dockerhost/roles/anyops_autoupgrade/tasks/main.yaml

---
- name: install packages
  apt:
    name:
     - unattended-upgrades
     - apt-listchanges
     - update-notifier-common
     - ssmtp

- name: Create unattended upgrades configuration file
  ansible.builtin.blockinfile:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    block: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"
    create: true
    mode: "0644"
    owner: root
    group: root
  register: unattended_upgrades_config_set

- name: Enable automated reboots
  ansible.builtin.blockinfile:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    block: |
      Unattended-Upgrade::Automatic-Reboot "true";
      Unattended-Upgrade::Automatic-Reboot-Time "{{ reboot_time }}";
    marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"
    create: true
    mode: "0644"
    owner: root
    group: root
  register: unattended_upgrades_settings_set

- name: template configuration
  ansible.builtin.template:
    src: unattended-upgrades.j2
    dest: /tmp/test.conf

# - name: origins to upgrade
#   ansible.builtin.lineinfile:
#     dest: /etc/apt/apt.conf.d/50unattended-upgrades
#     line: "\t\"{{ item }}\";"
#     search_string: "\t\"{{ item }}\";"
#     state: present
#     insertafter: "^Unattended-Upgrade::Allowed-Origins"
#   loop:
#     # std ubuntu
#     - '${distro_id}:${distro_codename}'
#     - '${distro_id}:${distro_codename}-security'
#     # ESM
#     - '${distro_id}ESMApps:${distro_codename}-apps-security'
#     - '${distro_id}ESM:${distro_codename}-infra-security'
#     # crowdsec
#     - 'packagecloud.io/crowdsec/crowdsec:${distro_codename}'
#     # Docker
#     - 'Docker:${distro_codename}'

#       #   # "${distro_id}:${distro_codename}";
#       #   # "${distro_id}:${distro_codename}-security";
#       #   # "packagecloud.io/crowdsec/crowdsec:${distro_codename}";
#       #   # "Docker:${distro_codename}";

#       # "${distro_id}ESMApps:${distro_codename}-apps-security";
#       # "${distro_id}ESM:${distro_codename}-infra-security";

- name: origins to upgrade
  ansible.builtin.blockinfile:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    block: |
      Unattended-Upgrade::Origins-Pattern {
        "o=*";
      }
    marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades origins pattern"
  loop:


- name: notify mail address
  ansible.builtin.lineinfile:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    line: "Unattended-Upgrade::Mail \"{{ unattended_upgrade.Mail }}\";"
    search_string: "^Unattended-Upgrade::Mail"
    state: present
- name: notify mail sender
  ansible.builtin.lineinfile:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    line: "Unattended-Upgrade::Sender \"Unattended-upgrades {{ inventory_hostname }} <admin@anyops.de>\";"
    search_string: "^Unattended-Upgrade::Sender"
    state: present

- name: Dpkg reconfigure
  ansible.builtin.command:
    cmd: dpkg-reconfigure -f noninteractive unattended-upgrades
  register: dpkg_reconfigure_unattended_upgrades
  when:
    - unattended_upgrades_config_set.changed or
      unattended_upgrades_settings_set.changed

- name: Configure updates installation timing
  ansible.builtin.lineinfile:
    path: /lib/systemd/system/apt-daily-upgrade.timer
    regexp: '^OnCalendar'
    line: OnCalendar=*-*-* {{ install_time }}
  notify: systemd reload

- name: Configure updates installation timing offset
  ansible.builtin.lineinfile:
    path: /lib/systemd/system/apt-daily-upgrade.timer
    regexp: '^RandomizedDelaySec'
    line: 'RandomizedDelaySec={{ reboot_offset }}'
  notify: systemd reload

- name: ssmtp config mailhub
  ansible.builtin.lineinfile:
    path: /etc/ssmtp/ssmtp.conf
    regexp: ^mailhub
    line: mailhub=muh.anyops.de
- name: ssmtp config rewriteDomain
  ansible.builtin.lineinfile:
    path: /etc/ssmtp/ssmtp.conf
    regexp: ^rewriteDomain
    line: rewriteDomain=anyops.de
- name: ssmtp config hostname
  ansible.builtin.lineinfile:
    path: /etc/ssmtp/ssmtp.conf
    regexp: ^hostname
    line: "hostname={{ ansible_host }}"
- name: ssmtp config FromLineOverride
  ansible.builtin.lineinfile:
    path: /etc/ssmtp/ssmtp.conf
    regexp: ^FromLineOverride
    line: FromLineOverride=YES
add autoupgrade role 2025-03-17 18:17:11 +01:00			`---`
			`- name: install packages`
			`apt:`
			`name:`
			`- unattended-upgrades`
			`- apt-listchanges`
			`- update-notifier-common`
unattended-upgrades 2025-03-19 10:05:43 +01:00			`- ssmtp`
add autoupgrade role 2025-03-17 18:17:11 +01:00
			`- name: Create unattended upgrades configuration file`
			`ansible.builtin.blockinfile:`
			`dest: /etc/apt/apt.conf.d/20auto-upgrades`
			`block: \|`
			`APT::Periodic::Update-Package-Lists "1";`
			`APT::Periodic::Unattended-Upgrade "1";`
			`marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"`
			`create: true`
			`mode: "0644"`
			`owner: root`
			`group: root`
			`register: unattended_upgrades_config_set`

			`- name: Enable automated reboots`
			`ansible.builtin.blockinfile:`
			`dest: /etc/apt/apt.conf.d/50unattended-upgrades`
			`block: \|`
			`Unattended-Upgrade::Automatic-Reboot "true";`
			`Unattended-Upgrade::Automatic-Reboot-Time "{{ reboot_time }}";`
			`marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"`
			`create: true`
			`mode: "0644"`
			`owner: root`
			`group: root`
			`register: unattended_upgrades_settings_set`

			`- name: template configuration`
			`ansible.builtin.template:`
			`src: unattended-upgrades.j2`
			`dest: /tmp/test.conf`

unattended-upgrades 2025-03-19 10:05:43 +01:00			`# - name: origins to upgrade`
			`# ansible.builtin.lineinfile:`
			`# dest: /etc/apt/apt.conf.d/50unattended-upgrades`
			`# line: "\t\"{{ item }}\";"`
			`# search_string: "\t\"{{ item }}\";"`
			`# state: present`
			`# insertafter: "^Unattended-Upgrade::Allowed-Origins"`
			`# loop:`
			`# # std ubuntu`
			`# - '${distro_id}:${distro_codename}'`
			`# - '${distro_id}:${distro_codename}-security'`
			`# # ESM`
			`# - '${distro_id}ESMApps:${distro_codename}-apps-security'`
			`# - '${distro_id}ESM:${distro_codename}-infra-security'`
			`# # crowdsec`
			`# - 'packagecloud.io/crowdsec/crowdsec:${distro_codename}'`
			`# # Docker`
			`# - 'Docker:${distro_codename}'`

			`# # # "${distro_id}:${distro_codename}";`
			`# # # "${distro_id}:${distro_codename}-security";`
			`# # # "packagecloud.io/crowdsec/crowdsec:${distro_codename}";`
			`# # # "Docker:${distro_codename}";`

			`# # "${distro_id}ESMApps:${distro_codename}-apps-security";`
			`# # "${distro_id}ESM:${distro_codename}-infra-security";`

add autoupgrade role 2025-03-17 18:17:11 +01:00			`- name: origins to upgrade`
unattended-upgrades 2025-03-19 10:05:43 +01:00			`ansible.builtin.blockinfile:`
add autoupgrade role 2025-03-17 18:17:11 +01:00			`dest: /etc/apt/apt.conf.d/50unattended-upgrades`
unattended-upgrades 2025-03-19 10:05:43 +01:00			`block: \|`
			`Unattended-Upgrade::Origins-Pattern {`
			`"o=*";`
			`}`
			`marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades origins pattern"`
add autoupgrade role 2025-03-17 18:17:11 +01:00			`loop:`



unattended-upgrades 2025-03-19 10:05:43 +01:00			`- name: notify mail address`
			`ansible.builtin.lineinfile:`
			`dest: /etc/apt/apt.conf.d/50unattended-upgrades`
			`line: "Unattended-Upgrade::Mail \"{{ unattended_upgrade.Mail }}\";"`
			`search_string: "^Unattended-Upgrade::Mail"`
			`state: present`
			`- name: notify mail sender`
			`ansible.builtin.lineinfile:`
			`dest: /etc/apt/apt.conf.d/50unattended-upgrades`
replaced fixed hostname with variable 2025-06-21 17:30:41 +02:00			`line: "Unattended-Upgrade::Sender \"Unattended-upgrades {{ inventory_hostname }} <admin@anyops.de>\";"`
unattended-upgrades 2025-03-19 10:05:43 +01:00			`search_string: "^Unattended-Upgrade::Sender"`
			`state: present`
add autoupgrade role 2025-03-17 18:17:11 +01:00
			`- name: Dpkg reconfigure`
			`ansible.builtin.command:`
			`cmd: dpkg-reconfigure -f noninteractive unattended-upgrades`
			`register: dpkg_reconfigure_unattended_upgrades`
			`when:`
			`- unattended_upgrades_config_set.changed or`
			`unattended_upgrades_settings_set.changed`

			`- name: Configure updates installation timing`
			`ansible.builtin.lineinfile:`
			`path: /lib/systemd/system/apt-daily-upgrade.timer`
			`regexp: '^OnCalendar'`
			`line: OnCalendar=--* {{ install_time }}`
			`notify: systemd reload`

			`- name: Configure updates installation timing offset`
			`ansible.builtin.lineinfile:`
unattended-upgrades 2025-03-19 10:05:43 +01:00			`path: /lib/systemd/system/apt-daily-upgrade.timer`
add autoupgrade role 2025-03-17 18:17:11 +01:00			`regexp: '^RandomizedDelaySec'`
			`line: 'RandomizedDelaySec={{ reboot_offset }}'`
unattended-upgrades 2025-03-19 10:05:43 +01:00			`notify: systemd reload`

			`- name: ssmtp config mailhub`
			`ansible.builtin.lineinfile:`
			`path: /etc/ssmtp/ssmtp.conf`
			`regexp: ^mailhub`
			`line: mailhub=muh.anyops.de`
			`- name: ssmtp config rewriteDomain`
			`ansible.builtin.lineinfile:`
			`path: /etc/ssmtp/ssmtp.conf`
			`regexp: ^rewriteDomain`
			`line: rewriteDomain=anyops.de`
			`- name: ssmtp config hostname`
			`ansible.builtin.lineinfile:`
			`path: /etc/ssmtp/ssmtp.conf`
			`regexp: ^hostname`
			`line: "hostname={{ ansible_host }}"`
			`- name: ssmtp config FromLineOverride`
			`ansible.builtin.lineinfile:`
			`path: /etc/ssmtp/ssmtp.conf`
			`regexp: ^FromLineOverride`
			`line: FromLineOverride=YES`