roles: Add unattended_upgrades role

This commit is contained in:
saibotk 2023-05-02 00:44:40 +02:00
parent 3bfe42aeeb
commit b741ccdb17
Signed by: saibotk
GPG key ID: 67585F0065E261D5
10 changed files with 303 additions and 0 deletions


@ -17,6 +17,8 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure unattended upgrades
import_playbook: unattended_upgrades.yml
- name: Install & configure ipv6 NAT for Docker - name: Install & configure ipv6 NAT for Docker
import_playbook: docker_ipv6_nat.yml import_playbook: docker_ipv6_nat.yml
- name: Install & configure backup solution using LVM - name: Install & configure backup solution using LVM


@ -0,0 +1,22 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Configure unattended upgrades
hosts: unattended_upgrades
roles:
- unattended_upgrades


@ -0,0 +1,21 @@
unattended_upgrades
=========
This will install the needed packages and configurations for unattended system upgrades.
Requirements
------------
Either CentOS 7 or an Debian based system.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
License
-------
GPL-3.0-only


@ -0,0 +1,40 @@
---
# Default variables for the unattended_upgrades role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Control if the needed packages should be installed or removed
unattended_upgrades_package_state: "present"
# ### yum-cron related settings ###
# What kind of package updates should be installed automatically?
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix update-minimal
# minimal-security = yum --security update-minimal
# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
unattended_upgrades_yum_cron_level: "security"
# Maximum amout of time to randomly sleep, in minutes. The program
# will sleep for a random amount of time between 0 and random_sleep
# minutes before running. This is useful for e.g. staggering the
# times that multiple systems will access update servers. If
# random_sleep is 0 or negative, the program will run immediately.
# 6*60 = 360
unattended_upgrades_yum_cron_random_sleep: 60
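Review bot: The comment `# 6*60 = 360` above `unattended_upgrades_yum_cron_random_sleep` is copied from the upstream yum-cron.conf, where it explains the shipped default of 360, but the role defaults the variable to 60, so the line now contradicts the value it annotates; replace it with `# Minutes; role default 60 (upstream yum-cron.conf ships 360)`. The same block carries the typo `amout`, repeated in the yum-cron.conf template in this commit. The file declares no Debian-side variables, so on Debian hosts `unattended_upgrades_package_state` appears to be the only knob; a one-line comment saying that the yum-cron settings apply to EL hosts only would save a reader from looking for Debian equivalents.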


@ -0,0 +1,24 @@
---
# Handlers file for the unattended_upgrades role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Restart yum-cron service
ansible.builtin.service:
name: "yum-cron"
state: "restarted"
become: true


@ -0,0 +1,17 @@
galaxy_info:
author: saibotk
description: Installs packages and configs needed for unattended system upgrades.
license: GPL-3.0-only
min_ansible_version: "2.9"
platforms:
- name: EL
versions:
- "7"
- name: Debian
versions:
- all
galaxy_tags: []
dependencies: []


@ -0,0 +1,42 @@
---
# Tasks file for the unattended_upgrades role
# Infrastructure
# Ansible instructions to deploy the infrastructure
#
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure yum-cron is installed.
ansible.builtin.package:
name: "yum-cron"
state: "{{ unattended_upgrades_package_state }}"
become: true
- name: Deploy yum-cron.conf
ansible.builtin.template:
dest: /etc/yum/yum-cron.conf
src: yum-cron.conf
owner: root
group: root
mode: "0644"
notify: Restart yum-cron service
become: true
- name: Ensure yum-cron service is enabled and started.
ansible.builtin.service:
name: yum-cron
state: started
enabled: true
become: true
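Review bot: The `Deploy yum-cron.conf` and `Ensure yum-cron service is enabled and started` tasks run unconditionally, so a run with `unattended_upgrades_package_state: absent` — a value the variable's comment in defaults presents as supported — removes yum-cron and then fails on the missing unit. Guard both tasks with `when: unattended_upgrades_package_state == "present"`; skipping the template task also skips its notify, so the `Restart yum-cron service` handler is never queued for a service that no longer exists. If the removal path should also clean up, a separate `ansible.builtin.file` task with `state: absent` on `/etc/yum/yum-cron.conf` under the inverse condition would keep the two states symmetric.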


@ -0,0 +1,25 @@
---
# Tasks file for the unattended_upgrades role
# Infrastructure
# Ansible instructions to deploy the infrastructure
#
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure unattended-upgrades is installed.
ansible.builtin.package:
name: "unattended-upgrades"
state: "{{ unattended_upgrades_package_state }}"
become: true
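Review bot: The Debian branch only installs the package; nothing here asserts that periodic runs are enabled or that the apt upgrade timer is active, whereas the CentOS branch templates its configuration and manages the service. Whether upgrades actually run on a Debian host after this task therefore depends on the package's postinst defaults, which the role neither sets nor reconciles on later runs. Managing `/etc/apt/apt.conf.d/20auto-upgrades` explicitly and enabling `apt-daily-upgrade.timer`, guarded by the same package-state variable, makes the role's promise of unattended upgrades hold on both platforms.
```yaml
# … unchanged: "Ensure unattended-upgrades is installed." task …

- name: Ensure periodic unattended upgrades are enabled.
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    owner: root
    group: root
    mode: "0644"
  become: true
  when: unattended_upgrades_package_state == "present"

- name: Ensure apt-daily-upgrade timer is enabled and started.
  ansible.builtin.systemd:
    name: apt-daily-upgrade.timer
    state: started
    enabled: true
  become: true
  when: unattended_upgrades_package_state == "present"
```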


@ -0,0 +1,27 @@
---
# Tasks file for the unattended_upgrades role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}" # noqa name[template]
ansible.builtin.include_tasks: "{{ distro_file }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
loop_control:
loop_var: distro_file


@ -0,0 +1,83 @@
# {{ ansible_managed }}
[commands]
# What kind of update to use:
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix update-minimal
# minimal-security = yum --security update-minimal
# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
update_cmd = {{ unattended_upgrades_yum_cron_level }}
# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes
# Whether updates should be downloaded when they are available.
download_updates = yes
# Whether updates should be applied when they are available. Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes
# Maximum amout of time to randomly sleep, in minutes. The program
# will sleep for a random amount of time between 0 and random_sleep
# minutes before running. This is useful for e.g. staggering the
# times that multiple systems will access update servers. If
# random_sleep is 0 or negative, the program will run immediately.
# 6*60 = 360
random_sleep = {{ unattended_upgrades_yum_cron_random_sleep }}
[emitters]
# Name to use for this system in messages that are emitted. If
# system_name is None, the hostname will be used.
system_name = None
# How to send messages. Valid options are stdio and email. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = stdio
# The width, in characters, that messages that are emitted should be
# formatted to.
output_width = 80
[email]
# The address to send email messages from.
# NOTE: 'localhost' will be replaced with the value of system_name.
email_from = root@localhost
# List of addresses to send messages to.
email_to = root
# Name of the host to connect to to send email messages.
email_host = localhost
[groups]
# NOTE: This only works when group_command != objects, which is now the default
# List of groups to update
group_list = None
# The types of group packages to install
group_package_types = mandatory, default
[base]
# This section overrides yum.conf
# Use this to filter Yum core messages
# -4: critical
# -3: critical+errors
# -2: critical+errors+warnings (default)
debuglevel = -2
# skip_broken = True
mdpolicy = group:main
# Uncomment to auto-import new gpg keys (dangerous)
# assumeyes = True
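Review bot: The `[base]` section, which its own first comment says overrides yum.conf, leaves `gpgcheck` unset, so whether the packages that `apply_updates = yes` installs unattended are signature-checked is inherited from whatever the host's yum.conf and repo files say at run time. Pinning `gpgcheck = 1` below `debuglevel = -2`, preceded by `# Never apply unverified packages unattended, regardless of yum.conf`, keeps the automatic path from silently running with verification disabled on a host where someone turned it off. I am inferring from upstream yum-cron that `[base]` keys are mapped onto yum main options; confirm against the yum-cron version shipped on the EL 7 targets before relying on it.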