update system role

plays/upgrade.yml

@@ -2,22 +2,5 @@
 - hosts: all
   gather_facts: yes
 
-  tasks:
-    - name: Perform a dist-upgrade.
-      ansible.builtin.apt:
-        upgrade: dist
-        update_cache: yes
-
-    - name: Check if a reboot is required.
-      ansible.builtin.stat:
-        path: /var/run/reboot-required
-        get_checksum: no
-      register: reboot_required_file
-
-    - name: Reboot the server (if required).
-      ansible.builtin.reboot:
-      when: reboot_required_file.stat.exists == true
-
-    - name: Remove dependencies that are no longer required.
-      ansible.builtin.apt:
-        autoremove: yes
+  roles:
+    - role: roles/update_system

roles/update_system/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+# Default upgrade type
+# Options:
+#   safe  → only upgrade already installed packages
+#   dist  → perform a full distribution upgrade
+
+update_system_upgrade_type: safe

roles/update_system/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+# Ensures a Debian/Ubuntu system is up to date
+# Upgrade type is controlled by 'update_system_upgrade_type' (default: 'safe')
+
+- name: Ensure apt cache is up to date
+  apt:
+    update_cache: yes
+  become: yes
+
+- name: Upgrade installed packages
+  apt:
+    upgrade: "{{ update_system_upgrade_type }}"
+  become: yes
+
+- name: Autoremove unnecessary packages
+  apt:
+    autoremove: yes
+  become: yes
+
+- name: Clean up retrieved package files
+  apt:
+    autoclean: yes
+  become: yes