Add role for unattended-upgrades

2019-03-16 12:05:55 -05:00
parent 3900e5c4d0
commit 605345d032
5 changed files with 208 additions and 0 deletions
--- a/roles/unattended-upgrades/defaults/main.yaml
+++ b/roles/unattended-upgrades/defaults/main.yaml
@@ -0,0 +1,96 @@
+---
+unattended_upgrades_mailto: root
+
+unattended_upgrades_package_name: unattended-upgrades
+unattended_upgrades_package_state: present
+
+unattended_upgrades_apticron_package_name: apticron
+unattended_upgrades_apticron_package_state: present
+unattended_upgrades_apticron_email: "{{ unattended_upgrades_mailto }}"
+
+unattended_upgrades_update_package_lists: true
+unattended_upgrades_download_upgradable_packages: true
+unattended_upgrades_autoclean_interval: 7
+unattended_upgrades_unattended_upgrade: true
+
+# Automatically upgrade packages from these (origin:archive) pairs
+#
+# Note that in Ubuntu security updates may pull in new dependencies
+# from non-security sources (e.g. chromium). By allowing the release
+# pocket these get automatically pulled in.
+unattended_upgrades_allowed_origins:
+  - "${distro_id}:${distro_codename}"
+  - "${distro_id}:${distro_codename}-security"
+  - "${distro_id}ESM:${distro_codename}"
+  # - "${distro_id}:${distro_codename}-updates"
+  # - "${distro_id}:${distro_codename}-proposed"
+  # - "${distro_id}:${distro_codename}-backports"
+
+# List of packages to not update (regexp are supported)
+# unattended_upgrades_package_blacklist: []
+
+# This option will controls whether the development release of Ubuntu will be
+# upgraded automatically.
+unattended_upgrades_dev_release: false
+
+# This option allows you to control if on a unclean dpkg exit
+# unattended-upgrades will automatically run
+#   dpkg --force-confold --configure -a
+# The default is true, to ensure updates keep getting installed
+# unattended_upgrades_auto_fix_interrupted_dpkg: false
+
+# Split the upgrade into the smallest possible chunks so that
+# they can be interrupted with SIGTERM. This makes the upgrade
+# a bit slower but it has the benefit that shutdown while a upgrade
+# is running is possible (with a small delay)
+# unattended_upgrades_minimal_steps: false
+
+# Install all unattended-upgrades when the machine is shutting down
+# instead of doing it in the background while the machine is running
+# This will (obviously) make shutdown slower
+# unattended_upgrades_install_on_shutdown: true
+
+# Send email to this address for problems or packages upgrades
+# If empty or unset then no email is sent, make sure that you
+# have a working mail setup on your system. A package that provides
+# 'mailx' must be installed. E.g. "user@example.com"
+unattended_upgrades_mail: "{{ unattended_upgrades_mailto }}"
+
+# Set this value to "true" to get emails only on errors. Default
+# is to always send a mail if Unattended-Upgrade::Mail is set
+# unattended_upgrades_mail_only_on_error: true
+
+# Remove unused automatically installed kernel-related packages
+# (kernel images, kernel headers and kernel version locked tools).
+# unattended_upgrades_remove_unused_kernel_packages: false
+
+# Do automatic removal of new unused dependencies after the upgrade
+# (equivalent to apt-get autoremove)
+# unattended_upgrades_removed_unused_dependencies: false
+
+# Automatically reboot *WITHOUT CONFIRMATION*
+#  if the file /var/run/reboot-required is found after the upgrade
+# unattended_upgrades_automatic_reboot: false
+
+# If automatic reboot is enabled and needed, reboot at the specific
+# time instead of immediately
+#  Default: "now"
+# unattended_upgrades_automatic_reboot_time: '02:00'
+
+# Use apt bandwidth limit feature, this example limits the download
+# speed to 70kb/sec
+# unattended_upgrades_download_limit: 70
+
+#  Enable logging to syslog. Default is False
+# unattended_upgrades_syslog_enable: false
+
+# Specify syslog facility. Default is daemon
+# unattended_upgrades_syslog_facility: daemon
+
+# Download and install upgrades only on AC power
+# (i.e. skip or gracefully stop updates on battery)
+# unattended_upgrades_only_on_ac_power: true
+
+# Download and install upgrades only on non-metered connection
+# (i.e. skip or gracefully stop updates on a metered connection)
+# unattended_upgrades_skip_updates_on_metered_connections: true
--- a/roles/unattended-upgrades/tasks/main.yaml
+++ b/roles/unattended-upgrades/tasks/main.yaml
@@ -0,0 +1,32 @@
+---
+- name: install unattended-upgrades
+  package:
+    name: "{{ unattended_upgrades_package_name }}"
+    state: "{{ unattended_upgrades_package_state }}"
+
+- name: install apticron
+  package:
+    name: "{{ unattended_upgrades_apticron_package_name }}"
+    state: "{{ unattended_upgrades_apticron_package_state }}"
+
+- name: configure unattended-upgrades
+  template:
+    src: unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+
+- name: configure auto-upgrades
+  template:
+    src: auto-upgrades.j2
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+
+- name: configure apticron
+  template:
+    src: apticron.conf.j2
+    dest: /etc/apticron/apticron.conf
+  when: unattended_upgrades_apticron_package_state == 'present'
+
+- name: manage apticron.conf
+  file:
+    path: /etc/apticron/apticron.conf
+    state: absent
+  when: unattended_upgrades_apticron_package_state == 'absent'
--- a/roles/unattended-upgrades/templates/apticron.conf.j2
+++ b/roles/unattended-upgrades/templates/apticron.conf.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% if unattended_upgrades_apticron_email is defined %}
+EMAIL="{{ unattended_upgrades_apticron_email }}"
+{% endif %}
--- a/roles/unattended-upgrades/templates/auto-upgrades.j2
+++ b/roles/unattended-upgrades/templates/auto-upgrades.j2
@@ -0,0 +1,14 @@
+// {{ ansible_managed }}
+
+{% if unattended_upgrades_update_package_lists %}
+APT::Periodic::Update-Package-Lists "1";
+{% endif %}
+{% if unattended_upgrades_download_upgradable_packages %}
+APT::Periodic::Download-Upgradeable-Packages "1";
+{% endif %}
+{% if unattended_upgrades_autoclean_interval %}
+APT::Periodic::AutocleanInterval "{{ unattended_upgrades_autoclean_interval }}";
+{% endif %}
+{% if unattended_upgrades_unattended_upgrade %}
+APT::Periodic::Unattended-Upgrade "1";
+{% endif %}
--- a/roles/unattended-upgrades/templates/unattended-upgrades.j2
+++ b/roles/unattended-upgrades/templates/unattended-upgrades.j2
@@ -0,0 +1,61 @@
+// {{ ansible_managed }}
+
+{% if unattended_upgrades_allowed_origins is defined %}
+Unattended-Upgrade::Allowed-Origins {
+{% for origin in unattended_upgrades_allowed_origins %}
+  "{{ origin }}";
+{% endfor -%} 
+};
+{% endif %}
+{% if unattended_upgrades_package_blacklist is defined %}
+Unattended-Upgrade::Package-Blacklist {
+{% for package in unattended_upgrades_package_blacklist %}
+  "{{ package }}";
+{% endfor -%} 
+};
+{% endif %}
+{% if unattended_upgrades_dev_release is defined %}
+Unattended-Upgrade::DevRelease "{{ unattended_upgrades_dev_release | lower }}";
+{% endif %}
+{% if unattended_upgrades_auto_fix_interrupted_dpkg is defined %}
+Unattended-Upgrade::AutoFixInterruptedDpkg "{{ unattended_upgrades_auto_fix_interrupted_dpkg }}";
+{% endif %}
+{% if unattended_upgrades_minimal_steps is defined %}
+Unattended-Upgrade::MinimalSteps "{{ unattended_upgrades_minimal_steps | lower }}";
+{% endif %}
+{% if unattended_upgrades_install_on_shutdown is defined %}
+Unattended-Upgrade::InstallOnShutdown "{{ unattended_upgrades_install_on_shutdown | lower }}";
+{% endif %}
+{% if unattended_upgrades_mail is defined %}
+Unattended-Upgrade::Mail "{{ unattended_upgrades_mail }}";
+{% endif %}
+{% if unattended_upgrades_mail_only_on_error is defined %}
+Unattended-Upgrade::MailOnlyOnError "{{ unattended_upgrades_mail_only_on_error | lower }}";
+{% endif %}
+{% if unattended_upgrades_remove_unused_kernel_packages is defined %}
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "{{ unattended_upgrades_remove_unused_kernel_packages | lower }}";
+{% endif %}
+{% if unattended_upgrades_removed_unused_dependencies is defined %}
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ unattended_upgrades_removed_unused_dependencies | lower }}";
+{% endif %}
+{% if unattended_upgrades_automatic_reboot is defined %}
+Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_automatic_reboot | lower }}";
+{% endif %}
+{% if unattended_upgrades_automatic_reboot_time is defined %}
+Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_automatic_reboot_time }}";
+{% endif %}
+{% if unattended_upgrades_download_limit is defined %}
+Acquire::http::Dl-Limit "{{ unattended_upgrades_download_limit }}";
+{% endif %}
+{% if unattended_upgrades_syslog_enable is defined %}
+Unattended-Upgrade::SyslogEnable "{{ unattended_upgrades_syslog_enable | lower }}";
+{% endif %}
+{% if unattended_upgrades_syslog_facility is defined %}
+Unattended-Upgrade::SyslogFacility "{{ unattended_upgrades_syslog_facility }}";
+{% endif %}
+{% if unattended_upgrades_only_on_ac_power is defined %}
+Unattended-Upgrade::OnlyOnACPower "{{ unattended_upgrades_only_on_ac_power | lower }}";
+{% endif %}
+{% if unattended_upgrades_skip_updates_on_metered_connections is defined %}
+Unattended-Upgrade::Skip-Updates-On-Metered-Connections "{{ unattended_upgrades_skip_updates_on_metered_connections | lower }}";
+{% endif %}