diff --git a/README.md b/README.md index d8356f3..e654bda 100644 --- a/README.md +++ b/README.md @@ -1,36 +1,13 @@ -ubuntu-unattended -========= +# luzifer-ansible / ubuntu-unattended-upgrades -Enable unattended upgrades on Ubuntu machines +This role installs required packages for unattended upgrades and configures them. -Role Variables --------------- +## Requirements -```yaml ---- -mail_target: "mail@example.com" # The email address to send reports to -reboot_time: "04:00" # When to reboot the server after updates -do_reboot: "true" # Execute an automated reboot? -do_autoremove: "false" # Execute 'apt-get autoremove'? -``` +- Ubuntu >= 16.04 (xenial) -You should ensure `do_reboot` and `do_autoremove` are strings as they are written into the apt configuration and that file expects `true` instead of `True`, which will get written if you pass a bool here. +## Usage -Example Playbook ----------------- +See the [Ansible Galaxy Intro](https://galaxy.ansible.com/intro) for usage of roles within Ansible Galaxy. -```yaml ---- -- hosts: servers - roles: - - role: ubuntu-unattended - mail_target: mymail@provider.com - reboot_time: 04:00 - do_reboot: "true" - do_autoremove: "false" -``` - -License -------- - -Apache 2.0 +For configuration variables and how to use them see [defaults/main.yml](defaults/main.yml). diff --git a/defaults/main.yml b/defaults/main.yml index 4b6262e..e0f08b8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,5 +1,17 @@
 ---
-mail_target: "mail@example.com"
-reboot_time: "04:00"
-do_reboot: "true"
-do_autoremove: "false"
+
+unattended_allowed_origins:
+- "${distro_id}:${distro_codename}";
+- "${distro_id}:${distro_codename}-security";
+- "${distro_id}:${distro_codename}-updates";
+
+unattended_package_blacklist: []
+
+unattended_auto_fix_interrupted_dpkg: true
+unattended_automatic_reboot: false
+unattended_install_on_shutdown: false
+unattended_mail: "mail@example.com"
+unattended_mail_only_on_error: false
+unattended_minimal_steps: false
+unattended_reboot_time: "now"
+unattended_remove_unused_dependencies: false
diff --git a/files/20auto-upgrades b/files/20auto-upgrades
deleted file mode 100644
index 8d6d7c8..0000000
--- a/files/20auto-upgrades
+++ /dev/null
@@ -1,2 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Unattended-Upgrade "1";
diff --git a/tasks/main.yml b/tasks/main.yml
index d66d403..129fc4a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
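Review bot: The three `unattended_allowed_origins` entries are invalid YAML as written — a double-quoted scalar followed by a bare `;` on the same line (`- "${distro_id}:${distro_codename}";`) is rejected by the parser, so the role cannot load its defaults. The apt-style quoting and semicolon are needed because templates/50unattended-upgrades emits each entry verbatim; either keep them inside the YAML string, e.g. `- '"${distro_id}:${distro_codename}";'`, or drop them here and have the template write `"{{ line }}";` itself (the same applies to any `unattended_package_blacklist` entry). Note also that `unattended_mail` defaults to a placeholder address rather than an empty string, so a host that does not override it attempts to mail upgrade reports off-box; `unattended_mail: ""` is the safer default since the template's own comment documents that an empty value disables mail.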
@@ -1,41 +1,24 @@ --- - name: Install required packages for autoupdate - apt: name={{ item }} update_cache=yes + apt: + name: '{{ item }}' + update_cache: yes with_items: - unattended-upgrades - update-notifier-common - sendmail -- name: Add configuration file - copy: dest=/etc/apt/apt.conf.d/20auto-upgrades src=20auto-upgrades +- name: Enable automatic update / upgrade + copy: + content: | + APT::Periodic::Update-Package-Lists "1"; + APT::Periodic::Unattended-Upgrade "1"; + dest: /etc/apt/apt.conf.d/20auto-upgrades -- name: Configure mail target for Unattended Upgrade - lineinfile: line="Unattended-Upgrade::Mail \"{{mail_target}}\";" - args: +- name: Configure unattended upgrades + template: + src: templates/50unattended-upgrades dest: /etc/apt/apt.conf.d/50unattended-upgrades - regexp: '^(//)?Unattended-Upgrade::Mail ' -- name: Set auto-reboot-time for Unattended Upgrade - lineinfile: line="Unattended-Upgrade::Automatic-Reboot-Time \"{{reboot_time}}\";" - args: - dest: /etc/apt/apt.conf.d/50unattended-upgrades - regexp: '^(//)?Unattended-Upgrade::Automatic-Reboot-Time ' - -- name: Set auto-reboot for Unattended Upgrade - lineinfile: line="Unattended-Upgrade::Automatic-Reboot \"{{do_reboot}}\";" - args: - dest: /etc/apt/apt.conf.d/50unattended-upgrades - regexp: '^(//)?Unattended-Upgrade::Automatic-Reboot ' - -- name: Set autoremove for Unattended Upgrade - lineinfile: line="Unattended-Upgrade::Remove-Unused-Dependencies \"{{do_autoremove}}\";" - args: - dest: /etc/apt/apt.conf.d/50unattended-upgrades - regexp: '^(//)?Unattended-Upgrade::Remove-Unused-Dependencies ' - -- name: Enable normal updates - lineinfile: line=' "${distro_id}:${distro_codename}-updates";' - args: - dest: /etc/apt/apt.conf.d/50unattended-upgrades - regexp: '\$\{distro_id\}:\$\{distro_codename\}-updates' +... diff --git a/templates/50unattended-upgrades b/templates/50unattended-upgrades new file mode 100644 index 0000000..9bf287d --- /dev/null +++ b/templates/50unattended-upgrades 
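Review bot: The `copy` and `template` tasks write into /etc/apt/apt.conf.d without an explicit `mode`, and the `template` task has no `validate`, so a malformed render (for example a blacklist entry missing its trailing `;`) is installed as-is and can leave apt refusing to parse its configuration until someone fixes the file by hand. Add `mode: '0644'` to both tasks and something like `validate: 'apt-config -c %s dump'` to the template task (confirm apt-config accepts a single fragment this way before relying on it). Smaller points: `update_cache: yes` should be `update_cache: true` to avoid the YAML 1.1 truthy ambiguity, and `src: templates/50unattended-upgrades` can be `src: 50unattended-upgrades` since the template module already searches the role's templates directory.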
@@ -0,0 +1,53 @@ +// Automatically upgrade packages from these (origin:archive) pairs +Unattended-Upgrade::Allowed-Origins { +{% for line in unattended_allowed_origins %} + {{ line }} +{% endfor %} +}; + +// List of packages to not update (regexp are supported) +Unattended-Upgrade::Package-Blacklist { +{% for line in unattended_package_blacklist %} + {{ line }} +{% endfor %} +}; + +// This option allows you to control if on a unclean dpkg exit +// unattended-upgrades will automatically run +// dpkg --force-confold --configure -a +// The default is true, to ensure updates keep getting installed +Unattended-Upgrade::AutoFixInterruptedDpkg "{{ unattended_auto_fix_interrupted_dpkg | to_json }}"; + +// Split the upgrade into the smallest possible chunks so that +// they can be interrupted with SIGUSR1. This makes the upgrade +// a bit slower but it has the benefit that shutdown while a upgrade +// is running is possible (with a small delay) +Unattended-Upgrade::MinimalSteps "{{ unattended_minimal_steps | to_json }}"; + +// Install all unattended-upgrades when the machine is shuting down +// instead of doing it in the background while the machine is running +// This will (obviously) make shutdown slower +Unattended-Upgrade::InstallOnShutdown "{{ unattended_install_on_shutdown | to_json }}"; + +// Send email to this address for problems or packages upgrades +// If empty or unset then no email is sent, make sure that you +// have a working mail setup on your system. A package that provides +// 'mailx' must be installed. E.g. "user@example.com" +Unattended-Upgrade::Mail "{{ unattended_mail }}"; + +// Set this value to "true" to get emails only on errors. 
Default +// is to always send a mail if Unattended-Upgrade::Mail is set +Unattended-Upgrade::MailOnlyOnError "{{ unattended_mail_only_on_error | to_json }}"; + +// Do automatic removal of new unused dependencies after the upgrade +// (equivalent to apt-get autoremove) +Unattended-Upgrade::Remove-Unused-Dependencies "{{ unattended_remove_unused_dependencies | to_json }}"; + +// Automatically reboot *WITHOUT CONFIRMATION* +// if the file /var/run/reboot-required is found after the upgrade +Unattended-Upgrade::Automatic-Reboot "{{ unattended_automatic_reboot | to_json }}"; + +// If automatic reboot is enabled and needed, reboot at the specific +// time instead of immediately +// Default: "now" +Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_reboot_time }}";
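Review bot: The template replaces the package-shipped /etc/apt/apt.conf.d/50unattended-upgrades wholesale but carries no marker that it is role-managed, so an admin who edits it by hand will have the change silently reverted on the next run; add `// {{ ansible_managed }}` as the first line. Since the distribution file is now replaced rather than edited line by line as before, a short header comment stating that any option absent from this template presumably falls back to unattended-upgrades' built-in default would help a reader comparing it with the stock file. Line 38 of the new file has its comment split across a physical line break in this view ("errors." / "Default"); worth confirming the committed file has it on one line.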