feat: proxmox_upgrade role and playbook

roles/proxmox_upgrade/tasks/upgrade.yml

@@ -0,0 +1,95 @@
+---
+# =============================================================================
+# proxmox_upgrade — upgrade.yml
+# Run apt dist-upgrade and reboot, wait for node to rejoin cluster
+# =============================================================================
+
+- name: Upgrade | Set CEPH noout flag before upgrade
+  ansible.builtin.shell: ceph osd set noout
+  when: ceph_enabled | bool
+  changed_when: true
+
+- name: Upgrade | Run apt update
+  ansible.builtin.shell: apt-get update -q
+  changed_when: false
+
+- name: Upgrade | Run apt dist-upgrade
+  ansible.builtin.shell: "{{ apt_upgrade_cmd }}"
+  register: apt_upgrade_result
+  changed_when: "'0 upgraded' not in apt_upgrade_result.stdout"
+
+- name: Upgrade | Log packages upgraded
+  ansible.builtin.debug:
+    msg: "{{ apt_upgrade_result.stdout_lines | select('match', '.*upgraded.*') | list | first | default('No output') }}"
+
+- name: Upgrade | Run apt autoremove
+  ansible.builtin.shell: DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+  when: apt_autoremove | bool
+  changed_when: false
+
+- name: Upgrade | Check if reboot is required
+  ansible.builtin.stat:
+    path: /var/run/reboot-required
+  register: reboot_required
+
+- name: Upgrade | Log reboot status
+  ansible.builtin.debug:
+    msg: "{{ 'Reboot required — rebooting node' if reboot_required.stat.exists else 'No reboot required — skipping reboot' }}"
+
+- name: Upgrade | Reboot node
+  ansible.builtin.reboot:
+    reboot_timeout: "{{ node_rejoin_timeout }}"
+    msg: "Rebooting for Proxmox upgrade"
+    pre_reboot_delay: 5
+    post_reboot_delay: 30
+  when: reboot_required.stat.exists
+
+# ── Wait for node to rejoin cluster ──────────────────────────────────────────
+- name: Upgrade | Wait for node to appear online in cluster
+  ansible.builtin.uri:
+    url: "https://{{ api_host }}:{{ api_port }}/api2/json/nodes"
+    method: GET
+    headers:
+      Authorization: "PVEAPIToken={{ api_token_id }}={{ api_token_secret }}"
+    validate_certs: false
+  register: nodes_status
+  until: >-
+    nodes_status.json.data
+    | selectattr('node', 'equalto', current_node)
+    | selectattr('status', 'equalto', 'online')
+    | list | length > 0
+  retries: "{{ (node_rejoin_timeout | int / 10) | int }}"
+  delay: 10
+  delegate_to: localhost
+
+- name: Upgrade | Node {{ current_node }} back online
+  ansible.builtin.debug:
+    msg: "Node {{ current_node }} has rejoined the cluster"
+
+# ── CEPH recovery wait ────────────────────────────────────────────────────────
+- name: Upgrade | Wait for CEPH to recover
+  when: ceph_enabled | bool
+  block:
+    - name: Upgrade | CEPH | Wait for HEALTH_OK or HEALTH_WARN
+      ansible.builtin.shell: ceph health
+      register: ceph_health_post
+      until: "'HEALTH_OK' in ceph_health_post.stdout or 'HEALTH_WARN' in ceph_health_post.stdout"
+      retries: "{{ (ceph_recover_timeout | int / 10) | int }}"
+      delay: 10
+      changed_when: false
+
+    - name: Upgrade | CEPH | Clear noout flag
+      ansible.builtin.shell: ceph osd unset noout
+      changed_when: true
+
+    - name: Upgrade | CEPH | Log recovery status
+      ansible.builtin.debug:
+        msg: "CEPH recovered: {{ ceph_health_post.stdout }}"
+
+- name: Upgrade | Node {{ current_node }} upgrade complete
+  ansible.builtin.debug:
+    msg: >-
+      Node {{ current_node }} upgrade complete —
+      {{ apt_upgrade_result.stdout_lines | select('match', '.*upgraded.*') | list | first | default('packages updated') }}
+      {{ '— rebooted' if reboot_required.stat.exists else '— no reboot needed' }}
+