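---
# Applies all pending package updates on Debian- and RedHat-family hosts and
# reboots a host only when the distribution reports that a restart is needed.
# The play targets `hosts: all`; restrict the run with the inventory or
# --limit when a staged rollout is wanted.
- name: Patch Debian and RedHat systems
  hosts: all
  become: true
  gather_facts: true

  vars:
    # When false, packages are still upgraded but no host is rebooted, so a
    # host that needs a restart keeps running the pre-patch kernel and
    # libraries until it is restarted some other way.
    reboot_if_required: true

  tasks:
    - name: Update apt cache (Debian)
      ansible.builtin.apt:
        update_cache: true
        # Skip the refresh when the cache is younger than one hour.
        cache_valid_time: 3600
      when: ansible_os_family == "Debian"

    - name: Upgrade all packages (Debian)
      ansible.builtin.apt:
        upgrade: dist
        autoremove: true
        autoclean: true
      when: ansible_os_family == "Debian"

    - name: Upgrade all packages (RedHat)
      ansible.builtin.dnf:
        name: "*"
        state: latest
        update_cache: true
      when: ansible_os_family == "RedHat"

    - name: Check if reboot is required (Debian)
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required_debian
      when: ansible_os_family == "Debian"

    - name: Check if reboot is required (RedHat)
      ansible.builtin.command: needs-restarting -r
      register: reboot_required_redhat
      # needs-restarting -r exits 0 when no reboot is needed and 1 when one
      # is. Any other result (for example the tool not being installed) must
      # fail the task: ignoring it would silently skip the reboot and leave
      # the host on the old kernel while the play reports success.
      failed_when: reboot_required_redhat.rc not in [0, 1]
      # The command only reads state, so it never counts as a change.
      changed_when: false
      when: ansible_os_family == "RedHat"

    - name: Reboot Debian systems if required
      ansible.builtin.reboot:
        msg: "Rebooting after patching"
        reboot_timeout: 600
      # Order matters: the OS-family test precedes the registered result,
      # which carries no `stat` data on hosts where the check was skipped.
      when:
        - reboot_if_required
        - ansible_os_family == "Debian"
        - reboot_required_debian.stat.exists

    - name: Reboot RedHat systems if required
      ansible.builtin.reboot:
        msg: "Rebooting after patching"
        reboot_timeout: 600
      # Order matters: the OS-family test precedes the registered result,
      # which carries no `rc` on hosts where the check was skipped.
      when:
        - reboot_if_required
        - ansible_os_family == "RedHat"
        - reboot_required_redhat.rc == 1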