authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-11 09:17:50 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-11 19:04:51 +0200
commit1c363a140e3cbc2ed96eeb372cf3abfdb642d3f0 (patch)
treee554df64114e323902d360ce627f22a04e2e1745
parentjournald: parametrize the log level (diff)
apt: configure unattended-upgrades
-rw-r--r--roles/apt/defaults/main.yml2
-rw-r--r--roles/apt/tasks/main.yml3
-rw-r--r--roles/apt/tasks/unattended_upgrades.yml33
-rw-r--r--roles/apt/templates/02periodic.j26
-rw-r--r--roles/apt/templates/50unattended-upgrades.j221
5 files changed, 65 insertions, 0 deletions
diff --git a/roles/apt/defaults/main.yml b/roles/apt/defaults/main.yml
index ff5adcb..0026b08 100644
--- a/roles/apt/defaults/main.yml
+++ b/roles/apt/defaults/main.yml
@@ -1 +1,3 @@
apt_extra_packages: []
+apt_unattended_reboot: true
+apt_unattended_reboot_time: "02:00"
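Review bot: The two new defaults carry no comment, although `apt_unattended_reboot: true` means every host that applies this role may restart on its own at 02:00 unless the variable is overridden. A short comment above them would make that opt-out visible, for example `# Reboot automatically when an upgrade requires it; set to false on hosts that must not restart unattended.` and `# HH:MM in the host's local time; keep it quoted so YAML does not read it as a number.`. Hosts that back each other up would all use the same reboot time by default, so the comment could also suggest staggering it per host or group.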
diff --git a/roles/apt/tasks/main.yml b/roles/apt/tasks/main.yml
index 1d07a7f..6511c44 100644
--- a/roles/apt/tasks/main.yml
+++ b/roles/apt/tasks/main.yml
@@ -25,3 +25,6 @@
install_recommends: false
name: '{{ apt_extra_packages }}'
state: present
+
+- name: Configure unattended-upgrades
+ ansible.builtin.include_tasks: unattended_upgrades.yml
diff --git a/roles/apt/tasks/unattended_upgrades.yml b/roles/apt/tasks/unattended_upgrades.yml
new file mode 100644
index 0000000..79327d5
--- /dev/null
+++ b/roles/apt/tasks/unattended_upgrades.yml
@@ -0,0 +1,33 @@
+- name: Install unattended-upgrades
+ become:
+ ansible.builtin.apt:
+ install_recommends: false
+ name: unattended-upgrades
+ state: present
+
+- name: 50unattended-upgrades
+ become: true
+ ansible.builtin.template:
+ src: 50unattended-upgrades.j2
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ owner: root
+ group: root
+ mode: '644'
+
+# https://wiki.debian.org/UnattendedUpgrades says that 20auto-upgrades and
+# 02periodic are _alternatives_ (and, presumably, not mechanisms that can be
+# used together).
+- name: 20auto-upgrades
+ become: true
+ ansible.builtin.file:
+ path: /etc/apt/apt.conf.d/20auto-upgrades
+ state: absent
+
+- name: 02periodic
+ become: true
+ ansible.builtin.template:
+ src: 02periodic.j2
+ dest: /etc/apt/apt.conf.d/02periodic
+ owner: root
+ group: root
+ mode: '644'
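Review bot: The `become:` key on the "Install unattended-upgrades" task has no value, so YAML loads it as null instead of `true`, unlike the three tasks below it. Unless the play or an enclosing block already escalates privileges (not visible in this diff), the package install would presumably run as the connecting user and fail. Writing `become: true` there makes the task consistent with the rest of the file. As a smaller point of style, `mode: '0644'` is the more conventional spelling than `mode: '644'` for the two template tasks.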
diff --git a/roles/apt/templates/02periodic.j2 b/roles/apt/templates/02periodic.j2
new file mode 100644
index 0000000..0c26a8f
--- /dev/null
+++ b/roles/apt/templates/02periodic.j2
@@ -0,0 +1,6 @@
+APT::Periodic::Enable "1";
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Verbose "2";
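Review bot: This template has no header comment, and the reason for the `02` prefix is only explained in the tasks file. Files in `/etc/apt/apt.conf.d` are read in lexical order and later files override earlier ones, so if `20auto-upgrades` is ever recreated (for example by reconfiguring the package), its values would take precedence over these. A leading comment such as `// Managed by Ansible. Overridden by any later file in apt.conf.d, notably 20auto-upgrades, which the role removes.` would record that. It may also be worth noting that `Verbose "2"` is deliberate, since it makes the periodic job's output noisier.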
diff --git a/roles/apt/templates/50unattended-upgrades.j2 b/roles/apt/templates/50unattended-upgrades.j2
new file mode 100644
index 0000000..dfb2f9e
--- /dev/null
+++ b/roles/apt/templates/50unattended-upgrades.j2
@@ -0,0 +1,21 @@
+Unattended-Upgrade::Origins-Pattern {
+ "origin=${distro_id},codename=${distro_codename}";
+ "origin=${distro_id},codename=${distro_codename}-security";
+};
+
+Unattended-Upgrade::DevRelease "false";
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailOnlyOnError "true";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "{{ apt_unattended_reboot | lower }}";
+Unattended-Upgrade::Automatic-Reboot-Time "{{ apt_unattended_reboot_time }}";
+Unattended-Upgrade::SyslogEnable "true";
+
+Dpkg::Options {
+ "--force-confdef";
+ "--force-confold";
+};
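Review bot: The `Dpkg::Options` block at the end applies to every apt run on the host, not only to unattended-upgrades, because all files in `apt.conf.d` are merged into one configuration. With `--force-confold`, an update that ships a changed conffile keeps the locally modified version without prompting, so a tightened default delivered with a security update may not take effect. I would add a comment above the block saying so, for example `// Applies to all apt/dpkg runs: locally modified conffiles are kept; review *.dpkg-dist files after upgrades.`. Separately, `Mail "root"` with `MailOnlyOnError` only helps if a mail command is installed, which nothing in this commit ensures, so failed upgrades may otherwise go unnoticed apart from syslog.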