feat(security): update / install clamav only if desired version and installed version differs

collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 security_apt_force_https: true
 security_apt_https_ignore_list: []
-security_clamav_version: 1.2.1
+security_clamav_version: 1.3.1
 security_firewall_enabled: true
 security_firewall_filter_policy_forward: drop
 security_firewall_filter_policy_input: drop

collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml

@@ -88,14 +88,21 @@
         job: "/usr/bin/rkhunter -c 2>&1"
         state: present
 
+- name: get current clamav version
+  ansible.builtin.shell: >
+    dpkg -l | awk '$2=="clamav"{ print $3 }' | cut -d '-' -f 1
+  register: clamav_version_cmd
+  changed_when: false
+  failed_when: false
+
 - name: '[system] clamav'
   become: true
   block:
     - name: '[clamav] retrieve and install clamav package'
       ansible.builtin.apt:
         deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb
-        force_apt_get: true
         state: present
+      when: clamav_version_cmd.get("stdout", "") != security_clamav_version
     - name: '[clamav] add clamav group'
       ansible.builtin.group:
         name: clamav

inventory/group_vars/all/vars.yml

@@ -3,6 +3,9 @@
 custom_base_user_account: "{{ vault_custom_base_user_account }}"
 custom_github_token: "{{ vault_custom_github_token | default('') }}"
 
+# security parameters
+security_clamav_version: 1.3.1
+
 # global (hosts' system parameters)
 ## TODO: move to a CMDB
 global_dns_type: "dot"