From 1c363a140e3cbc2ed96eeb372cf3abfdb642d3f0 Mon Sep 17 00:00:00 2001
From: Egor Tensin
Date: Fri, 11 Aug 2023 09:17:50 +0200
Subject: apt: configure unattended-upgrades

---
 roles/apt/defaults/main.yml | 2 ++
 roles/apt/tasks/main.yml | 3 +++
 roles/apt/tasks/unattended_upgrades.yml | 33 ++++++++++++++++++++++++++++
 roles/apt/templates/02periodic.j2 | 6 +++++
 roles/apt/templates/50unattended-upgrades.j2 | 21 ++++++++++++++++++
 5 files changed, 65 insertions(+)
 create mode 100644 roles/apt/tasks/unattended_upgrades.yml
 create mode 100644 roles/apt/templates/02periodic.j2
 create mode 100644 roles/apt/templates/50unattended-upgrades.j2
(limited to 'roles/apt')

diff --git a/roles/apt/defaults/main.yml b/roles/apt/defaults/main.yml
index ff5adcb..0026b08 100644
--- a/roles/apt/defaults/main.yml
+++ b/roles/apt/defaults/main.yml
@@ -1 +1,3 @@
 apt_extra_packages: []
+apt_unattended_reboot: true
+apt_unattended_reboot_time: "02:00"
diff --git a/roles/apt/tasks/main.yml b/roles/apt/tasks/main.yml
index 1d07a7f..6511c44 100644
--- a/roles/apt/tasks/main.yml
+++ b/roles/apt/tasks/main.yml
@@ -25,3 +25,6 @@
     install_recommends: false
     name: '{{ apt_extra_packages }}'
     state: present
+
+- name: Configure unattended-upgrades
+  ansible.builtin.include_tasks: unattended_upgrades.yml
diff --git a/roles/apt/tasks/unattended_upgrades.yml b/roles/apt/tasks/unattended_upgrades.yml
new file mode 100644
index 0000000..79327d5
--- /dev/null
+++ b/roles/apt/tasks/unattended_upgrades.yml
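Review bot: The two new variables in roles/apt/defaults/main.yml carry no comment, and `apt_unattended_reboot: true` is a consequential default: with it the host reboots on its own whenever an upgrade asks for one. I would add `# Reboot at apt_unattended_reboot_time when an upgrade requires it; false installs only.` above the first line and `# Local time, HH:MM (quoted: an unquoted 02:00 is read as the number 120 by YAML 1.1 parsers).` above the second. The tasks/main.yml and 02periodic.j2 hunks on this line raise nothing.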
@@ -0,0 +1,33 @@
+- name: Install unattended-upgrades
+  become:
+  ansible.builtin.apt:
+    install_recommends: false
+    name: unattended-upgrades
+    state: present
+
+- name: 50unattended-upgrades
+  become: true
+  ansible.builtin.template:
+    src: 50unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    owner: root
+    group: root
+    mode: '644'
+
+# https://wiki.debian.org/UnattendedUpgrades says that 20auto-upgrades and
+# 02periodic are _alternatives_ (and, presumably, not mechanisms that can be
+# used together).
+- name: 20auto-upgrades
+  become: true
+  ansible.builtin.file:
+    path: /etc/apt/apt.conf.d/20auto-upgrades
+    state: absent
+
+- name: 02periodic
+  become: true
+  ansible.builtin.template:
+    src: 02periodic.j2
+    dest: /etc/apt/apt.conf.d/02periodic
+    owner: root
+    group: root
+    mode: '644'
diff --git a/roles/apt/templates/02periodic.j2 b/roles/apt/templates/02periodic.j2
new file mode 100644
index 0000000..0c26a8f
--- /dev/null
+++ b/roles/apt/templates/02periodic.j2
@@ -0,0 +1,6 @@
+APT::Periodic::Enable "1";
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Verbose "2";
diff --git a/roles/apt/templates/50unattended-upgrades.j2 b/roles/apt/templates/50unattended-upgrades.j2
new file mode 100644
index 0000000..dfb2f9e
--- /dev/null
+++ b/roles/apt/templates/50unattended-upgrades.j2
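Review bot: `become:` on the "Install unattended-upgrades" task has no value, which YAML reads as null rather than true, so unlike the three tasks below it this one does not escalate and the package install will fail on any connection that is not already root. It should read `become: true` like the others. The wiki comment above the 20auto-upgrades task explains why that file is removed; a matching one-line comment above the 50unattended-upgrades task, noting that the role deliberately replaces the package-shipped file rather than editing it, would make the intent of both template tasks equally clear.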
@@ -0,0 +1,21 @@
+Unattended-Upgrade::Origins-Pattern {
+    "origin=${distro_id},codename=${distro_codename}";
+    "origin=${distro_id},codename=${distro_codename}-security";
+};
+
+Unattended-Upgrade::DevRelease "false";
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailOnlyOnError "true";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "{{ apt_unattended_reboot | lower }}";
+Unattended-Upgrade::Automatic-Reboot-Time "{{ apt_unattended_reboot_time }}";
+Unattended-Upgrade::SyslogEnable "true";
+
+Dpkg::Options {
+    "--force-confdef";
+    "--force-confold";
+};
-- 
cgit v1.2.3
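Review bot: Automatic-Reboot is driven by apt_unattended_reboot, but Automatic-Reboot-WithUsers is left at the package default, which is "true", so the host reboots at the configured time even while users are logged in. Making that explicit next to the two Automatic-Reboot lines — `Unattended-Upgrade::Automatic-Reboot-WithUsers "true";` — records the intent and is the line an operator will look for when a reboot surprises them. `Mail "root"` with MailOnlyOnError only delivers a report if a mail transport is present, and the role does not appear to install one; a short comment above that line saying the report depends on a locally configured MTA would save a later investigation.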