Rewrite role to add more configuration options

Signed-off-by: Knut Ahlers <knut@ahlers.me>
2024-11-08 13:40:02 +00:00 · 2017-12-24 23:56:31 +01:00 · 2017-12-24 23:56:31 +01:00 · 09bae05552
commit 09bae05552
parent a0972b50f0
5 changed files with 89 additions and 66 deletions
--- a/README.md
+++ b/README.md
@ -1,36 +1,13 @@
-ubuntu-unattended
+# luzifer-ansible / ubuntu-unattended-upgrades
 =========
-Enable unattended upgrades on Ubuntu machines
+This role installs required packages for unattended upgrades and configures them.
-Role Variables
+## Requirements
 --------------
-```yaml
+- Ubuntu >= 16.04 (xenial)
 ---
 mail_target:    "mail@example.com"  # The email address to send reports to
 reboot_time:    "04:00"             # When to reboot the server after updates
 do_reboot:      "true"              # Execute an automated reboot?
 do_autoremove:  "false"             # Execute 'apt-get autoremove'?
 ```
-You should ensure `do_reboot` and `do_autoremove` are strings as they are written into the apt configuration and that file expects `true` instead of `True`, which will get written if you pass a bool here.
+## Usage
-Example Playbook
+See the [Ansible Galaxy Intro](https://galaxy.ansible.com/intro) for usage of roles within Ansible Galaxy.
 ----------------
-```yaml
+For configuration variables and how to use them see [defaults/main.yml](defaults/main.yml).
 ---
 - hosts: servers
  roles:
    - role: ubuntu-unattended
      mail_target: mymail@provider.com
      reboot_time: 04:00
      do_reboot: "true"
      do_autoremove: "false"
 ```
 License
 -------
 Apache 2.0
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,5 +1,17 @@
 ---
-mail_target: "mail@example.com"
+
-reboot_time: "04:00"
+unattended_allowed_origins:
-do_reboot: "true"
+- "${distro_id}:${distro_codename}";
-do_autoremove: "false"
+- "${distro_id}:${distro_codename}-security";
 - "${distro_id}:${distro_codename}-updates";
 unattended_package_blacklist: []
 unattended_auto_fix_interrupted_dpkg: true
 unattended_automatic_reboot: false
 unattended_install_on_shutdown: false
 unattended_mail: "mail@example.com"
 unattended_mail_only_on_error: false
 unattended_minimal_steps: false
 unattended_reboot_time: "now"
 unattended_remove_unused_dependencies: false
--- a/files/20auto-upgrades
+++ b/files/20auto-upgrades
@ -1,2 +0,0 @@
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,41 +1,24 @@
 ---
 - name: Install required packages for autoupdate
-  apt: name={{ item }} update_cache=yes
+  apt:
    name: '{{ item }}'
    update_cache: yes
  with_items:
    - unattended-upgrades
    - update-notifier-common
    - sendmail
- name: Add configuration file
+- name: Enable automatic update / upgrade
-  copy: dest=/etc/apt/apt.conf.d/20auto-upgrades src=20auto-upgrades
+  copy:
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    dest: /etc/apt/apt.conf.d/20auto-upgrades
- name: Configure mail target for Unattended Upgrade
+- name: Configure unattended upgrades
-  lineinfile: line="Unattended-Upgrade::Mail \"{{mail_target}}\";"
+  template:
-  args:
+    src: templates/50unattended-upgrades
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^(//)?Unattended-Upgrade::Mail '
- name: Set auto-reboot-time for Unattended Upgrade
+...
  lineinfile: line="Unattended-Upgrade::Automatic-Reboot-Time \"{{reboot_time}}\";"
  args:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^(//)?Unattended-Upgrade::Automatic-Reboot-Time '
 - name: Set auto-reboot for Unattended Upgrade
  lineinfile: line="Unattended-Upgrade::Automatic-Reboot \"{{do_reboot}}\";"
  args:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^(//)?Unattended-Upgrade::Automatic-Reboot '
 - name: Set autoremove for Unattended Upgrade
  lineinfile: line="Unattended-Upgrade::Remove-Unused-Dependencies \"{{do_autoremove}}\";"
  args:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^(//)?Unattended-Upgrade::Remove-Unused-Dependencies '
 - name: Enable normal updates
  lineinfile: line='    "${distro_id}:${distro_codename}-updates";'
  args:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '\$\{distro_id\}:\$\{distro_codename\}-updates'
--- a/templates/50unattended-upgrades
+++ b/templates/50unattended-upgrades
@ -0,0 +1,53 @@
 // Automatically upgrade packages from these (origin:archive) pairs
 Unattended-Upgrade::Allowed-Origins {
 {% for line in unattended_allowed_origins %}
  {{ line }}
 {% endfor %}
 };
 // List of packages to not update (regexp are supported)
 Unattended-Upgrade::Package-Blacklist {
 {% for line in unattended_package_blacklist %}
  {{ line }}
 {% endfor %}
 };
 // This option allows you to control if on a unclean dpkg exit
 // unattended-upgrades will automatically run
 //   dpkg --force-confold --configure -a
 // The default is true, to ensure updates keep getting installed
 Unattended-Upgrade::AutoFixInterruptedDpkg "{{ unattended_auto_fix_interrupted_dpkg | to_json }}";
 // Split the upgrade into the smallest possible chunks so that
 // they can be interrupted with SIGUSR1. This makes the upgrade
 // a bit slower but it has the benefit that shutdown while a upgrade
 // is running is possible (with a small delay)
 Unattended-Upgrade::MinimalSteps "{{ unattended_minimal_steps | to_json }}";
 // Install all unattended-upgrades when the machine is shuting down
 // instead of doing it in the background while the machine is running
 // This will (obviously) make shutdown slower
 Unattended-Upgrade::InstallOnShutdown "{{ unattended_install_on_shutdown | to_json }}";
 // Send email to this address for problems or packages upgrades
 // If empty or unset then no email is sent, make sure that you
 // have a working mail setup on your system. A package that provides
 // 'mailx' must be installed. E.g. "user@example.com"
 Unattended-Upgrade::Mail "{{ unattended_mail }}";
 // Set this value to "true" to get emails only on errors. Default
 // is to always send a mail if Unattended-Upgrade::Mail is set
 Unattended-Upgrade::MailOnlyOnError "{{ unattended_mail_only_on_error | to_json }}";
 // Do automatic removal of new unused dependencies after the upgrade
 // (equivalent to apt-get autoremove)
 Unattended-Upgrade::Remove-Unused-Dependencies "{{ unattended_remove_unused_dependencies | to_json }}";
 // Automatically reboot *WITHOUT CONFIRMATION*
 //  if the file /var/run/reboot-required is found after the upgrade
 Unattended-Upgrade::Automatic-Reboot "{{ unattended_automatic_reboot | to_json }}";
 // If automatic reboot is enabled and needed, reboot at the specific
 // time instead of immediately
 //  Default: "now"
 Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_reboot_time }}";
		`@ -1,2 +0,0 @@`
			`APT::Periodic::Update-Package-Lists "1";`
			`APT::Periodic::Unattended-Upgrade "1";`