apt: add a helpful comment to 50unattended-upgrades

1 files changed, 20 insertions, 0 deletions

diff --git a/roles/apt/templates/50unattended-upgrades.j2 b/roles/apt/templates/50unattended-upgrades.j2
index 389bb2b..57c8d20 100644
--- a/roles/apt/templates/50unattended-upgrades.j2
+++ b/roles/apt/templates/50unattended-upgrades.j2
@@ -1,5 +1,25 @@
 {{ ansible_managed | comment }}
 
+// Lines below have the format format is "keyword=value,...".  A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line.  (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted.  The accepted keywords are:
+//   a,archive,suite (eg, "stable")
+//   c,component     (eg, "main", "contrib", "non-free")
+//   l,label         (eg, "Debian", "Debian-Security")
+//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
+//   n,codename      (eg, "jessie", "jessie-updates")
+//     site          (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+//   ${distro_id}            Installed origin.
+//   ${distro_codename}      Installed codename (eg, "buster")
+
 Unattended-Upgrade::Origins-Pattern {
     "origin=${distro_id},codename=${distro_codename}";
     "origin=${distro_id},codename=${distro_codename}-security";