  changed_when: false
+  timeout: "{{ upgrade_check_timeout }}"
+  # pfSense-upgrade exits 0 when up-to-date, non-zero when upgrade available.
+  # We capture both cases.
+  failed_when: false
+
+- name: Parse upgrade check output
+  ansible.builtin.set_fact:
+    upgrade_check_stdout: "{{ _upgrade_check.stdout | trim }}"
+    upgrade_check_rc: "{{ _upgrade_check.rc }}"
+    # True if the tool reports an update is available
+    upgrade_available: >-
+      {{
+        _upgrade_check.rc != 0 or
+        'Upgraded' in _upgrade_check.stdout or
+        'update' in _upgrade_check.stdout | lower and
+        'up to date' not in _upgrade_check.stdout | lower
+      }}
+    # Attempt to extract the new version string from the upgrade check output
+    # pfSense-upgrade typically prints: "pfSense-upgrade: New version available: 2.7.3-RELEASE"
+    upgrade_available_version: >-
+      {{
+        _upgrade_check.stdout
+        | regex_search('(\d+\.\d+\.\d+[-a-zA-Z0-9]*)', '\1')
+        | first | default('unknown')
+      }}
+
+# ---------------------------------------------------------------------------
+# 3. Check pkg for pending package updates (captures sub-component updates)
+# ---------------------------------------------------------------------------
+- name: Check for pending pkg upgrades (outdated packages)
+  ansible.builtin.raw: pkg version -l '<' 2>&1 | head -40
+  register: _pkg_outdated
+  changed_when: false
+  failed_when: false
+
+- name: Count outdated packages
+  ansible.builtin.set_fact:
+    pkg_outdated_count: "{{ _pkg_outdated.stdout_lines | reject('match', '^\\s*$') | list | length }}"
+    pkg_outdated_list: "{{ _pkg_outdated.stdout | trim }}"
+
+# ---------------------------------------------------------------------------
+# 4. Detect the latest stable release for this branch via GitHub
+# ---------------------------------------------------------------------------
+- name: Fetch latest stable release version from Netgate/pfSense repo
+  ansible.builtin.raw: >
+    fetch -q -o - "{{ pfsense_release_url }}" 2>/dev/null || echo "fetch_failed"
+  register: _upstream_version_raw
+  changed_when: false
+  failed_when: false
+
+- name: Parse upstream latest stable version
+  ansible.builtin.set_fact:
+    upstream_version: "{{ _upstream_version_raw.stdout | trim }}"
+    upstream_fetch_ok: "{{ 'fetch_failed' not in _upstream_version_raw.stdout }}"
+
+- name: Derive upstream branch (major.minor)
+  ansible.builtin.set_fact:
+    upstream_major_minor: >-
+      {{
+        upstream_version
+        | regex_replace('^(\d+\.\d+).*$', '\1')
+        | default(pfsense_major_minor)
+      }}
+  when: upstream_fetch_ok | bool
+
+# ---------------------------------------------------------------------------
+# 5. Compare branches — detect if a newer stable branch exists upstream
+# ---------------------------------------------------------------------------
+- name: Determine if a newer major release branch is available
+  ansible.builtin.set_fact:
+    new_major_release_available: >-
+      {{
+        upstream_fetch_ok | bool and
+        (upstream_major_minor | string) != (pfsense_major_minor | string) and
+        (upstream_major_minor.split('.')[0] | int > pfsense_major_minor.split('.')[0] | int) or
+        (upstream_major_minor.split('.')[0] | int == pfsense_major_minor.split('.')[0] | int and
+         upstream_major_minor.split('.')[1] | int > pfsense_major_minor.split('.')[1] | int)
+      }}
+  when: upstream_fetch_ok | bool
+
+- name: Default new_major_release_available when fetch failed
+  ansible.builtin.set_fact:
+    new_major_release_available: false
+  when: not (upstream_fetch_ok | bool)
+
+# ---------------------------------------------------------------------------
+# 6. Print the full update status report
+# ---------------------------------------------------------------------------
+- name: Display update status report
+  ansible.builtin.debug:
+    msg:
+      - "============================================================"
+      - " Update Status: {{ inventory_hostname }}"
+      - "============================================================"
+      - " Current version  : {{ pfsense_current_version }}"
+      - " Current branch   : {{ pfsense_major_minor }}"
+      - "------------------------------------------------------------"
+      - " In-branch update : {{ 'YES — ' ~ upgrade_available_version if upgrade_available | bool else 'No — already up to date' }}"
+      - " Outdated pkgs    : {{ pkg_outdated_count }} package(s) behind"
+      - "------------------------------------------------------------"
+      - " Upstream latest  : {{ upstream_version if upstream_fetch_ok | bool else 'Could not reach upstream' }}"
+      - " Upstream branch  : {{ upstream_major_minor if upstream_fetch_ok | bool else 'N/A' }}"
+      - " New branch avail : {{ 'YES — ' ~ upstream_version if new_major_release_available | bool else 'No' }}"
+      - "------------------------------------------------------------"
+      - " perform_upgrade  : {{ perform_upgrade | bool }}"
+      - " allow_major_upg  : {{ allow_major_upgrade | bool }}"
+      - "============================================================"
+
+- name: Warn if a new major release branch is available but not allowed
+  ansible.builtin.debug:
+    msg: >
+      WARNING: pfSense {{ upstream_version }} is available on branch {{ upstream_major_minor }},
+      which is newer than your running branch {{ pfsense_major_minor }}.
+      To upgrade across branches, re-run with: -e "perform_upgrade=true allow_major_upgrade=true"
+  when:
+    - new_major_release_available | bool
+    - not (allow_major_upgrade | bool)
+
+- name: Warn if perform_upgrade is false but upgrades are available
+  ansible.builtin.debug:
+    msg: >
+      DRY RUN — upgrades are available but perform_upgrade=false.
+      Re-run with -e "perform_upgrade=true" to apply.
+  when:
+    - (upgrade_available | bool) or (pkg_outdated_count | int > 0)
+    - not (perform_upgrade | bool)