unattended_upgrades: migration

playbooks/base.yml

@@ -5,4 +5,5 @@
     - vm_network
   roles:
     - base_utils
+    - unattended_upgrades
 ...

roles/unattended_upgrades/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Install unattended-upgrades
+  apt:
+    name: unattended-upgrades
+
+- name: Configure unattended-upgrades
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/apt/apt.conf.d/{{ item }}"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+  loop:
+    - 20auto-upgrades
+    - 50unattended-upgrades
+...

roles/unattended_upgrades/templates/20auto-upgrades.j2

@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";

roles/unattended_upgrades/templates/50unattended-upgrades.j2

@@ -0,0 +1,29 @@
+{{ ansible_managed | comment }}
+
+Unattended-Upgrade::Origins-Pattern {
+    "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+Unattended-Upgrade::Package-Whitelist {};
+
+Unattended-Upgrade::Automatic-Reboot "false";
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::IgnoreAppsRequireRestart "false";
+Unattended-Upgrade::InstallOnShutdown "false";
+Unattended-Upgrade::MinimalSteps "true";
+
+Unattended-Upgrade::Mail "{{ monitoring_mail }}";
+Unattended-Upgrade::MailOnlyOnError "true";
+
+Unattended-Upgrade::Keep-Debs-After-Install "false";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+
+Unattended-Upgrade::SyslogEnable "true";
+Unattended-Upgrade::SyslogFacility "daemon";
+
+Unattended-Upgrade::OnlyOnACPower "false";
+
+# https://bugs.launchpad.net/ubuntu/+source/pygobject/+bug/1859080
+Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";