Use unattended-upgrades for Debian-Security #4
4 changed files with 50 additions and 0 deletions
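--- a/roles/baseconfig/tasks/apt-unattended.yml
+++ b/roles/baseconfig/tasks/apt-unattended.yml
@@ -0,0 +1,21 @@
+---
+- name: Install unattended-upgrades
+when: ansible_os_family == "Debian"
+apt:
+name: unattended-upgrades
+state: present
+update_cache: true
+register: apt_result
+retries: 3
+until: apt_result is succeeded
+
+- name: Configure unattended-upgrades
+template:
+src: "apt/{{ item }}.j2"
+dest: "/etc/apt/apt.conf.d/{{ item }}"
+owner: root
+mode: u=rw,g=r,o=r
+loop:
+- 50unattended-upgrades
+- 20auto-upgrades
+...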
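Review bot: The "Configure unattended-upgrades" task has no `when: ansible_os_family == "Debian"` guard, unlike the install task above it. On a non-Debian host the template step would still run against `/etc/apt/apt.conf.d/`, unless the include in the tasks file is already restricted, which this page does not show. I would repeat the guard on the second task, and add `group: root` next to `owner: root` so the file's group is stated rather than inherited. Indentation was lost in this rendering, so which task the `when` attaches to is inferred from key order.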
|
@ -74,6 +74,9 @@
|
|||
# APT-List Changes : send email with changelog
|
||||
- include_tasks: apt-listchanges.yml
|
||||
|
||||
# APT Unattended upgrades
|
||||
- include_tasks: apt-unattended.yml
|
||||
|
||||
# User skeleton
|
||||
- name: Configure user skeleton
|
||||
copy:
|
||||
|
|
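--- a/roles/baseconfig/templates/apt/20auto-upgrades.j2
+++ b/roles/baseconfig/templates/apt/20auto-upgrades.j2
@@ -0,0 +1,4 @@
+// {{ ansible_managed }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";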
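--- a/roles/baseconfig/templates/apt/50unattended-upgrades.j2
+++ b/roles/baseconfig/templates/apt/50unattended-upgrades.j2
@@ -0,0 +1,22 @@
+// {{ ansible_managed }}
+
+Unattended-Upgrade::Origins-Pattern {
+"origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+
+Unattended-Upgrade::Mail "{{ monitoring_mail }}";
+// Unattended-Upgrade::MailOnlyOnError "false";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+Unattended-Upgrade::Automatic-Reboot "false";
+
+Unattended-Upgrade::SyslogEnable "true";
+Unattended-Upgrade::SyslogFacility "daemon";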
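Review bot: The single entry in `Unattended-Upgrade::Origins-Pattern` only matches an archive whose codename is exactly `${distro_codename}`. From Debian 11 (bullseye) on, the security archive's codename is `${distro_codename}-security`, so on those releases the pattern would match nothing and security updates would silently not be installed. Add a second entry, `"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";`, as Debian's packaged default does. The target release is not visible on this page, so confirm on a representative host with `unattended-upgrade --dry-run --debug`. Separately, with `Automatic-Reboot "false"`, kernel and libc fixes are installed but stay inactive until a reboot, so pending reboots (`/var/run/reboot-required`) should be monitored.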