diff --git a/files/apt-daily-upgrade.timer b/files/apt-daily-upgrade.timer
new file mode 100644
index 0000000000000000000000000000000000000000..a8b361efce6b39ddd0108d1ec119ff072b0ff598
--- /dev/null
+++ b/files/apt-daily-upgrade.timer
@@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=
+OnCalendar=Tuesday 5:00
+RandomizedDelaySec=10m
diff --git a/files/apt-daily.timer b/files/apt-daily.timer
new file mode 100644
index 0000000000000000000000000000000000000000..2dd84b0934278174d167d0e635ce763b196dc637
--- /dev/null
+++ b/files/apt-daily.timer
@@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=
+OnCalendar=Tuesday 4:30
+RandomizedDelaySec=10m
diff --git a/files/apt-unattended-upgrades b/files/apt-unattended-upgrades
new file mode 100644
index 0000000000000000000000000000000000000000..a5cc28f3acc83c772263baa2edf31cf9d8a31041
--- /dev/null
+++ b/files/apt-unattended-upgrades
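Review bot: `OnCalendar=Tuesday 5:00` limits installation of upgrades, including the `-security` origin enabled in `files/apt-unattended-upgrades`, to one run per week, so a fix published on a Wednesday waits up to six days on every host in `maintenance_contract`; if that is the accepted trade-off it should be stated in the drop-in, e.g. `# Weekly window: security fixes are deliberately deferred up to 7 days`, otherwise the packaged daily cadence is the safer default. `RandomizedDelaySec=10m` combined with `Automatic-Reboot-Time "now"` from the same commit means every host under contract reboots inside the same ten-minute window on Tuesday morning; the packaged 60m spread, or a per-host offset, avoids a fleet-wide simultaneous reboot. The drop-in presumably inherits `Persistent=true` from the packaged unit, so a host that is off at 5:00 catches up at next boot — worth confirming with `systemctl cat apt-daily-upgrade.timer` rather than assuming it.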
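Review bot: `OnCalendar=Tuesday 4:30` refreshes the package lists only once a week, 30 minutes before `apt-daily-upgrade.timer` fires (4:30 plus up to 10m of random delay versus 5:00), and if that single `apt-get update` fails (mirror outage, DNS) the upgrade run proceeds on whatever lists are present, which by then are a week old. A comment documenting the coupling between the two drop-ins would help the next reader, e.g. `# Must finish before apt-daily-upgrade.timer (Tuesday 5:00)`. If the weekly cadence is intentional, an explicit `Persistent=true` here makes the catch-up behaviour visible instead of relying on what the packaged unit sets.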
@@ -0,0 +1,60 @@
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}:${distro_codename}-updates";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+
+Unattended-Upgrade::DevRelease "false";
+
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+Unattended-Upgrade::MinimalSteps "true";
+
+Unattended-Upgrade::InstallOnShutdown "false";
+
+//Unattended-Upgrade::Mail "";
+
+// "always", "only-on-error" or "on-change"
+//Unattended-Upgrade::MailReport "on-change";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+Unattended-Upgrade::Automatic-Reboot "true";
+
+Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
+
+Unattended-Upgrade::Automatic-Reboot-Time "now";
+
+Unattended-Upgrade::SyslogEnable "true";
+
+Unattended-Upgrade::SyslogFacility "daemon";
+
+Unattended-Upgrade::OnlyOnACPower "false";
+
+Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";
+
+Unattended-Upgrade::Verbose "false";
+
+Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
diff --git a/handlers/main.yml b/handlers/main.yml
index 2f7cbb9f27107ffd4662e52a314724860062ff59..e455fa34e72b7e02ea801d511aa8c033cd41d959 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,4 +1,23 @@
 ---
 - name: restart-sshd
- service: name=sshd state=restarted
+ service:
+ name: sshd
+ state: restarted
+
+- name: restart-cron
+ ansible.builtin.service:
+ name: cron
+ state: restarted
+
+- name: restart-apt-update-timer
+ ansible.builtin.systemd:
+ name: apt-daily.timer
+ state: restarted
+ enabled: true
+
+- name: restart-apt-upgrade-timer
+ ansible.builtin.systemd:
+ name: apt-daily-upgrade.timer
+ state: restarted
+ enabled: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 18357ccd7437117e1d4f756727a6b6908e5fe4ec..7e94fae3ccdc9af027e27cad9d55508cc99169f6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,7 +3,14 @@
 include_vars: "{{ ansible_os_family }}.yml"
 - name: Set machine hostname
- hostname: name="{{ inventory_hostname_short | lower | regex_replace('_','') }}"
+ hostname:
+ name: "{{ inventory_hostname_short | lower | regex_replace('_','') }}"
+
+- name: Set timezone to Europe/Paris
+ community.general.timezone:
+ name: Europe/Paris
+ notify:
+ - restart-cron
+
 - name: Never include APT phased update
 copy:
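Review bot: `Automatic-Reboot-WithUsers "false"` lets any logged-in session (a forgotten SSH login, a tmux session) silently veto the reboot after a kernel or libc update, and because `Unattended-Upgrade::Mail` and `MailReport` are both left commented out nobody is told; the host then keeps running the old kernel until a later Tuesday run finds no session. Either set it to `"true"` for contract hosts that have no interactive users, or set `Mail` and `MailReport` so the run log is delivered and monitor `/var/run/reboot-required`, so a deferred reboot becomes visible. The `"${distro_id}:${distro_codename}-security"` spelling matches the suite names used by Debian 11+ and Ubuntu; on older Debian releases whose security suite was `${distro_codename}/updates` it would match nothing, worth checking against the releases this role supports. `Remove-Unused-Dependencies "true"` performs the equivalent of `apt autoremove` on every run, which also removes packages that were pulled in as dependencies and later used directly without being marked manual; a comment stating that this is intended, or using the commented `Remove-New-Unused-Dependencies` instead, would make the choice explicit.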
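Review bot: `restart-apt-update-timer` and `restart-apt-upgrade-timer` restart the timers without a daemon reload, so the freshly written `override.conf` drop-ins are not read and the timers keep the packaged `OnCalendar` until something else reloads systemd; `ansible.builtin.systemd` only reloads when asked. Add `daemon_reload: true` next to `enabled: true` in both handlers. The pre-existing `restart-sshd` handler still uses the short `service` module name while the three new handlers use the `ansible.builtin.` FQCN; picking one form keeps the file consistent.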
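Review bot: `notify:` for the timezone task has to be a task-level key, a sibling of `community.general.timezone:`, not part of the module's argument mapping; the indentation is not recoverable from this rendering, so please check it is not nested under the module, which Ansible would reject as an unsupported parameter. `Europe/Paris` is hard-coded in both the task name and the argument; a role variable such as `name: "{{ host_timezone | default('Europe/Paris') }}"` keeps the role usable for hosts in other zones. `community.general` is a new collection dependency of the role and should be declared in `meta/main.yml` or a `requirements.yml`, so a missing collection fails at install time rather than mid-play.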
@@ -81,6 +88,69 @@
 mode: '0644'
 when: ansible_os_family == "Debian"
+- name: Remove Unattended Upgrades
+ apt:
+ name: "unattended-upgrades"
+ autoremove: true
+ purge: true
+ state: absent
+ when: ansible_os_family == "Debian" and inventory_hostname not in groups.maintenance_contract
+
+- name: Install Unattended Upgrades
+ apt:
+ name: "unattended-upgrades"
+ state: present
+ when: ansible_os_family == "Debian" and inventory_hostname in groups.maintenance_contract
+
+- name: Copy Unattended Upgrades configuration
+ ansible.builtin.copy:
+ src: 'apt-unattended-upgrades'
+ dest: '/etc/apt/apt.conf.d/50unattended-upgrades'
+ owner: root
+ group: root
+ mode: '0644'
+ when: inventory_hostname in groups.maintenance_contract
+
+- name: Create apt-daily timer directory if it does not exist
+ ansible.builtin.file:
+ path: '/etc/systemd/system/apt-daily.timer.d'
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+ when: inventory_hostname in groups.maintenance_contract
+
+- name: override apt-daily timer
+ ansible.builtin.copy:
+ src: 'apt-daily.timer'
+ dest: '/etc/systemd/system/apt-daily.timer.d/override.conf'
+ owner: root
+ group: root
+ mode: '0644'
+ when: inventory_hostname in groups.maintenance_contract
+ notify:
+ - restart-apt-update-timer
+
+- name: Create apt-daily-upgrade timer directory if it does not exist
+ ansible.builtin.file:
+ path: '/etc/systemd/system/apt-daily-upgrade.timer.d'
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+ when: inventory_hostname in groups.maintenance_contract
+
+- name: override apt-daily-upgrade timer
+ ansible.builtin.copy:
+ src: 'apt-daily-upgrade.timer'
+ dest: '/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf'
+ owner: root
+ group: root
+ mode: '0644'
+ when: inventory_hostname in groups.maintenance_contract
+ notify:
+ - restart-apt-upgrade-timer
+
 - name: Create {{ host_user }} group
 group:
 name: "{{ host_user }}"
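Review bot: The five tasks that write `/etc/apt/apt.conf.d/50unattended-upgrades` and the two `/etc/systemd/system/apt-daily*.timer.d/override.conf` drop-ins are gated only on `inventory_hostname in groups.maintenance_contract`, while the Remove/Install tasks above them also require `ansible_os_family == "Debian"`; a non-Debian host placed in that group would receive an apt config and drop-ins for timers it does not have. Every `when:` in the hunk also dereferences `groups.maintenance_contract` directly, which aborts the play with an undefined-attribute error on any inventory that lacks the group, so `when: ansible_os_family == "Debian" and inventory_hostname in groups.get('maintenance_contract', [])` (negated for the Remove task) is the safer guard for all seven tasks. `autoremove: true` on the Remove task is not scoped to dependencies of `unattended-upgrades`; it runs a full autoremove that can drop other auto-installed packages the host still uses, so unless that is intended it should be dropped in favour of `purge: true` alone. Nothing removes the drop-ins when a host leaves `maintenance_contract`, so the packaged `apt-daily*.timer` units keep the Tuesday schedule there even after the package is purged.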
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 6538faab773105d32fc73eff16c896dbae038962..61ed1d65e9e83f612b060a7b164988d7fc8bfb4a 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -2,7 +2,6 @@
 packages_to_remove:
 - samba*
 - snapd
- - unattended-upgrades
 - popularity-contest
 - ubuntu-advantage-tools
 files_to_remove: