From d59cb41d5e99650f5de6b8476572f5ba124cc8b8 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Thu, 28 Jan 2021 03:42:07 +0100
Subject: [PATCH] Use unattended-upgrades for Debian-Security
---
roles/baseconfig/tasks/apt-unattended.yml | 21 ++++++++++++++++++
roles/baseconfig/tasks/main.yml | 3 +++
.../templates/apt/20auto-upgrades.j2 | 4 ++++
.../templates/apt/50unattended-upgrades.j2 | 22 +++++++++++++++++++
4 files changed, 50 insertions(+)
create mode 100644 roles/baseconfig/tasks/apt-unattended.yml
create mode 100644 roles/baseconfig/templates/apt/20auto-upgrades.j2
create mode 100644 roles/baseconfig/templates/apt/50unattended-upgrades.j2
diff --git a/roles/baseconfig/tasks/apt-unattended.yml b/roles/baseconfig/tasks/apt-unattended.yml
new file mode 100644
index 0000000..9251e17
--- /dev/null
+++ b/roles/baseconfig/tasks/apt-unattended.yml
@@ -0,0 +1,21 @@
+---
+- name: Install unattended-upgrades
+ when: ansible_os_family == "Debian"
+ apt:
+ name: unattended-upgrades
+ state: present
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure unattended-upgrades
+ template:
+ src: "apt/{{ item }}.j2"
+ dest: "/etc/apt/apt.conf.d/{{ item }}"
+ owner: root
+ mode: u=rw,g=r,o=r
+ loop:
+ - 50unattended-upgrades
+ - 20auto-upgrades
+...
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index 2455998..c1d3eda 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -74,6 +74,9 @@ # APT-List Changes : send email with changelog - include_tasks: apt-listchanges.yml +# APT Unattended upgrades +- include_tasks: apt-unattended.yml + # User skeleton - name: Configure user skeleton copy:
diff --git a/roles/baseconfig/templates/apt/20auto-upgrades.j2 b/roles/baseconfig/templates/apt/20auto-upgrades.j2
new file mode 100644
index 0000000..a1ba39e
--- /dev/null
+++ b/roles/baseconfig/templates/apt/20auto-upgrades.j2
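Review bot: The `Configure unattended-upgrades` task in apt-unattended.yml carries no `when:`, although the install task right above it is guarded by `when: ansible_os_family == "Debian"`, and the `include_tasks: apt-unattended.yml` added to main.yml is unconditional too. If this role ever runs on a non-Debian host, the template task would still try to write into `/etc/apt/apt.conf.d/`; moving the condition onto the include (or repeating it on both tasks) keeps the two consistent. Note also that `ansible_os_family == "Debian"` is true on Ubuntu and other derivatives, while the shipped 50unattended-upgrades template only names `origin=Debian`, so on those hosts the service would be installed and enabled yet match no archive; `when: ansible_distribution == "Debian"` is the tighter guard if only Debian is meant. The template task sets `owner: root` without a group, so `group: root` would pin the ownership of the two apt.conf.d files fully.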
@@ -0,0 +1,4 @@
+// {{ ansible_managed }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/baseconfig/templates/apt/50unattended-upgrades.j2 b/roles/baseconfig/templates/apt/50unattended-upgrades.j2
new file mode 100644
index 0000000..b2932b5
--- /dev/null
+++ b/roles/baseconfig/templates/apt/50unattended-upgrades.j2
@@ -0,0 +1,22 @@
+// {{ ansible_managed }}
+
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+
+Unattended-Upgrade::Mail "{{ monitoring_mail }}";
+// Unattended-Upgrade::MailOnlyOnError "false";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+Unattended-Upgrade::Automatic-Reboot "false";
+
+Unattended-Upgrade::SyslogEnable "true";
+Unattended-Upgrade::SyslogFacility "daemon";
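Review bot: The only entry in `Unattended-Upgrade::Origins-Pattern` in 50unattended-upgrades.j2 matches `codename=${distro_codename}`, which stops matching the security archive from Debian 11 onwards, where it is published under the codename `<release>-security`. On such a host unattended-upgrades would keep running and logging normally while finding no security updates to install, so the failure is silent. Adding a second entry, `"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";`, covers both archive layouts. With `Automatic-Reboot "false"`, kernel and library fixes are installed but not in effect until someone reboots, so a comment stating that choice, plus monitoring of `/var/run/reboot-required`, would make the remaining exposure visible. `Unattended-Upgrade::Mail` depends on `monitoring_mail`, which is defined outside this patch; presumably an unset or empty value would mean no report is sent, which is worth confirming.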