feat: configure unattended upgrade

files/apt-daily-upgrade.timer

+[Timer]
+OnCalendar=
+OnCalendar=Tuesday 5:00
+RandomizedDelaySec=10m

files/apt-daily.timer

+[Timer]
+OnCalendar=
+OnCalendar=Tuesday 4:30
+RandomizedDelaySec=10m

files/apt-unattended-upgrades

+Unattended-Upgrade::Allowed-Origins {
+	"${distro_id}:${distro_codename}";
+	"${distro_id}:${distro_codename}-security";
+	"${distro_id}:${distro_codename}-updates";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+
+Unattended-Upgrade::DevRelease "false";
+
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+Unattended-Upgrade::MinimalSteps "true";
+
+Unattended-Upgrade::InstallOnShutdown "false";
+
+//Unattended-Upgrade::Mail "";
+
+// "always", "only-on-error" or "on-change"
+//Unattended-Upgrade::MailReport "on-change";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+Unattended-Upgrade::Automatic-Reboot "true";
+
+Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
+
+Unattended-Upgrade::Automatic-Reboot-Time "now";
+
+Unattended-Upgrade::SyslogEnable "true";
+
+Unattended-Upgrade::SyslogFacility "daemon";
+
+Unattended-Upgrade::OnlyOnACPower "false";
+
+Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";
+
+Unattended-Upgrade::Verbose "false";
+
+Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

handlers/main.yml

 ---
 
 - name: restart-sshd
-  service: name=sshd state=restarted
+  service:
+    name: sshd
+    state: restarted
+
+- name: restart-cron
+  ansible.builtin.service:
+    name: cron
+    state: restarted
+
+- name: restart-apt-update-timer
+  ansible.builtin.systemd:
+    name: apt-daily.timer
+    state: restarted
+    enabled: true
+
+- name: restart-apt-upgrade-timer
+  ansible.builtin.systemd:
+    name: apt-daily-upgrade.timer 
+    state: restarted
+    enabled: true

tasks/main.yml

@@ -3,7 +3,14 @@
   include_vars: "{{ ansible_os_family }}.yml"
 
 - name: Set machine hostname
-  hostname: name="{{ inventory_hostname_short | lower | regex_replace('_','') }}"
+  hostname:
+    name: "{{ inventory_hostname_short | lower | regex_replace('_','') }}"
+
+- name: Set timezone to Europe/Paris
+  community.general.timezone:
+    name: Europe/Paris
+  notify:
+    - restart-cron
 
 - name: Never include APT phased update
   copy:
@@ -81,6 +88,69 @@
     mode: '0644'
   when: ansible_os_family == "Debian"
 
+- name: Remove Unattended Upgrades
+  apt:
+    name: "unattended-upgrades"
+    autoremove: true
+    purge: true
+    state: absent
+  when: ansible_os_family == "Debian" and inventory_hostname not in groups.maintenance_contract
+
+- name: Install Unattended Upgrades
+  apt:
+    name: "unattended-upgrades"
+    state: present
+  when: ansible_os_family == "Debian" and inventory_hostname in groups.maintenance_contract
+
+- name: Copy Unattended Upgrades configuration
+  ansible.builtin.copy:
+    src: 'apt-unattended-upgrades'
+    dest: '/etc/apt/apt.conf.d/50unattended-upgrades'
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: Create apt-daily timer directory if it does not exist
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily.timer.d'
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: override apt-daily timer
+  ansible.builtin.copy:
+    src: 'apt-daily.timer'
+    dest: '/etc/systemd/system/apt-daily.timer.d/override.conf'
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups.maintenance_contract
+  notify:
+    - restart-apt-update-timer
+
+- name: Create apt-daily-upgrade timer directory if it does not exist
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily-upgrade.timer.d'
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: override apt-daily-upgrade timer
+  ansible.builtin.copy:
+    src: 'apt-daily-upgrade.timer'
+    dest: '/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf'
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups.maintenance_contract
+  notify:
+    - restart-apt-upgrade-timer
+
 - name: Create {{ host_user }} group
   group:
     name: "{{ host_user }}"

vars/Debian.yml

@@ -2,7 +2,6 @@
 packages_to_remove:
   - samba*
   - snapd
-  - unattended-upgrades
   - popularity-contest
   - ubuntu-advantage-tools
 files_to_remove: