ansible-playbook/nezha_update_secret.yml

---
- name: 更新 Nezha Agent Client Secret
  hosts: all
  become: yes

  vars:
    # 必填参数：新的 client_secret 值
    client_secret: ""

    # 可选参数：旧的 client_secret 值（用于验证）
    # 留空则强制修改，无论当前值是什么
    old_client_secret: ""

    # 配置文件路径
    config_file: "/opt/nezha/agent/config.yml"

    # 服务名称
    service_name: "nezha-agent.service"

  tasks:
    - name: 验证必填参数
      ansible.builtin.assert:
        that:
          - client_secret is defined
          - client_secret | length > 0
        fail_msg: "参数 client_secret 不能为空"
        success_msg: "参数验证通过"

    - name: 检查配置文件是否存在
      ansible.builtin.stat:
        path: "{{ config_file }}"
      register: config_file_stat

    - name: 配置文件不存在时报错
      ansible.builtin.fail:
        msg: "配置文件 {{ config_file }} 不存在"
      when: not config_file_stat.stat.exists

    - name: 备份原始配置文件
      ansible.builtin.copy:
        src: "{{ config_file }}"
        dest: "{{ config_file }}.backup.{{ ansible_date_time.iso8601_basic_short }}"
        remote_src: yes
        force: no

    - name: 更新 client_secret（不验证旧值）
      ansible.builtin.lineinfile:
        path: "{{ config_file }}"
        regexp: '^client_secret:\s*.+$'
        line: "client_secret: {{ client_secret }}"
        backup: yes
      when: old_client_secret == ""
      notify: 重启 Nezha Agent
      register: update_result_force

    - name: 更新 client_secret（验证旧值）
      ansible.builtin.lineinfile:
        path: "{{ config_file }}"
        regexp: '^client_secret:\s*{{ old_client_secret | regex_escape }}$'
        line: "client_secret: {{ client_secret }}"
        backup: yes
      when: old_client_secret != ""
      notify: 重启 Nezha Agent
      register: update_result_safe

    - name: 检查是否成功替换（验证旧值模式）
      ansible.builtin.fail:
        msg: "未找到匹配的旧 client_secret 值，请检查 old_client_secret 参数是否正确"
      when:
        - old_client_secret != ""
        - update_result_safe is defined
        - not update_result_safe.changed

    - name: 显示更新结果
      ansible.builtin.debug:
        msg: "client_secret 已成功更新"
      when: (update_result_force is defined and update_result_force.changed) or
            (update_result_safe is defined and update_result_safe.changed)

    - name: 验证 Nezha Agent 服务状态
      ansible.builtin.systemd:
        name: "{{ service_name }}"
      register: service_status

    - name: 显示服务状态
      ansible.builtin.debug:
        msg: "Nezha Agent 服务状态: {{ service_status.status.ActiveState }}"

  handlers:
    - name: 重启 Nezha Agent
      ansible.builtin.systemd:
        name: "{{ service_name }}"
        state: restarted