From b741ccdb179cb6ddac3507995a2088368ec24be1 Mon Sep 17 00:00:00 2001
From: saibotk
Date: Tue, 2 May 2023 00:44:40 +0200
Subject: [PATCH] roles: Add unattended_upgrades role
---
playbooks/site.yml | 2 +
playbooks/unattended_upgrades.yml | 22 +++++
roles/unattended_upgrades/README.md | 21 +++++
roles/unattended_upgrades/defaults/main.yml | 40 +++++++++
roles/unattended_upgrades/handlers/main.yml | 24 ++++++
roles/unattended_upgrades/meta/main.yml | 17 ++++
roles/unattended_upgrades/tasks/CentOS-7.yml | 42 ++++++++++
roles/unattended_upgrades/tasks/Debian.yml | 25 ++++++
roles/unattended_upgrades/tasks/main.yml | 27 ++++++
.../templates/yum-cron.conf | 83 +++++++++++++++++++
10 files changed, 303 insertions(+)
create mode 100644 playbooks/unattended_upgrades.yml
create mode 100644 roles/unattended_upgrades/README.md
create mode 100644 roles/unattended_upgrades/defaults/main.yml
create mode 100644 roles/unattended_upgrades/handlers/main.yml
create mode 100644 roles/unattended_upgrades/meta/main.yml
create mode 100644 roles/unattended_upgrades/tasks/CentOS-7.yml
create mode 100644 roles/unattended_upgrades/tasks/Debian.yml
create mode 100644 roles/unattended_upgrades/tasks/main.yml
create mode 100644 roles/unattended_upgrades/templates/yum-cron.conf
diff --git a/playbooks/site.yml b/playbooks/site.yml
index a50da75..853fae8 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -17,6 +17,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 
+- name: Install & configure unattended upgrades
+ import_playbook: unattended_upgrades.yml
 - name: Install & configure ipv6 NAT for Docker
 import_playbook: docker_ipv6_nat.yml
 - name: Install & configure backup solution using LVM
diff --git a/playbooks/unattended_upgrades.yml b/playbooks/unattended_upgrades.yml
new file mode 100644
index 0000000..19f9960
--- /dev/null
+++ b/playbooks/unattended_upgrades.yml
@@ -0,0 +1,22 @@
+---
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+- name: Configure unattended upgrades
+ hosts: unattended_upgrades
+ roles:
+ - unattended_upgrades
diff --git a/roles/unattended_upgrades/README.md b/roles/unattended_upgrades/README.md
new file mode 100644
index 0000000..74ee825
--- /dev/null
+++ b/roles/unattended_upgrades/README.md
@@ -0,0 +1,21 @@
+unattended_upgrades
+=========
+
+This will install the needed packages and configurations for unattended system upgrades.
+
+Requirements
+------------
+
+Either CentOS 7 or an Debian based system.
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
+
+License
+-------
+
+GPL-3.0-only
diff --git a/roles/unattended_upgrades/defaults/main.yml b/roles/unattended_upgrades/defaults/main.yml
new file mode 100644
index 0000000..3ea5c34
--- /dev/null
+++ b/roles/unattended_upgrades/defaults/main.yml
@@ -0,0 +1,40 @@
+---
+# Default variables for the unattended_upgrades role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Control if the needed packages should be installed or removed
+unattended_upgrades_package_state: "present"
+
+# ### yum-cron related settings ###
+
+# What kind of package updates should be installed automatically?
+# default = yum upgrade
+# security = yum --security upgrade
+# security-severity:Critical = yum --sec-severity=Critical upgrade
+# minimal = yum --bugfix update-minimal
+# minimal-security = yum --security update-minimal
+# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
+unattended_upgrades_yum_cron_level: "security"
+
+# Maximum amout of time to randomly sleep, in minutes. The program
+# will sleep for a random amount of time between 0 and random_sleep
+# minutes before running. This is useful for e.g. staggering the
+# times that multiple systems will access update servers. If
+# random_sleep is 0 or negative, the program will run immediately.
+# 6*60 = 360
+unattended_upgrades_yum_cron_random_sleep: 60
diff --git a/roles/unattended_upgrades/handlers/main.yml b/roles/unattended_upgrades/handlers/main.yml
new file mode 100644
index 0000000..47c49aa
--- /dev/null
+++ b/roles/unattended_upgrades/handlers/main.yml
@@ -0,0 +1,24 @@
+---
+# Handlers file for the unattended_upgrades role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+- name: Restart yum-cron service
+ ansible.builtin.service:
+ name: "yum-cron"
+ state: "restarted"
+ become: true
diff --git a/roles/unattended_upgrades/meta/main.yml b/roles/unattended_upgrades/meta/main.yml
new file mode 100644
index 0000000..642e55d
--- /dev/null
+++ b/roles/unattended_upgrades/meta/main.yml
@@ -0,0 +1,17 @@
+galaxy_info:
+ author: saibotk
+ description: Installs packages and configs needed for unattended system upgrades.
+ license: GPL-3.0-only
+ min_ansible_version: "2.9"
+
+ platforms:
+ - name: EL
+ versions:
+ - "7"
+ - name: Debian
+ versions:
+ - all
+
+ galaxy_tags: []
+
+dependencies: []
diff --git a/roles/unattended_upgrades/tasks/CentOS-7.yml b/roles/unattended_upgrades/tasks/CentOS-7.yml
new file mode 100644
index 0000000..344c16b
--- /dev/null
+++ b/roles/unattended_upgrades/tasks/CentOS-7.yml
@@ -0,0 +1,42 @@
+---
+# Tasks file for the unattended_upgrades role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+#
+# Copyright (C) 2021 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+- name: Ensure yum-cron is installed.
+ ansible.builtin.package:
+ name: "yum-cron"
+ state: "{{ unattended_upgrades_package_state }}"
+ become: true
+
+- name: Deploy yum-cron.conf
+ ansible.builtin.template:
+ dest: /etc/yum/yum-cron.conf
+ src: yum-cron.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Restart yum-cron service
+ become: true
+
+- name: Ensure yum-cron service is enabled and started.
+ ansible.builtin.service:
+ name: yum-cron
+ state: started
+ enabled: true
+ become: true
diff --git a/roles/unattended_upgrades/tasks/Debian.yml b/roles/unattended_upgrades/tasks/Debian.yml
new file mode 100644
index 0000000..050edde
--- /dev/null
+++ b/roles/unattended_upgrades/tasks/Debian.yml
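Review bot: The `Deploy yum-cron.conf` and `Ensure yum-cron service is enabled and started.` tasks run regardless of `unattended_upgrades_package_state`, so a run with that variable set to `absent` (the removal the defaults comment advertises) first removes yum-cron, then rewrites /etc/yum/yum-cron.conf and, most likely, fails on `state: started` for a unit that no longer exists. Either guard both tasks with `when: unattended_upgrades_package_state == "present"` or document in defaults/main.yml that only `present` is supported on EL 7. The `mode: "0644"` on the template is appropriate since the rendered file holds no secrets.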
@@ -0,0 +1,25 @@
+---
+# Tasks file for the unattended_upgrades role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+#
+# Copyright (C) 2021 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+- name: Ensure unattended-upgrades is installed.
+ ansible.builtin.package:
+ name: "unattended-upgrades"
+ state: "{{ unattended_upgrades_package_state }}"
+ become: true
diff --git a/roles/unattended_upgrades/tasks/main.yml b/roles/unattended_upgrades/tasks/main.yml
new file mode 100644
index 0000000..61cccca
--- /dev/null
+++ b/roles/unattended_upgrades/tasks/main.yml
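Review bot: The Debian branch only installs the `unattended-upgrades` package; nothing in this hunk enables the periodic run or pins which updates are applied, so the security-only policy the CentOS branch enforces through `unattended_upgrades_yum_cron_level` has no counterpart here, and the README's "packages and configurations" claim holds only for EL 7. Whether upgrades then run at all depends on the distribution package's default `APT::Periodic::*` settings under /etc/apt/apt.conf.d, which the role neither asserts nor manages, and a host whose defaults were changed by hand will silently diverge from the rest of the fleet. Consider managing that switch explicitly, gated on the package state like the CentOS tasks should be, for example:
```yaml
# … unchanged: package install task …

- name: Ensure APT periodic unattended upgrades are enabled.
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    owner: root
    group: root
    mode: "0644"
  become: true
  when: unattended_upgrades_package_state == "present"
```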
@@ -0,0 +1,27 @@
+---
+# Tasks file for the unattended_upgrades role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}" # noqa name[template]
+ ansible.builtin.include_tasks: "{{ distro_file }}"
+ with_first_found:
+ - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ loop_control:
+ loop_var: distro_file
diff --git a/roles/unattended_upgrades/templates/yum-cron.conf b/roles/unattended_upgrades/templates/yum-cron.conf
new file mode 100644
index 0000000..3ef026b
--- /dev/null
+++ b/roles/unattended_upgrades/templates/yum-cron.conf
@@ -0,0 +1,83 @@
+# {{ ansible_managed }}
+
+[commands]
+# What kind of update to use:
+# default = yum upgrade
+# security = yum --security upgrade
+# security-severity:Critical = yum --sec-severity=Critical upgrade
+# minimal = yum --bugfix update-minimal
+# minimal-security = yum --security update-minimal
+# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
+update_cmd = {{ unattended_upgrades_yum_cron_level }}
+
+# Whether a message should be emitted when updates are available,
+# were downloaded, or applied.
+update_messages = yes
+
+# Whether updates should be downloaded when they are available.
+download_updates = yes
+
+# Whether updates should be applied when they are available. Note
+# that download_updates must also be yes for the update to be applied.
+apply_updates = yes
+
+# Maximum amout of time to randomly sleep, in minutes. The program
+# will sleep for a random amount of time between 0 and random_sleep
+# minutes before running. This is useful for e.g. staggering the
+# times that multiple systems will access update servers. If
+# random_sleep is 0 or negative, the program will run immediately.
+# 6*60 = 360
+random_sleep = {{ unattended_upgrades_yum_cron_random_sleep }}
+
+
+[emitters]
+# Name to use for this system in messages that are emitted. If
+# system_name is None, the hostname will be used.
+system_name = None
+
+# How to send messages. Valid options are stdio and email. If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages. If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = stdio
+
+# The width, in characters, that messages that are emitted should be
+# formatted to.
+output_width = 80
+
+
+[email]
+# The address to send email messages from.
+# NOTE: 'localhost' will be replaced with the value of system_name.
+email_from = root@localhost
+
+# List of addresses to send messages to.
+email_to = root
+
+# Name of the host to connect to to send email messages.
+email_host = localhost
+
+
+[groups]
+# NOTE: This only works when group_command != objects, which is now the default
+# List of groups to update
+group_list = None
+
+# The types of group packages to install
+group_package_types = mandatory, default
+
+[base]
+# This section overrides yum.conf
+
+# Use this to filter Yum core messages
+# -4: critical
+# -3: critical+errors
+# -2: critical+errors+warnings (default)
+debuglevel = -2
+
+# skip_broken = True
+mdpolicy = group:main
+
+# Uncomment to auto-import new gpg keys (dangerous)
+# assumeyes = True
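Review bot: `apply_updates = yes` makes yum-cron install packages on its own, but nothing here restarts the services that still map the replaced libraries or reboots after a kernel update, so processes can keep running old code until someone intervenes; the template should state that next to `apply_updates`, e.g. `# yum-cron only installs packages; restarting affected services (see needs-restarting from yum-utils) and rebooting for kernel updates remain separate steps`. `download_updates`, `apply_updates` and `emit_via` are hard-coded while `update_cmd` and `random_sleep` are templated; if applying is meant to be mandatory for this role, a one-line comment at the top of `[commands]` saying so would keep the next reader from adding variables for them. The `# 6*60 = 360` line is the upstream default's arithmetic and no longer matches the role default of 60, and the same comment block, including the typo `amout`, is duplicated in defaults/main.yml.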