From 605345d0323032fb013ee2feec8709169f97e182 Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Sat, 16 Mar 2019 12:05:55 -0500
Subject: [PATCH] Add role for unattended-upgrades

---
 roles/unattended-upgrades/defaults/main.yaml | 96 +++++++++++++++++++
 roles/unattended-upgrades/tasks/main.yaml | 32 +++++++
 .../templates/apticron.conf.j2 | 5 +
 .../templates/auto-upgrades.j2 | 14 +++
 .../templates/unattended-upgrades.j2 | 61 ++++++++++++
 5 files changed, 208 insertions(+)
 create mode 100644 roles/unattended-upgrades/defaults/main.yaml
 create mode 100644 roles/unattended-upgrades/tasks/main.yaml
 create mode 100644 roles/unattended-upgrades/templates/apticron.conf.j2
 create mode 100644 roles/unattended-upgrades/templates/auto-upgrades.j2
 create mode 100644 roles/unattended-upgrades/templates/unattended-upgrades.j2

diff --git a/roles/unattended-upgrades/defaults/main.yaml b/roles/unattended-upgrades/defaults/main.yaml
new file mode 100644
index 0000000..4d6e7a0
--- /dev/null
+++ b/roles/unattended-upgrades/defaults/main.yaml
@@ -0,0 +1,96 @@
+---
+unattended_upgrades_mailto: root
+
+unattended_upgrades_package_name: unattended-upgrades
+unattended_upgrades_package_state: present
+
+unattended_upgrades_apticron_package_name: apticron
+unattended_upgrades_apticron_package_state: present
+unattended_upgrades_apticron_email: "{{ unattended_upgrades_mailto }}"
+
+unattended_upgrades_update_package_lists: true
+unattended_upgrades_download_upgradable_packages: true
+unattended_upgrades_autoclean_interval: 7
+unattended_upgrades_unattended_upgrade: true
+
+# Automatically upgrade packages from these (origin:archive) pairs
+#
+# Note that in Ubuntu security updates may pull in new dependencies
+# from non-security sources (e.g. chromium). By allowing the release
+# pocket these get automatically pulled in.
+unattended_upgrades_allowed_origins:
+  - "${distro_id}:${distro_codename}"
+  - "${distro_id}:${distro_codename}-security"
+  - "${distro_id}ESM:${distro_codename}"
+  # - "${distro_id}:${distro_codename}-updates"
+  # - "${distro_id}:${distro_codename}-proposed"
+  # - "${distro_id}:${distro_codename}-backports"
+
+# List of packages to not update (regexp are supported)
+# unattended_upgrades_package_blacklist: []
+
+# This option will controls whether the development release of Ubuntu will be
+# upgraded automatically.
+unattended_upgrades_dev_release: false
+
+# This option allows you to control if on a unclean dpkg exit
+# unattended-upgrades will automatically run
+# dpkg --force-confold --configure -a
+# The default is true, to ensure updates keep getting installed
+# unattended_upgrades_auto_fix_interrupted_dpkg: false
+
+# Split the upgrade into the smallest possible chunks so that
+# they can be interrupted with SIGTERM. This makes the upgrade
+# a bit slower but it has the benefit that shutdown while a upgrade
+# is running is possible (with a small delay)
+# unattended_upgrades_minimal_steps: false
+
+# Install all unattended-upgrades when the machine is shutting down
+# instead of doing it in the background while the machine is running
+# This will (obviously) make shutdown slower
+# unattended_upgrades_install_on_shutdown: true
+
+# Send email to this address for problems or packages upgrades
+# If empty or unset then no email is sent, make sure that you
+# have a working mail setup on your system. A package that provides
+# 'mailx' must be installed. E.g. "user@example.com"
+unattended_upgrades_mail: "{{ unattended_upgrades_mailto }}"
+
+# Set this value to "true" to get emails only on errors. Default
+# is to always send a mail if Unattended-Upgrade::Mail is set
+# unattended_upgrades_mail_only_on_error: true
+
+# Remove unused automatically installed kernel-related packages
+# (kernel images, kernel headers and kernel version locked tools).
+# unattended_upgrades_remove_unused_kernel_packages: false
+
+# Do automatic removal of new unused dependencies after the upgrade
+# (equivalent to apt-get autoremove)
+# unattended_upgrades_removed_unused_dependencies: false
+
+# Automatically reboot *WITHOUT CONFIRMATION*
+# if the file /var/run/reboot-required is found after the upgrade
+# unattended_upgrades_automatic_reboot: false
+
+# If automatic reboot is enabled and needed, reboot at the specific
+# time instead of immediately
+# Default: "now"
+# unattended_upgrades_automatic_reboot_time: '02:00'
+
+# Use apt bandwidth limit feature, this example limits the download
+# speed to 70kb/sec
+# unattended_upgrades_download_limit: 70
+
+# Enable logging to syslog. Default is False
+# unattended_upgrades_syslog_enable: false
+
+# Specify syslog facility. Default is daemon
+# unattended_upgrades_syslog_facility: daemon
+
+# Download and install upgrades only on AC power
+# (i.e. skip or gracefully stop updates on battery)
+# unattended_upgrades_only_on_ac_power: true
+
+# Download and install upgrades only on non-metered connection
+# (i.e. skip or gracefully stop updates on a metered connection)
+# unattended_upgrades_skip_updates_on_metered_connections: true
diff --git a/roles/unattended-upgrades/tasks/main.yaml b/roles/unattended-upgrades/tasks/main.yaml
new file mode 100644
index 0000000..cca004b
--- /dev/null
+++ b/roles/unattended-upgrades/tasks/main.yaml
@@ -0,0 +1,32 @@
+---
+- name: install unattended-upgrades
+  package:
+    name: "{{ unattended_upgrades_package_name }}"
+    state: "{{ unattended_upgrades_package_state }}"
+
+- name: install apticron
+  package:
+    name: "{{ unattended_upgrades_apticron_package_name }}"
+    state: "{{ unattended_upgrades_apticron_package_state }}"
+
+- name: configure unattended-upgrades
+  template:
+    src: unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+
+- name: configure auto-upgrades
+  template:
+    src: auto-upgrades.j2
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+
+- name: configure apticron
+  template:
+    src: apticron.conf.j2
+    dest: /etc/apticron/apticron.conf
+  when: unattended_upgrades_apticron_package_state == 'present'
+
+- name: manage apticron.conf
+  file:
+    path: /etc/apticron/apticron.conf
+    state: absent
+  when: unattended_upgrades_apticron_package_state == 'absent'
diff --git a/roles/unattended-upgrades/templates/apticron.conf.j2 b/roles/unattended-upgrades/templates/apticron.conf.j2
new file mode 100644
index 0000000..75c1e45
--- /dev/null
+++ b/roles/unattended-upgrades/templates/apticron.conf.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% if unattended_upgrades_apticron_email is defined %}
+EMAIL="{{ unattended_upgrades_apticron_email }}"
+{% endif %}
diff --git a/roles/unattended-upgrades/templates/auto-upgrades.j2 b/roles/unattended-upgrades/templates/auto-upgrades.j2
new file mode 100644
index 0000000..2bbe6f0
--- /dev/null
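Review bot: The second allowed origin, `"${distro_id}:${distro_codename}-security"`, only matches archives whose security suite is literally `<codename>-security`, which is the Ubuntu layout; on Debian releases whose security suite is `<codename>/updates` the pattern matches nothing and security updates are silently skipped while the role still reports success. The distro-neutral `package` module in the tasks file suggests the role may also run on Debian hosts, so either document the Ubuntu assumption above the list or add the Debian form as a commented option, e.g. `# - "origin=Debian,codename=${distro_codename},label=Debian-Security"`. A short note in the header comment that the commented-out settings are deliberately left undefined so the template omits them and the package-shipped defaults apply would also help, since a reader may otherwise take the `false` values shown as being in effect.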
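Review bot: The `when: unattended_upgrades_apticron_package_state == 'present'` guard on the configure-apticron task skips rendering the config whenever the state is anything other than the literal `present`, so a host set to `latest` gets apticron installed but never configured. Testing for the removal case instead covers every install state: `when: unattended_upgrades_apticron_package_state != 'absent'`. The three template tasks also set no `owner`, `group` or `mode`, so the rendered apt and apticron configuration inherits whatever permissions the existing file or the umask gives it; adding `mode: "0644"` with `owner: root` and `group: root` pins them explicitly and keeps repeated runs idempotent on that point.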
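Review bot: `EMAIL="{{ unattended_upgrades_apticron_email }}"` drops the variable unescaped into a file of shell-style assignments that the apticron script sources, so a value containing a double quote, `$` or backtick either breaks the file or is evaluated by the shell instead of being stored literally. Rendering it through Ansible's shell-quoting filter avoids that and should replace the hand-written quotes: `EMAIL={{ unattended_upgrades_apticron_email | quote }}`. The `is defined` guard is also always satisfied because the defaults file sets the variable; a `| length > 0` test would more usefully catch an empty override, which currently renders `EMAIL=""`.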
+++ b/roles/unattended-upgrades/templates/auto-upgrades.j2
@@ -0,0 +1,14 @@
+// {{ ansible_managed }}
+
+{% if unattended_upgrades_update_package_lists %}
+APT::Periodic::Update-Package-Lists "1";
+{% endif %}
+{% if unattended_upgrades_download_upgradable_packages %}
+APT::Periodic::Download-Upgradeable-Packages "1";
+{% endif %}
+{% if unattended_upgrades_autoclean_interval %}
+APT::Periodic::AutocleanInterval "{{ unattended_upgrades_autoclean_interval }}";
+{% endif %}
+{% if unattended_upgrades_unattended_upgrade %}
+APT::Periodic::Unattended-Upgrade "1";
+{% endif %}
diff --git a/roles/unattended-upgrades/templates/unattended-upgrades.j2 b/roles/unattended-upgrades/templates/unattended-upgrades.j2
new file mode 100644
index 0000000..230324c
--- /dev/null
+++ b/roles/unattended-upgrades/templates/unattended-upgrades.j2
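Review bot: Every `{% if %}` block in this template emits its setting only when the variable is truthy, so `unattended_upgrades_update_package_lists: false` (or `unattended_upgrades_autoclean_interval: 0`) removes the line instead of writing `"0"`, and whatever an earlier `apt.conf.d` fragment or the package default sets stays in effect — the role cannot actually switch these periodic jobs off, and a reader of the rendered file cannot tell whether a missing key was a deliberate choice. Writing the value in both branches makes the rendered file authoritative and the intent auditable; the four settings then become plain lines with no conditionals.
```jinja
// … unchanged: ansible_managed header …
APT::Periodic::Update-Package-Lists "{{ '1' if unattended_upgrades_update_package_lists else '0' }}";
APT::Periodic::Download-Upgradeable-Packages "{{ '1' if unattended_upgrades_download_upgradable_packages else '0' }}";
APT::Periodic::AutocleanInterval "{{ unattended_upgrades_autoclean_interval }}";
APT::Periodic::Unattended-Upgrade "{{ '1' if unattended_upgrades_unattended_upgrade else '0' }}";
```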
@@ -0,0 +1,61 @@
+// {{ ansible_managed }}
+
+{% if unattended_upgrades_allowed_origins is defined %}
+Unattended-Upgrade::Allowed-Origins {
+{% for origin in unattended_upgrades_allowed_origins %}
+ "{{ origin }}";
+{% endfor -%}
+};
+{% endif %}
+{% if unattended_upgrades_package_blacklist is defined %}
+Unattended-Upgrade::Package-Blacklist {
+{% for package in unattended_upgrades_package_blacklist %}
+ "{{ package }}";
+{% endfor -%}
+};
+{% endif %}
+{% if unattended_upgrades_dev_release is defined %}
+Unattended-Upgrade::DevRelease "{{ unattended_upgrades_dev_release | lower }}";
+{% endif %}
+{% if unattended_upgrades_auto_fix_interrupted_dpkg is defined %}
+Unattended-Upgrade::AutoFixInterruptedDpkg "{{ unattended_upgrades_auto_fix_interrupted_dpkg }}";
+{% endif %}
+{% if unattended_upgrades_minimal_steps is defined %}
+Unattended-Upgrade::MinimalSteps "{{ unattended_upgrades_minimal_steps | lower }}";
+{% endif %}
+{% if unattended_upgrades_install_on_shutdown is defined %}
+Unattended-Upgrade::InstallOnShutdown "{{ unattended_upgrades_install_on_shutdown | lower }}";
+{% endif %}
+{% if unattended_upgrades_mail is defined %}
+Unattended-Upgrade::Mail "{{ unattended_upgrades_mail }}";
+{% endif %}
+{% if unattended_upgrades_mail_only_on_error is defined %}
+Unattended-Upgrade::MailOnlyOnError "{{ unattended_upgrades_mail_only_on_error | lower }}";
+{% endif %}
+{% if unattended_upgrades_remove_unused_kernel_packages is defined %}
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "{{ unattended_upgrades_remove_unused_kernel_packages | lower }}";
+{% endif %}
+{% if unattended_upgrades_removed_unused_dependencies is defined %}
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ unattended_upgrades_removed_unused_dependencies | lower }}";
+{% endif %}
+{% if unattended_upgrades_automatic_reboot is defined %}
+Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_automatic_reboot | lower }}";
+{% endif %}
+{% if unattended_upgrades_automatic_reboot_time is defined %}
+Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_automatic_reboot_time }}";
+{% endif %}
+{% if unattended_upgrades_download_limit is defined %}
+Acquire::http::Dl-Limit "{{ unattended_upgrades_download_limit }}";
+{% endif %}
+{% if unattended_upgrades_syslog_enable is defined %}
+Unattended-Upgrade::SyslogEnable "{{ unattended_upgrades_syslog_enable | lower }}";
+{% endif %}
+{% if unattended_upgrades_syslog_facility is defined %}
+Unattended-Upgrade::SyslogFacility "{{ unattended_upgrades_syslog_facility }}";
+{% endif %}
+{% if unattended_upgrades_only_on_ac_power is defined %}
+Unattended-Upgrade::OnlyOnACPower "{{ unattended_upgrades_only_on_ac_power | lower }}";
+{% endif %}
+{% if unattended_upgrades_skip_updates_on_metered_connections is defined %}
+Unattended-Upgrade::Skip-Updates-On-Metered-Connections "{{ unattended_upgrades_skip_updates_on_metered_connections | lower }}";
+{% endif %}
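Review bot: `Unattended-Upgrade::AutoFixInterruptedDpkg "{{ unattended_upgrades_auto_fix_interrupted_dpkg }}";` is the one boolean option in this template rendered without `| lower`, so a YAML `false` is written as `False` while every neighbouring option is written as `false`; apt's boolean parsing appears to be case-insensitive so it probably still works, but the line should read `Unattended-Upgrade::AutoFixInterruptedDpkg "{{ unattended_upgrades_auto_fix_interrupted_dpkg | lower }}";` so the rendered file is uniform and does not depend on that. The variable behind `Remove-Unused-Dependencies` is named `unattended_upgrades_removed_unused_dependencies` (past tense) while its sibling is `unattended_upgrades_remove_unused_kernel_packages`; it matches the defaults file so it works, but the inconsistency is easy to mistype in an override, which would silently fall back to the package default because of the `is defined` guard, so it is worth aligning before the role is relied on elsewhere.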