From 9fb12372ac486021b39fe6ded5878db25905b9b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20-=20Le=20Filament?= <theo@le-filament.com>
Date: Thu, 27 Apr 2023 19:23:15 +0200
Subject: [PATCH] feat: configure unattended upgrade

---
 files/apt-daily-upgrade.timer |  4 ++
 files/apt-daily.timer         |  4 ++
 files/apt-unattended-upgrades | 60 +++++++++++++++++++++++++++++
 handlers/main.yml             | 21 +++++++++-
 tasks/main.yml                | 72 ++++++++++++++++++++++++++++++++++-
 vars/Debian.yml               |  1 -
 6 files changed, 159 insertions(+), 3 deletions(-)
 create mode 100644 files/apt-daily-upgrade.timer
 create mode 100644 files/apt-daily.timer
 create mode 100644 files/apt-unattended-upgrades

diff --git a/files/apt-daily-upgrade.timer b/files/apt-daily-upgrade.timer
new file mode 100644
index 0000000..a8b361e
--- /dev/null
+++ b/files/apt-daily-upgrade.timer
@@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=
+OnCalendar=Tuesday 5:00
+RandomizedDelaySec=10m
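Review bot: Pinning `apt-daily-upgrade.timer` to `OnCalendar=Tuesday 5:00` means a fix that reaches the `-security` pocket on Wednesday is not installed for six days, which is a long exposure window for the hosts this role singles out as under a maintenance contract; unless the weekly slot is a contractual requirement, keep the upgrade timer daily (e.g. `OnCalendar=*-*-* 5:00`) and make only the reboot policy weekly. `OnCalendar` is evaluated in the host's local time, which this same commit sets to Europe/Paris, so the wall-clock slot moves with that setting. With `Automatic-Reboot "true"` and `Automatic-Reboot-Time "now"` in the new apt config, `RandomizedDelaySec=10m` is also the only thing staggering reboots across a fleet; a wider spread such as `RandomizedDelaySec=1h` limits how many hosts restart simultaneously.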
diff --git a/files/apt-daily.timer b/files/apt-daily.timer
new file mode 100644
index 0000000..2dd84b0
--- /dev/null
+++ b/files/apt-daily.timer
@@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=
+OnCalendar=Tuesday 4:30
+RandomizedDelaySec=10m
diff --git a/files/apt-unattended-upgrades b/files/apt-unattended-upgrades
new file mode 100644
index 0000000..a5cc28f
--- /dev/null
+++ b/files/apt-unattended-upgrades
@@ -0,0 +1,60 @@
+Unattended-Upgrade::Allowed-Origins {
+	"${distro_id}:${distro_codename}";
+	"${distro_id}:${distro_codename}-security";
+	"${distro_id}:${distro_codename}-updates";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+
+Unattended-Upgrade::DevRelease "false";
+
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+Unattended-Upgrade::MinimalSteps "true";
+
+Unattended-Upgrade::InstallOnShutdown "false";
+
+//Unattended-Upgrade::Mail "";
+
+// "always", "only-on-error" or "on-change"
+//Unattended-Upgrade::MailReport "on-change";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+Unattended-Upgrade::Automatic-Reboot "true";
+
+Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
+
+Unattended-Upgrade::Automatic-Reboot-Time "now";
+
+Unattended-Upgrade::SyslogEnable "true";
+
+Unattended-Upgrade::SyslogFacility "daemon";
+
+Unattended-Upgrade::OnlyOnACPower "false";
+
+Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";
+
+Unattended-Upgrade::Verbose "false";
+
+Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
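Review bot: The `Allowed-Origins` entries on L45–L47 are the Ubuntu shorthand; unattended-upgrades rewrites `${distro_id}:${distro_codename}-security` to `o=Debian,a=bookworm-security` and matches `a=` against the Suite field, which on Debian mirrors is `stable`/`stable-security` rather than the codename, so as far as I can tell this list can match nothing on Debian hosts and the Tuesday run would quietly upgrade zero packages — verify with `unattended-upgrade --dry-run -d` and, if confirmed, add Debian's shipped form `Unattended-Upgrade::Origins-Pattern { "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"; };`. Separately, `Automatic-Reboot "true"` with `Automatic-Reboot-Time "now"` reboots as soon as the run finishes, but `Automatic-Reboot-WithUsers "false"` means a forgotten ssh/tmux session cancels the reboot and the host keeps the old kernel, and with `Mail`/`MailReport` commented out a failed run is only visible in syslog. Consider `Unattended-Upgrade::MailReport "only-on-error";` with a monitored `Mail` address (requires a local MTA), plus an external check on `/var/run/reboot-required` so skipped reboots do not go unnoticed.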
diff --git a/handlers/main.yml b/handlers/main.yml
index 2f7cbb9..e455fa3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,4 +1,23 @@
 ---
 
 - name: restart-sshd
-  service: name=sshd state=restarted
+  service:
+    name: sshd
+    state: restarted
+
+- name: restart-cron
+  ansible.builtin.service:
+    name: cron
+    state: restarted
+
+- name: restart-apt-update-timer
+  ansible.builtin.systemd:
+    name: apt-daily.timer
+    state: restarted
+    enabled: true
+
+- name: restart-apt-upgrade-timer
+  ansible.builtin.systemd:
+    name: apt-daily-upgrade.timer 
+    state: restarted
+    enabled: true
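Review bot: The two new timer handlers restart `apt-daily.timer` and `apt-daily-upgrade.timer` without a daemon reload, so the `override.conf` drop-ins that notify them are not read — systemd keeps the previous `OnCalendar` and only warns that the unit's drop-ins changed on disk; add `daemon_reload: true` to both `ansible.builtin.systemd` handlers. The unit name on L130 has a trailing space (`apt-daily-upgrade.timer `); YAML strips it from a plain scalar so it is harmless today, but it fails yamllint and would break the moment the value is quoted. `restart-sshd` keeps the short `service:` name while the new handlers use FQCNs (`ansible.builtin.service`/`ansible.builtin.systemd`) — use one form throughout.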
diff --git a/tasks/main.yml b/tasks/main.yml
index 18357cc..7e94fae 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,7 +3,14 @@
   include_vars: "{{ ansible_os_family }}.yml"
 
 - name: Set machine hostname
-  hostname: name="{{ inventory_hostname_short | lower | regex_replace('_','') }}"
+  hostname:
+    name: "{{ inventory_hostname_short | lower | regex_replace('_','') }}"
+
+- name: Set timezone to Europe/Paris
+  community.general.timezone:
+    name: Europe/Paris
+  notify:
+    - restart-cron
 
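Review bot: `Set timezone to Europe/Paris` hard-codes the zone and notifies `restart-cron`, whose service name `cron` is Debian-specific (`crond` on RedHat-family systems), yet unlike the apt tasks this one has no `when: ansible_os_family == "Debian"` guard even though the role loads per-family vars on L138 — on a non-Debian host the handler would presumably fail. Make the zone a role variable (`timezone: Europe/Paris` in defaults and `name: "{{ timezone }}"` here) and either guard the handler or take the cron service name from the family vars file. Note that the apt timer drop-ins added in this commit use local time, so their schedule moves with this setting.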
 - name: Never include APT phased update
   copy:
@@ -81,6 +88,69 @@
     mode: '0644'
   when: ansible_os_family == "Debian"
 
+- name: Remove Unattended Upgrades
+  apt:
+    name: "unattended-upgrades"
+    autoremove: true
+    purge: true
+    state: absent
+  when: ansible_os_family == "Debian" and inventory_hostname not in groups.maintenance_contract
+
+- name: Install Unattended Upgrades
+  apt:
+    name: "unattended-upgrades"
+    state: present
+  when: ansible_os_family == "Debian" and inventory_hostname in groups.maintenance_contract
+
+- name: Copy Unattended Upgrades configuration
+  ansible.builtin.copy:
+    src: 'apt-unattended-upgrades'
+    dest: '/etc/apt/apt.conf.d/50unattended-upgrades'
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: Create apt-daily timer directory if it does not exist
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily.timer.d'
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: override apt-daily timer
+  ansible.builtin.copy:
+    src: 'apt-daily.timer'
+    dest: '/etc/systemd/system/apt-daily.timer.d/override.conf'
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups.maintenance_contract
+  notify:
+    - restart-apt-update-timer
+
+- name: Create apt-daily-upgrade timer directory if it does not exist
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily-upgrade.timer.d'
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: override apt-daily-upgrade timer
+  ansible.builtin.copy:
+    src: 'apt-daily-upgrade.timer'
+    dest: '/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf'
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups.maintenance_contract
+  notify:
+    - restart-apt-upgrade-timer
+
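Review bot: Every new `when:` in this hunk dereferences `groups.maintenance_contract` directly (L163, L169, L178, L187, L196, L207, L216), so an inventory that simply has no `maintenance_contract` group aborts the play with an undefined-variable error instead of treating the group as empty — including the removal task on L163 that is meant to run on ordinary hosts; use `inventory_hostname in (groups['maintenance_contract'] | default([]))`. The config-copy and timer tasks (L171–L218) also drop the `ansible_os_family == "Debian"` guard that the install/remove tasks carry, so a non-Debian member of the group would get `/etc/apt/apt.conf.d` and apt timer drop-ins written at it; computing the condition once with `set_fact` (e.g. `apt_unattended_managed`) and reusing it keeps the seven conditions consistent. Finally, `autoremove: true` on the removal task runs `apt-get remove --auto-remove`, which presumably also removes any other auto-installed packages no longer needed, not just this package's dependencies — confirm that is intended on every non-contract host.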
 - name: Create {{ host_user }} group
   group:
     name: "{{ host_user }}"
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 6538faa..61ed1d6 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -2,7 +2,6 @@
 packages_to_remove:
   - samba*
   - snapd
-  - unattended-upgrades
   - popularity-contest
   - ubuntu-advantage-tools
 files_to_remove:
-- 
GitLab