# Patching Role

Apply security patches and OS updates to enterprise infrastructure nodes.

## Features

- **Idempotent**: Properly checks for changes with `changed_when`
- **Patch Window**: Optional enforcement of patch time windows
- **Pre-patch Backup**: Backs up package list before patching
- **Smart Reboot**: Automatically detects if reboot is required
- **Service Restart**: Restarts only necessary services after patching
- **Health Checks**: Verifies services and runs health endpoint checks

## Role Variables

See `defaults/main.yml` for all available variables.

### Key Variables

- `patch_window_start`: Patch window start time (default: 02:00)
- `patch_window_end`: Patch window end time (default: 04:00)
- `enforce_patch_window`: Enforce patch time window (default: true)
- `patch_security_only`: Apply security updates only (default: true)
- `backup_before_patch`: Create backup before patching (default: true)
- `reboot_if_required`: Auto-reboot if required (default: false)
- `services_to_restart`: Services to restart after patching
- `critical_services`: Critical services to verify after patching

## Usage

```yaml
- role: patching
  vars:
    patch_security_only: true
    enforce_patch_window: false
    reboot_if_required: true
```

## Report

Patch report is generated at: `/var/log/patch_report_.log`

## Backup Location

Pre-patch backups saved to: `/var/backups/pre-patch-/`
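One way a window check like the one `patch_window_start`, `patch_window_end` and `enforce_patch_window` describe can be written in a playbook, including a window that crosses midnight. This is an added example, not the role's own tasks: the pre-task layout, the `now_min`/`start_min`/`end_min` facts and the end-exclusive window are assumptions.

```yaml
# Added example, not the role's own tasks. Variable names come from the README;
# the task layout, fact names and end-exclusive window are assumptions.
- name: Patch only inside the maintenance window
  hosts: all
  become: true
  gather_facts: true            # ansible_date_time is the managed node's clock
  vars:
    # Quoted so YAML keeps the times as strings and cannot read them as numbers.
    patch_window_start: "23:00"   # constructed window that crosses midnight
    patch_window_end: "01:00"
    enforce_patch_window: true

  pre_tasks:
    - name: Convert clock and window to minutes since midnight
      ansible.builtin.set_fact:
        now_min: "{{ (ansible_date_time.hour | int) * 60 + (ansible_date_time.minute | int) }}"
        start_min: "{{ (patch_window_start.split(':')[0] | int) * 60 + (patch_window_start.split(':')[1] | int) }}"
        end_min: "{{ (patch_window_end.split(':')[0] | int) * 60 + (patch_window_end.split(':')[1] | int) }}"

    - name: Stop before patching when the node is outside the window
      ansible.builtin.assert:
        that:
          # Same-day window: start <= now < end.
          # Window crossing midnight: now >= start or now < end.
          - >-
            ((now_min | int) >= (start_min | int) and (now_min | int) < (end_min | int))
            if (start_min | int) <= (end_min | int)
            else ((now_min | int) >= (start_min | int) or (now_min | int) < (end_min | int))
        fail_msg: >-
          {{ inventory_hostname }} is outside the patch window
          {{ patch_window_start }}-{{ patch_window_end }}
          (node time {{ ansible_date_time.hour }}:{{ ansible_date_time.minute }}).
      when: enforce_patch_window | bool

  roles:
    - role: patching
```

The check uses each node's local time as captured at fact gathering, so nodes in different time zones are evaluated against their own clocks.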