Cleanup apt_common

playbooks/base.yml

@@ -1,11 +1,11 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Put a common configuration on all servers
 - hosts: all,!unifi
   vars:
     locales_default: en_US.UTF-8
     locales_additional:
       - fr_FR.UTF-8
+    apt_upgrade_email_address: monitoring.aurore@lists.crans.org
   roles:
     - debian_common
     - apt_common
@@ -13,3 +13,4 @@
     - basesecurity
     - logrotate
     - update_motd
+...

roles/apt_common/tasks/main.yml

@@ -12,4 +12,8 @@
   loop:
     - 20auto-upgrades
     - 50unattended-upgrades
+
+- name: Install debsums
+  apt:
+    name: debsums
 ...

roles/apt_common/templates/20auto-upgrades.j2

@@ -1,4 +1,4 @@
-// {{ ansible_managed }}
+{{ ansible_managed | comment("c") }}
 
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";

roles/apt_common/templates/50unattended-upgrades.j2

@@ -1,4 +1,4 @@
-// {{ ansible_managed }}
+{{ ansible_managed | comment("c") }}
 
 Unattended-Upgrade::Origins-Pattern {
         "origin=Debian,codename=${distro_codename},label=Debian-Security";
@@ -9,8 +9,10 @@ Unattended-Upgrade::Package-Blacklist {};
 Unattended-Upgrade::MinimalSteps "true";
 Unattended-Upgrade::InstallOnShutdown "false";
 
-Unattended-Upgrade::Mail "{{ monitoring_mail }}";
-// Unattended-Upgrade::MailOnlyOnError "false";
+{% if apt_upgrade_email_address | default(False) %}
+Unattended-Upgrade::Mail "{{ apt_upgrade_email_address }}";
+Unattended-Upgrade::MailOnlyOnError "false";
+{% endif %}
 
 Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
 Unattended-Upgrade::Remove-New-Unused-Dependencies "false";

roles/basesecurity/tasks/main.yml

@@ -23,12 +23,4 @@
     - /bin/mount  # Only root should mount
     - /bin/umount  # Only root should umount
   ignore_errors: true  # Sometimes file won't exist
-
-# See altered packages and configurations with `debsums -ca`
-- name: Install debsums
-  apt:
-    name: debsums
-    state: present
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
+...