add autoupgrade role

2025-03-17 18:17:11 +01:00 · 2025-03-17 18:17:11 +01:00 · e606ebee6e
commit e606ebee6e
parent 5388cdd861
6 changed files with 139 additions and 0 deletions
--- a/deploy.yml
+++ b/deploy.yml
@ -104,3 +104,7 @@
          #        - 10.201.201.2 # wireguard
      tags:
        - ufw
+
+    - name: autoupgrade
+      ansible.builtin.include_role:
+        name: anyops_autoupgrade
--- a/group_vars/all/upgrades.yaml
+++ b/group_vars/all/upgrades.yaml
@ -0,0 +1,20 @@
+---
+install_time: "17:00"
+reboot_time: "17:15"
+reboot_offset: "10m"
+unattended_upgrade:
+  Mail: "admin@anyops.de push-info+tk_37c6vla7m9o4stn6ppm8c4l7m2kb6@pushin.anyops.de"
+  MailOnlyOnError: "true"
+  DevRelease: auto
+  "Package-Blacklist": []
+  "Allowed-Origins":
+    # std ubuntu
+    - '${distro_id}:${distro_codename}'
+    - '${distro_id}:${distro_codename}-security'
+    # ESM
+    - '${distro_id}ESMApps:${distro_codename}-apps-security'
+    - '${distro_id}ESM:${distro_codename}-infra-security'
+    # crowdsec
+    - 'packagecloud.io/crowdsec/crowdsec:${distro_codename}'
+    # Docker
+    - 'Docker:${distro_codename}'
--- a/roles/anyops_autoupgrade/defaults/main.yaml
+++ b/roles/anyops_autoupgrade/defaults/main.yaml
@ -0,0 +1,13 @@
+---
+install_time: 01:00
+reboot_time: 00:00
+reboot_offset: 120m
+default_unattended_upgrades:
+  DevRelease: auto
+  Allowed-Origins:
+    # std ubuntu
+    - '${distro_id}:${distro_codename}'
+    - '${distro_id}:${distro_codename}-security'
+    # ESM
+    - '${distro_id}ESMApps:${distro_codename}-apps-security'
+    - '${distro_id}ESM:${distro_codename}-infra-security'
--- a/roles/anyops_autoupgrade/handlers/main.yaml
+++ b/roles/anyops_autoupgrade/handlers/main.yaml
@ -0,0 +1,3 @@
+- name: systemd reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
--- a/roles/anyops_autoupgrade/tasks/main.yaml
+++ b/roles/anyops_autoupgrade/tasks/main.yaml
@ -0,0 +1,88 @@
+---
+- name: install packages
+  apt:
+    name:
+     - unattended-upgrades
+     - apt-listchanges
+     - update-notifier-common
+
+- name: Create unattended upgrades configuration file
+  ansible.builtin.blockinfile:
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    block: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Unattended-Upgrade "1";
+    marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"
+    create: true
+    mode: "0644"
+    owner: root
+    group: root
+  register: unattended_upgrades_config_set
+
+- name: Enable automated reboots
+  ansible.builtin.blockinfile:
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    block: |
+      Unattended-Upgrade::Automatic-Reboot "true";
+      Unattended-Upgrade::Automatic-Reboot-Time "{{ reboot_time }}";
+    marker: "// {mark} ANSIBLE MANAGED BLOCK - unattended_upgrades settings"
+    create: true
+    mode: "0644"
+    owner: root
+    group: root
+  register: unattended_upgrades_settings_set
+
+- name: template configuration
+  ansible.builtin.template:
+    src: unattended-upgrades.j2
+    dest: /tmp/test.conf
+
+- name: origins to upgrade
+  ansible.builtin.lineinfile:
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    line: "\t\"{{ item }}\";"
+    search_string: "\t\"{{ item }}\";"
+    state: present
+    insertafter: "^Unattended-Upgrade::Allowed-Origins"
+  loop:
+    # std ubuntu
+    - '${distro_id}:${distro_codename}'
+    - '${distro_id}:${distro_codename}-security'
+    # ESM
+    - '${distro_id}ESMApps:${distro_codename}-apps-security'
+    - '${distro_id}ESM:${distro_codename}-infra-security'
+    # crowdsec
+    - 'packagecloud.io/crowdsec/crowdsec:${distro_codename}'
+    # Docker
+    - 'Docker:${distro_codename}'
+
+      #   # "${distro_id}:${distro_codename}";
+      #   # "${distro_id}:${distro_codename}-security";
+      #   # "packagecloud.io/crowdsec/crowdsec:${distro_codename}";
+      #   # "Docker:${distro_codename}";
+
+      # "${distro_id}ESMApps:${distro_codename}-apps-security";
+      # "${distro_id}ESM:${distro_codename}-infra-security";
+
+
+- name: Dpkg reconfigure
+  ansible.builtin.command:
+    cmd: dpkg-reconfigure -f noninteractive unattended-upgrades
+  register: dpkg_reconfigure_unattended_upgrades
+  when:
+    - unattended_upgrades_config_set.changed or
+      unattended_upgrades_settings_set.changed
+
+- name: Configure updates installation timing
+  ansible.builtin.lineinfile:
+    path: /lib/systemd/system/apt-daily-upgrade.timer
+    regexp: '^OnCalendar'
+    line: OnCalendar=*-*-* {{ install_time }}
+  notify: systemd reload
+
+- name: Configure updates installation timing offset
+  ansible.builtin.lineinfile:
+    path: '/lib/systemd/system/apt-daily-upgrade.timer'
+    regexp: '^RandomizedDelaySec'
+    line: 'RandomizedDelaySec={{ reboot_offset }}'
+  notify: systemd reload
--- a/roles/anyops_autoupgrade/templates/unattended-upgrades.j2
+++ b/roles/anyops_autoupgrade/templates/unattended-upgrades.j2
@ -0,0 +1,11 @@
+{% for item in unattended_upgrade %}
+{%-  if unattended_upgrade[item] is string %}
+Unattended-Upgrade::{{ item }} = "{{ unattended_upgrade[item] }}";
+{%   else -%}
+Unattended-Upgrade::{{ item }} {
+{%     for subitem in unattended_upgrade[item] %}
+  "{{ subitem }}";
+{%     endfor %}
+}
+{%   endif -%}
+{% endfor %}