Diffstat (limited to 'ansible/roles/unattended-upgrades')
-rw-r--r-- | ansible/roles/unattended-upgrades/README.md | 109 | ||||
-rw-r--r-- | ansible/roles/unattended-upgrades/tasks/main.yml | 39 |
2 files changed, 148 insertions, 0 deletions
diff --git a/ansible/roles/unattended-upgrades/README.md b/ansible/roles/unattended-upgrades/README.md
new file mode 100644
index 0000000..eee9ff7
--- /dev/null
+++ b/ansible/roles/unattended-upgrades/README.md
@@ -0,0 +1,109 @@
+# Original /etc/apt/apt.conf.d/50unattended-upgrades
+
+ // Unattended-Upgrade::Origins-Pattern controls which packages are
+ // upgraded.
+ //
+ // Lines below have the format format is "keyword=value,...". A
+ // package will be upgraded only if the values in its metadata match
+ // all the supplied keywords in a line. (In other words, omitted
+ // keywords are wild cards.) The keywords originate from the Release
+ // file, but several aliases are accepted. The accepted keywords are:
+ // a,archive,suite (eg, "stable")
+ // c,component (eg, "main", "contrib", "non-free")
+ // l,label (eg, "Debian", "Debian-Security")
+ // o,origin (eg, "Debian", "Unofficial Multimedia Packages")
+ // n,codename (eg, "jessie", "jessie-updates")
+ // site (eg, "http.debian.net")
+ // The available values on the system are printed by the command
+ // "apt-cache policy", and can be debugged by running
+ // "unattended-upgrades -d" and looking at the log file.
+ //
+ // Within lines unattended-upgrades allows 2 macros whose values are
+ // derived from /etc/debian_version:
+ // ${distro_id} Installed origin.
+ // ${distro_codename} Installed codename (eg, "jessie")
+ Unattended-Upgrade::Origins-Pattern {
+ // Codename based matching:
+ // This will follow the migration of a release through different
+ // archives (e.g. from testing to stable and later oldstable).
+ // "o=Debian,n=jessie";
+ // "o=Debian,n=jessie-updates";
+ // "o=Debian,n=jessie-proposed-updates";
+ // "o=Debian,n=jessie,l=Debian-Security";
+
+ // Archive or Suite based matching:
+ // Note that this will silently match a different release after
+ // migration to the specified archive (e.g. testing becomes the
+ // new stable).
+ // "o=Debian,a=stable";
+ // "o=Debian,a=stable-updates";
+ // "o=Debian,a=proposed-updates";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+ };
+
+ // List of packages to not update (regexp are supported)
+ Unattended-Upgrade::Package-Blacklist {
+ // "vim";
+ // "libc6";
+ // "libc6-dev";
+ // "libc6-i686";
+ };
+
+ // This option allows you to control if on a unclean dpkg exit
+ // unattended-upgrades will automatically run
+ // dpkg --force-confold --configure -a
+ // The default is true, to ensure updates keep getting installed
+ //Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+ // Split the upgrade into the smallest possible chunks so that
+ // they can be interrupted with SIGUSR1. This makes the upgrade
+ // a bit slower but it has the benefit that shutdown while a upgrade
+ // is running is possible (with a small delay)
+ //Unattended-Upgrade::MinimalSteps "true";
+
+ // Install all unattended-upgrades when the machine is shuting down
+ // instead of doing it in the background while the machine is running
+ // This will (obviously) make shutdown slower
+ //Unattended-Upgrade::InstallOnShutdown "true";
+
+ // Send email to this address for problems or packages upgrades
+ // If empty or unset then no email is sent, make sure that you
+ // have a working mail setup on your system. A package that provides
+ // 'mailx' must be installed. E.g. "user@example.com"
+ //Unattended-Upgrade::Mail "root";
+
+ // Set this value to "true" to get emails only on errors. Default
+ // is to always send a mail if Unattended-Upgrade::Mail is set
+ //Unattended-Upgrade::MailOnlyOnError "true";
+
+ // Do automatic removal of new unused dependencies after the upgrade
+ // (equivalent to apt-get autoremove)
+ //Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+ // Automatically reboot *WITHOUT CONFIRMATION* if
+ // the file /var/run/reboot-required is found after the upgrade
+ //Unattended-Upgrade::Automatic-Reboot "false";
+
+ // Automatically reboot even if there are users currently logged in.
+ //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+ // If automatic reboot is enabled and needed, reboot at the specific
+ // time instead of immediately
+ // Default: "now"
+ //Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+ // Use apt bandwidth limit feature, this example limits the download
+ // speed to 70kb/sec
+ //Acquire::http::Dl-Limit "70";
+
+ // Enable logging to syslog. Default is False
+ // Unattended-Upgrade::SyslogEnable "false";
+
+ // Specify syslog facility. Default is daemon
+ // Unattended-Upgrade::SyslogFacility "daemon";
+
+# Original /etc/apt/apt.conf.d/20auto-upgrades
+
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+
diff --git a/ansible/roles/unattended-upgrades/tasks/main.yml b/ansible/roles/unattended-upgrades/tasks/main.yml
new file mode 100644
index 0000000..0bc02a1
--- /dev/null
+++ b/ansible/roles/unattended-upgrades/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Packages for unattended upgrades
+ become: true
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - unattended-upgrades
+ - apt-listchanges
+
+- name: Configure /etc/apt/apt.conf.d/50unattended-upgrades
+ become: true
+ copy:
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ content: |
+ Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=${distro_codename},label=Debian";
+ "origin=Debian,codename=${distro_codename}-updates,label=Debian";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+ "origin=apt.postgresql.org,codename=${distro_codename}-pgdg,label=PostgreSQL for Debian/Ubuntu repository";
+ }
+ Unattended-Upgrade::MinimalSteps "False";
+ Unattended-Upgrade::Mail "{{ unattended_upgrades.mail }}";
+ Unattended-Upgrade::MailOnlyOnError "false";
+
+- name: Configure /etc/apt/apt.conf.d/20auto-upgrades
+ become: true
+ copy:
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+
+- name: Configure /etc/apt/listchanges.conf
+ become: true
+ lineinfile:
+ dest: /etc/apt/listchanges.conf
+ line: "email_address={{ unattended_upgrades.mail }}"
+ regexp: "^email_address=" |
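Review bot: The copy task that writes /etc/apt/apt.conf.d/50unattended-upgrades has no `validate:`, so a syntax slip in the `content:` block is only discovered when apt itself refuses to run on the host, which would also silence the unattended security upgrades this role exists to enable. The Origins-Pattern block here closes with a bare `}` while the stock file quoted in README.md closes it with `};`; I believe apt's parser accepts the missing semicolon, but that is exactly the kind of detail a validator settles before the file is installed. Adding `validate: "apt-config -c %s dump"` to both copy tasks makes the play fail on a malformed file instead of leaving the host's apt broken. As a style point, the apt task could take the package list directly under `name:` rather than looping with `with_items:`.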