Initial commit after reviewing this with Claude Opus.

roles/arch_update/tasks/aur_rebuild.yaml

@@ -1,14 +1,17 @@
-- name:  Get list of AUR Python packages that need to be rebuilt
+- name: Get list of AUR Python packages that need to be rebuilt
   ansible.builtin.shell:
     cmd:
       comm -12 <(pactree -lrud1 {{ package_pattern }} | sort -u) <(pacman -Qqm | sort -u)
+    executable: /bin/bash
   register: aur_packages
-- name:  Rebuild AUR Python packages
+  changed_when: false
+  failed_when: false
+
+- name: Rebuild AUR Python packages
   aur:
-    use:  "{{ aur_helper }}"
+    use: "{{ aur_helper }}"
-    name:  '{{ item }}'
+    name: '{{ item }}'
-    aur_only:  true
+    aur_only: true
-    extra_args:  --rebuild
+    extra_args: --rebuild
-  loop:  '{{ aur_packages.stdout.split() }}'
+  loop: '{{ aur_packages.stdout_lines | default([]) }}'
-
+  when: aur_packages.stdout_lines | default([]) | length > 0
-

roles/arch_update/tasks/repo_upgrade.yaml

@@ -6,12 +6,10 @@
     upgrade: true
     extra_args: "--noconfirm"
   register: arch_upgrade_result
-  #- name: Debug full Arch upgrade output
-  #  ansible.builtin.debug:
-  #    var: arch_upgrade_result
   failed_when: 
     - arch_upgrade_result.failed == true
-    # We ignore the failure if it's just 'nothing to do', 
+    - "'there is nothing to do' not in (arch_upgrade_result.stdout | default('') | lower)"
-  #  # but otherwise, we let it fail so you can step in.
+- name: Debug full Arch upgrade output
-    - "'Nothing to upgrade' not in arch_upgrade_result.msg"
+  ansible.builtin.debug:
+    var: arch_upgrade_result
 

roles/debian_update/tasks/apt_upgrade.yaml

@@ -1,5 +0,0 @@
-- name: Full system upgrade
-  become: true
-  ansible.builtin.apt:
-    update_cache: true
-    upgrade:  full

roles/debian_update/tasks/main.yaml

@@ -1,2 +1,6 @@
-- name: Perform official repository updates
+---
-  ansible.builtin.import_tasks: apt_upgrade.yaml
+- name: Full system upgrade
+  become: true
+  ansible.builtin.apt:
+    update_cache: true
+    upgrade: full

roles/reboot/files/check_reboot.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env zsh
+#!/usr/bin/env bash
 
 # Exit code 0 = Reboot required
 # Exit code 1 = System is up to date / No reboot needed

roles/reboot/handlers/main.yaml

@@ -5,6 +5,7 @@
     name: mollyguard.service
     state: stopped
   listen: Reboot system
+  failed_when: false
 
 - name: Execute System Reboot
   become: true

roles/reboot/tasks/main.yaml

@@ -1,6 +1,6 @@
 ---
 - name: Check if kernel or microcode update requires reboot
-  ansible.builtin.script: check_reboot.zsh  # Your script placed in files/
+  ansible.builtin.script: check_reboot.sh  # Your script placed in files/
   register: reboot_check
   # Prevent Ansible from failing if the script returns false (exit code 1)
   failed_when: false

systemd-creds.yaml

@@ -22,6 +22,6 @@
     - name:  Create override
       ansible.builtin.shell:
         cmd: |
-          printf {{ passphrase }} | (echo "[Service]"; systemd-creds encrypt --name={{ creds_name }} --pretty - -) >> /etc/systemd/system/shared.d/00-systemd-creds.conf
+          printf '%s' {{ passphrase | quote }} | (echo "[Service]"; systemd-creds encrypt --name={{ creds_name }} --pretty - -) >> /etc/systemd/system/shared.d/00-systemd-creds.conf
           printf "Environment=%s=%%d/%s\n" {{ creds_var }} {{ creds_name }} >> /etc/systemd/system/shared.d/00-systemd-creds.conf
         #creates:  /etc/systemd/system/shared.d/00-systemd-creds.conf