From e606ebee6ed1b442b40e8ffcc7386e6402bd7a13 Mon Sep 17 00:00:00 2001 From: Stefan Le Breton Date: Mon, 17 Mar 2025 18:17:11 +0100 Subject: [PATCH] add autoupgrade role --- deploy.yml | 4 + group_vars/all/upgrades.yaml | 20 +++++ roles/anyops_autoupgrade/defaults/main.yaml | 13 +++ roles/anyops_autoupgrade/handlers/main.yaml | 3 + roles/anyops_autoupgrade/tasks/main.yaml | 88 +++++++++++++++++++ .../templates/unattended-upgrades.j2 | 11 +++ 6 files changed, 139 insertions(+) create mode 100644 group_vars/all/upgrades.yaml create mode 100644 roles/anyops_autoupgrade/defaults/main.yaml create mode 100644 roles/anyops_autoupgrade/handlers/main.yaml create mode 100644 roles/anyops_autoupgrade/tasks/main.yaml create mode 100644 roles/anyops_autoupgrade/templates/unattended-upgrades.j2 diff --git a/deploy.yml b/deploy.yml index c8c157b..690ac68 100644 --- a/deploy.yml +++ b/deploy.yml @@ -104,3 +104,7 @@ # - 10.201.201.2 # wireguard tags: - ufw + + - name: autoupgrade + ansible.builtin.include_role: + name: anyops_autoupgrade diff --git a/group_vars/all/upgrades.yaml b/group_vars/all/upgrades.yaml new file mode 100644 index 0000000..09b5675 --- /dev/null +++ b/group_vars/all/upgrades.yaml @@ -0,0 +1,20 @@ +--- +install_time: "17:00" +reboot_time: "17:15" +reboot_offset: "10m" +unattended_upgrade: + Mail: "admin@anyops.de push-info+tk_37c6vla7m9o4stn6ppm8c4l7m2kb6@pushin.anyops.de" + MailOnlyOnError: "true" + DevRelease: auto + "Package-Blacklist": [] + "Allowed-Origins": + # std ubuntu + - '${distro_id}:${distro_codename}' + - '${distro_id}:${distro_codename}-security' + # ESM + - '${distro_id}ESMApps:${distro_codename}-apps-security' + - '${distro_id}ESM:${distro_codename}-infra-security' + # crowdsec + - 'packagecloud.io/crowdsec/crowdsec:${distro_codename}' + # Docker + - 'Docker:${distro_codename}' diff --git a/roles/anyops_autoupgrade/defaults/main.yaml b/roles/anyops_autoupgrade/defaults/main.yaml new file mode 100644 index 0000000..368e698 --- /dev/null 
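Review bot: The new `include_role` task carries no `tags:`, while the preceding task in the hunk is tagged (`- ufw`), so a run restricted with `--tags` would skip the upgrade role entirely; if the play is normally run tagged, either give the task a tag or switch to `ansible.builtin.import_role`, since tags on an `include_role` apply only to the include task itself unless passed through `apply:`. The enclosing play starts outside the hunk, so whether its other tasks are all tagged cannot be confirmed from here.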
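Review bot: The `Mail` value embeds what looks like a per-recipient token in its second address and is committed in plain text under `group_vars/all`; keep that address in a vaulted variable and reference it here, e.g. `Mail: "{{ vault_unattended_upgrade_mail }}"` (constructed name). `reboot_offset: "10m"` is a misnomer for what the role does with it — the tasks file writes it as `RandomizedDelaySec` on the upgrade timer, so an install scheduled for `install_time` may start up to 10 minutes late while `reboot_time` is fixed 15 minutes later, which is a tight window; a name such as `install_random_delay` would make the coupling visible. This file also hard-codes the `Allowed-Origins` list a third time, alongside the role defaults and the `origins to upgrade` loop in the tasks file.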
+++ b/roles/anyops_autoupgrade/defaults/main.yaml
@@ -0,0 +1,13 @@
+---
+install_time: 01:00
+reboot_time: 00:00
+reboot_offset: 120m
+default_unattended_upgrades:
+ DevRelease: auto
+ Allowed-Origins:
+ # std ubuntu
+ - '${distro_id}:${distro_codename}'
+ - '${distro_id}:${distro_codename}-security'
+ # ESM
+ - '${distro_id}ESMApps:${distro_codename}-apps-security'
+ - '${distro_id}ESM:${distro_codename}-infra-security'
diff --git a/roles/anyops_autoupgrade/handlers/main.yaml b/roles/anyops_autoupgrade/handlers/main.yaml
new file mode 100644
index 0000000..cef3bb9
--- /dev/null
+++ b/roles/anyops_autoupgrade/handlers/main.yaml
@@ -0,0 +1,3 @@
+- name: systemd reload
+ ansible.builtin.systemd_service:
+ daemon_reload: true
\ No newline at end of file
diff --git a/roles/anyops_autoupgrade/tasks/main.yaml b/roles/anyops_autoupgrade/tasks/main.yaml
new file mode 100644
index 0000000..45d33e5
--- /dev/null
+++ b/roles/anyops_autoupgrade/tasks/main.yaml
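Review bot: `default_unattended_upgrades` is never referenced — the template in `templates/unattended-upgrades.j2` reads `unattended_upgrade`, so these defaults have no effect and a host without `group_vars/all/upgrades.yaml` fails on an undefined variable; rename the key to `unattended_upgrade`, or have the template read `unattended_upgrade | default(default_unattended_upgrades)`. `install_time: 01:00` and `reboot_time: 00:00` are unquoted here while the same keys in the group_vars file are quoted; under YAML 1.1 rules a value like `17:00` is read as a sexagesimal integer, so quote them consistently: `install_time: "01:00"`, `reboot_time: "00:00"`. With `reboot_offset: 120m` applied as `RandomizedDelaySec` on the upgrade timer (see the tasks file), an install starting at 01:00 may begin as late as 03:00 while the reboot is fixed at 00:00; a comment stating the intended install/reboot ordering would help the next maintainer.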
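Review bot: `daemon_reload: true` alone re-reads the edited unit file but, as far as I recall, does not reschedule an already-active timer, so the new `OnCalendar` may only take effect once the timer is restarted; make the handler `ansible.builtin.systemd_service:` with `name: apt-daily-upgrade.timer`, `state: restarted`, `daemon_reload: true`. The file also lacks the `---` document start used by the other YAML files in this change and ends without a trailing newline.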
@@ -0,0 +1,88 @@
+---
+- name: install packages
+ apt:
+ name:
+ - unattended-upgrades
+ - apt-listchanges
+ - update-notifier-common
+
+- name: Create unattended upgrades configuration file
+ ansible.builtin.blockinfile:
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ block: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+ marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"
+ create: true
+ mode: "0644"
+ owner: root
+ group: root
+ register: unattended_upgrades_config_set
+
+- name: Enable automated reboots
+ ansible.builtin.blockinfile:
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ block: |
+ Unattended-Upgrade::Automatic-Reboot "true";
+ Unattended-Upgrade::Automatic-Reboot-Time "{{ reboot_time }}";
+ marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"
+ create: true
+ mode: "0644"
+ owner: root
+ group: root
+ register: unattended_upgrades_settings_set
+
+- name: template configuration
+ ansible.builtin.template:
+ src: unattended-upgrades.j2
+ dest: /tmp/test.conf
+
+- name: origins to upgrade
+ ansible.builtin.lineinfile:
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ line: "\t\"{{ item }}\";"
+ search_string: "\t\"{{ item }}\";"
+ state: present
+ insertafter: "^Unattended-Upgrade::Allowed-Origins"
+ loop:
+ # std ubuntu
+ - '${distro_id}:${distro_codename}'
+ - '${distro_id}:${distro_codename}-security'
+ # ESM
+ - '${distro_id}ESMApps:${distro_codename}-apps-security'
+ - '${distro_id}ESM:${distro_codename}-infra-security'
+ # crowdsec
+ - 'packagecloud.io/crowdsec/crowdsec:${distro_codename}'
+ # Docker
+ - 'Docker:${distro_codename}'
+
+ # # "${distro_id}:${distro_codename}";
+ # # "${distro_id}:${distro_codename}-security";
+ # # "packagecloud.io/crowdsec/crowdsec:${distro_codename}";
+ # # "Docker:${distro_codename}";
+
+ # "${distro_id}ESMApps:${distro_codename}-apps-security";
+ # "${distro_id}ESM:${distro_codename}-infra-security";
+
+
+- name: Dpkg
reconfigure
+ ansible.builtin.command:
+ cmd: dpkg-reconfigure -f noninteractive unattended-upgrades
+ register: dpkg_reconfigure_unattended_upgrades
+ when:
+ - unattended_upgrades_config_set.changed or
+ unattended_upgrades_settings_set.changed
+
+- name: Configure updates installation timing
+ ansible.builtin.lineinfile:
+ path: /lib/systemd/system/apt-daily-upgrade.timer
+ regexp: '^OnCalendar'
+ line: OnCalendar=*-*-* {{ install_time }}
+ notify: systemd reload
+
+- name: Configure updates installation timing offset
+ ansible.builtin.lineinfile:
+ path: '/lib/systemd/system/apt-daily-upgrade.timer'
+ regexp: '^RandomizedDelaySec'
+ line: 'RandomizedDelaySec={{ reboot_offset }}'
+ notify: systemd reload
\ No newline at end of file
diff --git a/roles/anyops_autoupgrade/templates/unattended-upgrades.j2 b/roles/anyops_autoupgrade/templates/unattended-upgrades.j2
new file mode 100644
index 0000000..a7d7e4b
--- /dev/null
+++ b/roles/anyops_autoupgrade/templates/unattended-upgrades.j2
@@ -0,0 +1,11 @@
+{% for item in unattended_upgrade %}
+{%- if unattended_upgrade[item] is string %}
+Unattended-Upgrade::{{ item }} = "{{ unattended_upgrade[item] }}";
+{% else -%}
+Unattended-Upgrade::{{ item }} {
+{% for subitem in unattended_upgrade[item] %}
+ "{{ subitem }}";
+{% endfor %}
+}
+{% endif -%}
+{% endfor %}
\ No newline at end of file
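Review bot: The `template configuration` task writes the rendered apt configuration to `dest: /tmp/test.conf`, which nothing afterwards reads and which lands in a world-writable directory with no `mode`/`owner`; either point it at the real target under `/etc/apt/apt.conf.d/` with `mode: "0644"`, `owner: root`, `group: root` as the two blockinfile tasks do, or drop the task together with the template. The two `lineinfile` tasks at the end edit `/lib/systemd/system/apt-daily-upgrade.timer` in place, a file owned by the systemd package that the next package upgrade silently overwrites; write `OnCalendar` and `RandomizedDelaySec` into a drop-in under `/etc/systemd/system/apt-daily-upgrade.timer.d/` instead. The first task uses a bare `apt:` with no `state:`, unlike the `ansible.builtin.*` FQCN style of every other task — `ansible.builtin.apt:` with `state: present`. The commented-out origins block after the `loop:` is dead text that duplicates the live list and should be removed.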
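Review bot: The scalar branch renders `Unattended-Upgrade::{{ item }} = "…";`, but apt.conf's documented form is `Name "value";` with no `=`, so the output may not be accepted — check the rendered file with `apt-config dump` and drop the `=` if it is rejected. The `is string` test sends any non-string scalar (an unquoted `true` or a number in `unattended_upgrade`) into the `else` branch, where the inner `for` tries to iterate it and the render fails; testing `unattended_upgrade[item] is not iterable or unattended_upgrade[item] is string` for the scalar case would be more robust. The template also ends without a trailing newline, so the last rendered line has no terminator.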