diff options
| author | Daniel Weipert <code@drogueronin.de> | 2021-04-28 16:28:39 +0200 |
|---|---|---|
| committer | Daniel Weipert <code@drogueronin.de> | 2021-04-28 16:28:39 +0200 |
| commit | 6f5455f6c525d5e5acedc8f5fcace1c2a9279423 (patch) | |
| tree | 8a52aa12b8d4318033ca4a53c5fbd94db593b9ac /src | |
| parent | a9a428462acb8aecc4c335027d552a30bb7c49b5 (diff) | |
Diffstat (limited to 'src')
| -rw-r--r-- | src/BaseServerSetup.php | 30 | ||||
| -rw-r--r-- | src/unattended-upgrades/auto-upgrades.twig | 25 | ||||
| -rw-r--r-- | src/unattended-upgrades/unattended-upgrades.php | 140 | ||||
| -rw-r--r-- | src/unattended-upgrades/unattended-upgrades.twig | 117 |
4 files changed, 5 insertions, 307 deletions
diff --git a/src/BaseServerSetup.php b/src/BaseServerSetup.php index 7ff1efb..206d773 100644 --- a/src/BaseServerSetup.php +++ b/src/BaseServerSetup.php @@ -2,11 +2,11 @@ namespace Dweipert\DevOps\BaseServerSetup; +use Dweipert\DevOps\UnattendedUpgrades\UnattendedUpgrades; use PHPIAC\Module\State; use PHPIAC\Modules\AptModule; use PHPIAC\Modules\CopyModule; use PHPIAC\Modules\GitModule; -use PHPIAC\Modules\TemplateModule; use PHPIAC\Modules\UfwModule; use PHPIAC\Modules\UserModule; use PHPIAC\Role\RoleInterface; @@ -17,8 +17,7 @@ class BaseServerSetup implements RoleInterface public function __invoke(array $config = []): array { $config = array_replace_recursive( - include __DIR__ . '/unattended-upgrades/unattended-upgrades.php', - [ + ['unattended_upgrades' => [ 'unattended_origins_patterns' => [ 'o=${distro_id},a=${distro_codename}', 'o=${distro_id},a=${distro_codename}-security', @@ -26,32 +25,13 @@ class BaseServerSetup implements RoleInterface 'unattended_mail' => $config['mail'], 'unattended_automatic_reboot' => true, 'unattended_syslog_enable' => true, - ], + ]], $config ); return [ # setup unattended upgrades - (new Task())->setModule(new AptModule([ - 'package' => 'unattended-upgrades', - 'updateCache' => true, - ])), - (new Task())->setModule(new TemplateModule([ - 'src' => __DIR__ . '/unattended-upgrades/auto-upgrades.twig', - 'dest' => '/etc/apt/apt.conf.d/20auto-upgrades', - 'vars' => $config, - 'owner' => 'root', - 'group' => 'root', - 'mode' => 0644, - ])), - (new Task())->setModule(new TemplateModule([ - 'src' => __DIR__ . '/unattended-upgrades/unattended-upgrades.twig', - 'dest' => '/etc/apt/apt.conf.d/50unattended-upgrades', - 'vars' => $config, - 'owner' => 'root', - 'group' => 'root', - 'mode' => 0644, - ])), + ...(new UnattendedUpgrades())($config['unattended_upgrades']), # setup user (new Task())->setModule(new AptModule([ @@ -66,7 +46,7 @@ class BaseServerSetup implements RoleInterface ])), (new Task())->setModule(new CopyModule([ 'src' => '~/.ssh', - 'dest' => '/home/' . $config['username'], + 'dest' => '/home/' . $config['username'] . '/.ssh', 'owner' => $config['username'], 'group' => $config['username'], 'remoteSrc' => true, diff --git a/src/unattended-upgrades/auto-upgrades.twig b/src/unattended-upgrades/auto-upgrades.twig deleted file mode 100644 index 388a028..0000000 --- a/src/unattended-upgrades/auto-upgrades.twig +++ /dev/null @@ -1,25 +0,0 @@ -APT::Periodic::Unattended-Upgrade "1"; - -{% if unattended_update_package_list is defined %} -APT::Periodic::Update-Package-Lists "{{unattended_update_package_list}}"; -{% endif %} - -{% if unattended_download_upgradeable is defined %} -APT::Periodic::Download-Upgradeable-Packages "{{unattended_download_upgradeable}}"; -{% endif %} - -{% if unattended_autoclean_interval is defined %} -APT::Periodic::AutocleanInterval "{{unattended_autoclean_interval}}"; -{% endif %} - -{% if unattended_clean_interval is defined %} -APT::Periodic::CleanInterval "{{unattended_clean_interval}}"; -{% endif %} - -{% if unattended_verbose is defined %} -APT::Periodic::Verbose "{{unattended_verbose}}"; -{% endif %} - -{% if unattended_random_sleep is defined %} -APT::Periodic::RandomSleep "{{unattended_random_sleep}}"; -{% endif %} diff --git a/src/unattended-upgrades/unattended-upgrades.php b/src/unattended-upgrades/unattended-upgrades.php deleted file mode 100644 index 1c3f73c..0000000 --- a/src/unattended-upgrades/unattended-upgrades.php +++ /dev/null @@ -1,140 +0,0 @@ -<?php - -return [ - # Cache update time for apt module - 'unattended_cache_valid_time' => 3600, - - #Unattended-Upgrade::Origins-Pattern - # Automatically upgrade packages from these origin patterns - # e.g.: 'o=Debian,a=stable', 'o=Debian,a=stable-updates' - # - # Left unset, distribution-specific defaults will be used through - # __unattended_origins_patterns variable only if this variable - # is not provided externally - # REFS https://github.com/ansible/ansible/issues/8121 - #'unattended_origins_patterns' => [], - - #Unattended-Upgrade::Package-Blacklist - # List of packages to not update - 'unattended_package_blacklist' => [], - - #Unattended-Upgrade::AutoFixInterruptedDpkg - # On a unclean dpkg exit unattended-upgrades will run - # dpkg --force-confold --configure -a - # The default is true, to ensure updates keep getting installed - 'unattended_autofix_interrupted_dpkg' => true, - - #Unattended-Upgrade::MinimalSteps - # Split the upgrade into the smallest possible chunks so that - # they can be interrupted with SIGUSR1. This makes the upgrade - # a bit slower but it has the benefit that shutdown while a upgrade - # is running is possible (with a small delay) - 'unattended_minimal_steps' => true, - - #Unattended-Upgrade::InstallOnShutdown - # Install all unattended-upgrades when the machine is shuting down - # instead of doing it in the background while the machine is running - # This will (obviously) make shutdown slower - 'unattended_install_on_shutdown' => false, - - #Unattended-Upgrade::Mail - # Send email to this address for problems or packages upgrades - # If empty or unset then no email is sent, make sure that you - # have a working mail setup on your system. A package that provides - # 'mailx' must be installed. - 'unattended_mail' => false, - - #Unattended-Upgrade::MailOnlyOnError - # Set this value to "true" to get emails only on errors. Default - # is to always send a mail if Unattended-Upgrade::Mail is set - 'unattended_mail_only_on_error' => false, - - #Unattended-Upgrade::Remove-Unused-Dependencies - # Do automatic removal of all unused dependencies after the upgrade - # (equivalent to apt-get autoremove) - 'unattended_remove_unused_dependencies' => false, - - #Unattended-Upgrade::Remove-New-Unused-Dependencies - # Remove any new unused dependencies after the upgrade - 'unattended_remove_new_unused_dependencies' => true, - - #Unattended-Upgrade::Automatic-Reboot - # Automatically reboot *WITHOUT CONFIRMATION* if a - # the file /var/run/reboot-required is found after the upgrade - 'unattended_automatic_reboot' => false, - - #Unattended-Upgrade::Automatic-Reboot-Time - # If automatic reboot is enabled and needed, reboot at the specific - # time instead of immediately - 'unattended_automatic_reboot_time' => false, - - #Unattended-Upgrade::IgnoreAppsRequireRestart - # Do upgrade application even if it requires restart after upgrade - # I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file - 'unattended_ignore_apps_require_restart' => false, - - #Unattended-Upgrade::SyslogEnable - # Write events to syslog, which is useful in environments where syslog - # messages are sent to a central store. - 'unattended_syslog_enable' => false, - - #Unattended-Upgrade::SyslogFacility - # Write events to the specified syslog facility, or the daemon facility if - # not specified. Requires the Unattended-Upgrade::SyslogEnable option to be - # set to true. - #'unattended_syslog_facility' => 'daemon', - - ### APT::Periodic configuration - # Snatched from /usr/lib/apt/apt.systemd.daily - - #APT::Periodic::Update-Package-Lists "0"; - # - Do "apt-get update" automatically every n-days (0=disable) - 'unattended_update_package_list' => 1, - - #APT::Periodic::Download-Upgradeable-Packages "0"; - # - Do "apt-get upgrade --download-only" every n-days (0=disable) - #'unattended_download_upgradeable' => 0, - - #APT::Periodic::AutocleanInterval "0"; - # - Do "apt-get autoclean" every n-days (0=disable) - 'unattended_autoclean_interval' => 7, - - #APT::Periodic::CleanInterval "0"; - # - Do "apt-get clean" every n-days (0=disable) - #'unattended_clean_interval' => 0, - - #APT::Periodic::Verbose "0"; - # - Send report mail to root - # 0: no report (or null string) - # 1: progress report (actually any string) - # 2: + command outputs (remove -qq, remove 2>/dev/null, add -d) - # 3: + trace on - #'unattended_verbose' => 0, - - ## Cron systems only - - #APT::Periodic::RandomSleep - # When the apt job starts, it will sleep for a random period between 0 - # and APT::Periodic::RandomSleep seconds - # The default value is "1800" so that the script will stall for up to 30 - # minutes (1800 seconds) so that the mirror servers are not crushed by - # everyone running their updates all at the same time - # Kept undefined to allow default (1800) - #'unattended_random_sleep' => 0, - - #Dpkg::Options - # Provide dpkg options that take effect during unattended upgrades. - # By default no flags are appended. Configuration file changes can - # block installation of certain packages. Passing the flags - # "--force-confdef" and "--force-confold" will ensure updates are applied - # and old configuration files are preserved. - 'unattended_dpkg_options' => [], - - # 'unattended_dpkg_options' => [ - # '--force-confdef', - # '--force-confold', - # ], - - # Use apt bandwidth limit feature, this example limits the download speed to 70kb/sec - #'unattended_dl_limit' => 70, -]; diff --git a/src/unattended-upgrades/unattended-upgrades.twig b/src/unattended-upgrades/unattended-upgrades.twig deleted file mode 100644 index 0796f6b..0000000 --- a/src/unattended-upgrades/unattended-upgrades.twig +++ /dev/null @@ -1,117 +0,0 @@ -// Unattended-Upgrade::Origins-Pattern controls which packages are -// upgraded. -Unattended-Upgrade::Origins-Pattern { -{% if unattended_origins_patterns is defined %} -{% for origin in unattended_origins_patterns %} - "{{ origin }}"; -{% endfor %} -{% endif %} -}; - -// List of packages to not update (regexp are supported) -Unattended-Upgrade::Package-Blacklist { -{% for package in unattended_package_blacklist %} - "{{ package }}"; -{% endfor %} -}; - -{% if not unattended_autofix_interrupted_dpkg %} -// This option allows you to control if on a unclean dpkg exit -// unattended-upgrades will automatically run -// dpkg --force-confold --configure -a -// The default is true, to ensure updates keep getting installed -Unattended-Upgrade::AutoFixInterruptedDpkg "false"; -{% endif %} - -// Split the upgrade into the smallest possible chunks so that -// they can be interrupted with SIGUSR1. This makes the upgrade -// a bit slower but it has the benefit that shutdown while a upgrade -// is running is possible (with a small delay) -Unattended-Upgrade::MinimalSteps "{{ unattended_minimal_steps | lower }}"; - -{% if unattended_install_on_shutdown %} -// Install all unattended-upgrades when the machine is shuting down -// instead of doing it in the background while the machine is running -// This will (obviously) make shutdown slower -Unattended-Upgrade::InstallOnShutdown "true"; -{% endif %} - -{% if unattended_mail %} -// Send email to this address for problems or packages upgrades -// If empty or unset then no email is sent, make sure that you -// have a working mail setup on your system. A package that provides -// 'mailx' must be installed. -Unattended-Upgrade::Mail "{{ unattended_mail }}"; -{% endif %} - -{% if unattended_mail_only_on_error %} -// Set this value to "true" to get emails only on errors. Default -// is to always send a mail if Unattended-Upgrade::Mail is set -Unattended-Upgrade::MailOnlyOnError "true"; -{% endif %} - -{% if unattended_remove_unused_dependencies %} -// Do automatic removal of all unused dependencies after the upgrade -// (equivalent to apt-get autoremove) -Unattended-Upgrade::Remove-Unused-Dependencies "true"; -{% endif %} - -{% if not unattended_remove_new_unused_dependencies %} -// Do automatic removal of new unused dependencies after the upgrade -Unattended-Upgrade::Remove-New-Unused-Dependencies "false"; -{% endif %} - -{% if unattended_automatic_reboot %} -// Automatically reboot *WITHOUT CONFIRMATION* if a -// the file /var/run/reboot-required is found after the upgrade -Unattended-Upgrade::Automatic-Reboot "true"; -{% endif %} - -{% if unattended_automatic_reboot_time %} -// If automatic reboot is enabled and needed, reboot at the specific -// time instead of immediately -// Default: "now" -Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_automatic_reboot_time }}"; -{% endif %} - -{% if unattended_update_days is defined %} -// Set the days of the week that updates should be applied. The days can be specified -// as localized abbreviated or full names. Or as integers where "0" is Sunday, "1" is -// Monday etc. -// Example - apply updates only on Monday and Friday: -// {"Mon";"Fri"}; -Unattended-Upgrade::Update-Days {{ unattended_update_days }}; -{% endif %} - -{% if unattended_ignore_apps_require_restart %} -// Do upgrade application even if it requires restart after upgrade -// I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file -Unattended-Upgrade::IgnoreAppsRequireRestart "true"; -{% endif %} - -{% if unattended_syslog_enable %} -// Write events to syslog, which is useful in environments where syslog -// messages are sent to a central store. -Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}"; -{% if unattended_syslog_facility is defined %} -// Write events to the specified syslog facility, or the daemon facility -// if not specified. Requires the Unattended-Upgrade::SyslogEnable option -// to be set to true. -Unattended-Upgrade::SyslogFacility "{{ unattended_syslog_facility }}"; -{% endif %} -{% endif %} - -{% if unattended_dpkg_options %} -// Append options for governing dpkg behavior, e.g. --force-confdef. -Dpkg::Options { -{% for dpkg_option in unattended_dpkg_options %} - "{{ dpkg_option }}"; -{% endfor %} -}; -{% endif %} - -{% if unattended_dl_limit is defined %} -// Use apt bandwidth limit feature, this example limits the download -// speed to 70kb/sec -Acquire::http::Dl-Limit "{{ unattended_dl_limit }}"; -{% endif %} |