dockerhost/roles/anyops_autoupgrade/tasks/main.yaml

---
- name: install packages
  apt:
    name:
     - unattended-upgrades
     - apt-listchanges
     - update-notifier-common

- name: Create unattended upgrades configuration file
  ansible.builtin.blockinfile:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    block: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"
    create: true
    mode: "0644"
    owner: root
    group: root
  register: unattended_upgrades_config_set

- name: Enable automated reboots
  ansible.builtin.blockinfile:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    block: |
      Unattended-Upgrade::Automatic-Reboot "true";
      Unattended-Upgrade::Automatic-Reboot-Time "{{ reboot_time }}";
    marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"
    create: true
    mode: "0644"
    owner: root
    group: root
  register: unattended_upgrades_settings_set

- name: template configuration
  ansible.builtin.template:
    src: unattended-upgrades.j2
    dest: /tmp/test.conf

- name: origins to upgrade
  ansible.builtin.lineinfile:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    line: "\t\"{{ item }}\";"
    search_string: "\t\"{{ item }}\";"
    state: present
    insertafter: "^Unattended-Upgrade::Allowed-Origins"
  loop:
    # std ubuntu
    - '${distro_id}:${distro_codename}'
    - '${distro_id}:${distro_codename}-security'
    # ESM
    - '${distro_id}ESMApps:${distro_codename}-apps-security'
    - '${distro_id}ESM:${distro_codename}-infra-security'
    # crowdsec
    - 'packagecloud.io/crowdsec/crowdsec:${distro_codename}'
    # Docker
    - 'Docker:${distro_codename}'

      #   # "${distro_id}:${distro_codename}";
      #   # "${distro_id}:${distro_codename}-security";
      #   # "packagecloud.io/crowdsec/crowdsec:${distro_codename}";
      #   # "Docker:${distro_codename}";

      # "${distro_id}ESMApps:${distro_codename}-apps-security";
      # "${distro_id}ESM:${distro_codename}-infra-security";


- name: Dpkg reconfigure
  ansible.builtin.command:
    cmd: dpkg-reconfigure -f noninteractive unattended-upgrades
  register: dpkg_reconfigure_unattended_upgrades
  when:
    - unattended_upgrades_config_set.changed or
      unattended_upgrades_settings_set.changed

- name: Configure updates installation timing
  ansible.builtin.lineinfile:
    path: /lib/systemd/system/apt-daily-upgrade.timer
    regexp: '^OnCalendar'
    line: OnCalendar=*-*-* {{ install_time }}
  notify: systemd reload

- name: Configure updates installation timing offset
  ansible.builtin.lineinfile:
    path: '/lib/systemd/system/apt-daily-upgrade.timer'
    regexp: '^RandomizedDelaySec'
    line: 'RandomizedDelaySec={{ reboot_offset }}'
  notify: systemd reload
add autoupgrade role 2025-03-17 18:17:11 +01:00			`---`
			`- name: install packages`
			`apt:`
			`name:`
			`- unattended-upgrades`
			`- apt-listchanges`
			`- update-notifier-common`

			`- name: Create unattended upgrades configuration file`
			`ansible.builtin.blockinfile:`
			`dest: /etc/apt/apt.conf.d/20auto-upgrades`
			`block: \|`
			`APT::Periodic::Update-Package-Lists "1";`
			`APT::Periodic::Unattended-Upgrade "1";`
			`marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"`
			`create: true`
			`mode: "0644"`
			`owner: root`
			`group: root`
			`register: unattended_upgrades_config_set`

			`- name: Enable automated reboots`
			`ansible.builtin.blockinfile:`
			`dest: /etc/apt/apt.conf.d/50unattended-upgrades`
			`block: \|`
			`Unattended-Upgrade::Automatic-Reboot "true";`
			`Unattended-Upgrade::Automatic-Reboot-Time "{{ reboot_time }}";`
			`marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"`
			`create: true`
			`mode: "0644"`
			`owner: root`
			`group: root`
			`register: unattended_upgrades_settings_set`

			`- name: template configuration`
			`ansible.builtin.template:`
			`src: unattended-upgrades.j2`
			`dest: /tmp/test.conf`

			`- name: origins to upgrade`
			`ansible.builtin.lineinfile:`
			`dest: /etc/apt/apt.conf.d/50unattended-upgrades`
			`line: "\t\"{{ item }}\";"`
			`search_string: "\t\"{{ item }}\";"`
			`state: present`
			`insertafter: "^Unattended-Upgrade::Allowed-Origins"`
			`loop:`
			`# std ubuntu`
			`- '${distro_id}:${distro_codename}'`
			`- '${distro_id}:${distro_codename}-security'`
			`# ESM`
			`- '${distro_id}ESMApps:${distro_codename}-apps-security'`
			`- '${distro_id}ESM:${distro_codename}-infra-security'`
			`# crowdsec`
			`- 'packagecloud.io/crowdsec/crowdsec:${distro_codename}'`
			`# Docker`
			`- 'Docker:${distro_codename}'`

			`# # "${distro_id}:${distro_codename}";`
			`# # "${distro_id}:${distro_codename}-security";`
			`# # "packagecloud.io/crowdsec/crowdsec:${distro_codename}";`
			`# # "Docker:${distro_codename}";`

			`# "${distro_id}ESMApps:${distro_codename}-apps-security";`
			`# "${distro_id}ESM:${distro_codename}-infra-security";`


			`- name: Dpkg reconfigure`
			`ansible.builtin.command:`
			`cmd: dpkg-reconfigure -f noninteractive unattended-upgrades`
			`register: dpkg_reconfigure_unattended_upgrades`
			`when:`
			`- unattended_upgrades_config_set.changed or`
			`unattended_upgrades_settings_set.changed`

			`- name: Configure updates installation timing`
			`ansible.builtin.lineinfile:`
			`path: /lib/systemd/system/apt-daily-upgrade.timer`
			`regexp: '^OnCalendar'`
			`line: OnCalendar=--* {{ install_time }}`
			`notify: systemd reload`

			`- name: Configure updates installation timing offset`
			`ansible.builtin.lineinfile:`
			`path: '/lib/systemd/system/apt-daily-upgrade.timer'`
			`regexp: '^RandomizedDelaySec'`
			`line: 'RandomizedDelaySec={{ reboot_offset }}'`
			`notify: systemd reload`