patch-openssl-CVE-2014-0160.yml

---
 - hosts: all
   vars:
     openssl_packages: ["openssl","libssl1.0.0"]
     openssl_impacted_service:
        - nginx
        - apache2
        - postgresql
        - php5-fpm
        - openvpn
        - postfix
        - monit
        - zabbix-server
        - unbound
   tasks:
     - name: ensure openssl is the last version
       apt: pkg={{item}} state=latest update_cache=yes
       register: openssl_updated
       with_items: openssl_packages
       when: ansible_os_family == "Debian" or ansible_os_family == "Linuxmint"

     - name: check if service need to be restarted
       shell: "lsof -n | grep 'DEL.*libssl.so'"
       register: result_check
       failed_when: result_check.stdout.find('unrecognized') != -1 and result_check.rc != 0
       changed_when: result_check.stdout.find('unrecognized') == -1 or result_check.rc == 0
       always_run: yes

     - name: test running services  
       command: "service {{item}} status | grep -i running"
       register: services_status
       with_items: openssl_impacted_service
       when: result_check.rc == 0 or openssl_updated.changed
       ignore_errors: true
       always_run: yes

     - name: restart running service
       service: name={{item.item}} state=restarted
       with_items: services_status.results
       when: (result_check.rc == 0 or openssl_updated.changed ) and item.rc == 0

     - name: ensure no more service need to be restarted
       shell: "lsof -n | grep 'DEL.*libssl.so'"
       register: result
       failed_when: result.rc == 0
       changed_when: result.rc != 1
       always_run: yes