From 45d380c6412b292d05dcb9ae157c28247b640f8c Mon Sep 17 00:00:00 2001
From: Vincent Lafeychine
Date: Tue, 3 Oct 2023 14:09:48 +0200
Subject: [PATCH] unattended_upgrades: migration
---
 playbooks/base.yml | 1 +
 roles/unattended_upgrades/tasks/main.yml | 16 ++++++++++
 .../templates/20auto-upgrades.j2 | 4 +++
 .../templates/50unattended-upgrades.j2 | 29 +++++++++++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 roles/unattended_upgrades/tasks/main.yml
 create mode 100644 roles/unattended_upgrades/templates/20auto-upgrades.j2
 create mode 100644 roles/unattended_upgrades/templates/50unattended-upgrades.j2
diff --git a/playbooks/base.yml b/playbooks/base.yml
index fffa1df..3c81038 100755
--- a/playbooks/base.yml
+++ b/playbooks/base.yml
@@ -5,4 +5,5 @@
 - vm_network
 roles:
 - base_utils
+ - unattended_upgrades
 ...
diff --git a/roles/unattended_upgrades/tasks/main.yml b/roles/unattended_upgrades/tasks/main.yml
new file mode 100644
index 0000000..1aa3d4f
--- /dev/null
+++ b/roles/unattended_upgrades/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install unattended-upgrades
+ apt:
+ name: unattended-upgrades
+
+- name: Configure unattended-upgrades
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/apt/apt.conf.d/{{ item }}"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ loop:
+ - 20auto-upgrades
+ - 50unattended-upgrades
+...
diff --git a/roles/unattended_upgrades/templates/20auto-upgrades.j2 b/roles/unattended_upgrades/templates/20auto-upgrades.j2
new file mode 100644
index 0000000..1dd0e4b
--- /dev/null
+++ b/roles/unattended_upgrades/templates/20auto-upgrades.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/unattended_upgrades/templates/50unattended-upgrades.j2 b/roles/unattended_upgrades/templates/50unattended-upgrades.j2
new file mode 100644
index 0000000..0876ab5
--- /dev/null
+++ b/roles/unattended_upgrades/templates/50unattended-upgrades.j2
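Review bot: In roles/unattended_upgrades/tasks/main.yml the install task passes only `name:` to apt, so on a host whose package lists are missing or stale the install can fail or pick up an outdated unattended-upgrades build. Adding `update_cache: true` and `cache_valid_time: 3600`, with an explicit `state: present`, makes the task independent of whatever ran before it. The template task also writes directly into /etc/apt/apt.conf.d/, where a syntactically broken file makes every apt invocation fail, including the unattended run itself. Since `monitoring_mail` is interpolated into one of those files, a follow-up task that checks apt still parses its configuration would catch a bad value at deploy time.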
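Review bot: The two `APT::Periodic` settings in roles/unattended_upgrades/templates/20auto-upgrades.j2 only take effect when the periodic apt job actually runs, and nothing in this commit checks that. On systemd-based Debian that job is driven by `apt-daily.timer` and `apt-daily-upgrade.timer`. If a base image ships them disabled or masked, the role converges cleanly while no security update is ever installed. A task in tasks/main.yml that ensures both timers are enabled and started would close that gap. They are presumably enabled by default on these VMs, but the role should not depend on it.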
@@ -0,0 +1,29 @@
+{{ ansible_managed | comment }}
+
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+Unattended-Upgrade::Package-Whitelist {};
+
+Unattended-Upgrade::Automatic-Reboot "false";
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::IgnoreAppsRequireRestart "false";
+Unattended-Upgrade::InstallOnShutdown "false";
+Unattended-Upgrade::MinimalSteps "true";
+
+Unattended-Upgrade::Mail "{{ monitoring_mail }}";
+Unattended-Upgrade::MailOnlyOnError "true";
+
+Unattended-Upgrade::Keep-Debs-After-Install "false";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+
+Unattended-Upgrade::SyslogEnable "true";
+Unattended-Upgrade::SyslogFacility "daemon";
+
+Unattended-Upgrade::OnlyOnACPower "false";
+
+# https://bugs.launchpad.net/ubuntu/+source/pygobject/+bug/1859080
+Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";
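Review bot: The single entry in `Unattended-Upgrade::Origins-Pattern` matches `codename=${distro_codename}`, but since Debian 11 the security archive is published under the codename `<release>-security`. On bullseye or later this pattern would therefore match nothing, and no security update would be installed, with no error raised. Add the second pattern from the stock Debian configuration next to it: `"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";`. Separately, `Automatic-Reboot "false"` combined with `MailOnlyOnError "true"` means a pending reboot after a kernel or libc update is never reported, so hosts should be monitored for /var/run/reboot-required or the mail setting relaxed. Mail delivery also depends on `monitoring_mail` being defined and on a working local mailer, neither of which is visible in this patch.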