authorDaniel Weipert <code@drogueronin.de>2021-04-28 16:28:39 +0200
committerDaniel Weipert <code@drogueronin.de>2021-04-28 16:28:39 +0200
commit6f5455f6c525d5e5acedc8f5fcace1c2a9279423 (patch)
tree8a52aa12b8d4318033ca4a53c5fbd94db593b9ac /src
parenta9a428462acb8aecc4c335027d552a30bb7c49b5 (diff)
Adds unattended upgrades as roleHEADmain
Diffstat (limited to 'src')
-rw-r--r--src/BaseServerSetup.php30
-rw-r--r--src/unattended-upgrades/auto-upgrades.twig25
-rw-r--r--src/unattended-upgrades/unattended-upgrades.php140
-rw-r--r--src/unattended-upgrades/unattended-upgrades.twig117
4 files changed, 5 insertions, 307 deletions
diff --git a/src/BaseServerSetup.php b/src/BaseServerSetup.php
index 7ff1efb..206d773 100644
--- a/src/BaseServerSetup.php
+++ b/src/BaseServerSetup.php
@@ -2,11 +2,11 @@
namespace Dweipert\DevOps\BaseServerSetup;
+use Dweipert\DevOps\UnattendedUpgrades\UnattendedUpgrades;
use PHPIAC\Module\State;
use PHPIAC\Modules\AptModule;
use PHPIAC\Modules\CopyModule;
use PHPIAC\Modules\GitModule;
-use PHPIAC\Modules\TemplateModule;
use PHPIAC\Modules\UfwModule;
use PHPIAC\Modules\UserModule;
use PHPIAC\Role\RoleInterface;
@@ -17,8 +17,7 @@ class BaseServerSetup implements RoleInterface
public function __invoke(array $config = []): array
{
$config = array_replace_recursive(
- include __DIR__ . '/unattended-upgrades/unattended-upgrades.php',
- [
+ ['unattended_upgrades' => [
'unattended_origins_patterns' => [
'o=${distro_id},a=${distro_codename}',
'o=${distro_id},a=${distro_codename}-security',
@@ -26,32 +25,13 @@ class BaseServerSetup implements RoleInterface
'unattended_mail' => $config['mail'],
'unattended_automatic_reboot' => true,
'unattended_syslog_enable' => true,
- ],
+ ]],
$config
);
return [
# setup unattended upgrades
- (new Task())->setModule(new AptModule([
- 'package' => 'unattended-upgrades',
- 'updateCache' => true,
- ])),
- (new Task())->setModule(new TemplateModule([
- 'src' => __DIR__ . '/unattended-upgrades/auto-upgrades.twig',
- 'dest' => '/etc/apt/apt.conf.d/20auto-upgrades',
- 'vars' => $config,
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => 0644,
- ])),
- (new Task())->setModule(new TemplateModule([
- 'src' => __DIR__ . '/unattended-upgrades/unattended-upgrades.twig',
- 'dest' => '/etc/apt/apt.conf.d/50unattended-upgrades',
- 'vars' => $config,
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => 0644,
- ])),
+ ...(new UnattendedUpgrades())($config['unattended_upgrades']),
# setup user
(new Task())->setModule(new AptModule([
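Review bot: The `array_replace_recursive` call that this statement completes (it opens in the preceding hunk) merges the default `unattended_origins_patterns` list with a caller-supplied one by integer index, so a caller passing `'unattended_upgrades' => ['unattended_origins_patterns' => ['o=Debian,a=stable']]` replaces only index 0 and silently keeps the default `o=${distro_id},a=${distro_codename}-security` entry at index 1, and there is no way to supply a shorter list at all. If a supplied list is meant to win wholesale, merge the nested `unattended_upgrades` array with a non-recursive `array_replace` and say so above the call, e.g. `# caller-supplied unattended_upgrades keys replace the defaults wholesale; lists are not merged by index`. The spread `...(new UnattendedUpgrades())($config['unattended_upgrades'])` also presumes the role returns a list of Task objects, which this diff does not show.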
@@ -66,7 +46,7 @@ class BaseServerSetup implements RoleInterface
])),
(new Task())->setModule(new CopyModule([
'src' => '~/.ssh',
- 'dest' => '/home/' . $config['username'],
+ 'dest' => '/home/' . $config['username'] . '/.ssh',
'owner' => $config['username'],
'group' => $config['username'],
'remoteSrc' => true,
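Review bot: The CopyModule now copies the entire remote `~/.ssh` directory into `/home/<username>/.ssh` and chowns it to the new user, so anything the source account keeps there besides `authorized_keys` (private keys, `config`, `known_hosts`) is handed to that user too; narrowing it to `'src' => '~/.ssh/authorized_keys'` and `'dest' => '/home/' . $config['username'] . '/.ssh/authorized_keys'` limits the copy to what the login needs. No `'mode'` appears in the visible lines, unlike the TemplateModule tasks elsewhere in the file; if CopyModule accepts that key and none is set outside the hunk, the copied files keep the source permissions, and sshd with StrictModes rejects an `authorized_keys` that is group- or world-writable, so pinning `'mode' => 0600` (0700 for the directory) is worth adding. The task's closing `]))` lies outside this hunk.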
diff --git a/src/unattended-upgrades/auto-upgrades.twig b/src/unattended-upgrades/auto-upgrades.twig
deleted file mode 100644
index 388a028..0000000
--- a/src/unattended-upgrades/auto-upgrades.twig
+++ /dev/null
@@ -1,25 +0,0 @@
-APT::Periodic::Unattended-Upgrade "1";
-
-{% if unattended_update_package_list is defined %}
-APT::Periodic::Update-Package-Lists "{{unattended_update_package_list}}";
-{% endif %}
-
-{% if unattended_download_upgradeable is defined %}
-APT::Periodic::Download-Upgradeable-Packages "{{unattended_download_upgradeable}}";
-{% endif %}
-
-{% if unattended_autoclean_interval is defined %}
-APT::Periodic::AutocleanInterval "{{unattended_autoclean_interval}}";
-{% endif %}
-
-{% if unattended_clean_interval is defined %}
-APT::Periodic::CleanInterval "{{unattended_clean_interval}}";
-{% endif %}
-
-{% if unattended_verbose is defined %}
-APT::Periodic::Verbose "{{unattended_verbose}}";
-{% endif %}
-
-{% if unattended_random_sleep is defined %}
-APT::Periodic::RandomSleep "{{unattended_random_sleep}}";
-{% endif %}
diff --git a/src/unattended-upgrades/unattended-upgrades.php b/src/unattended-upgrades/unattended-upgrades.php
deleted file mode 100644
index 1c3f73c..0000000
--- a/src/unattended-upgrades/unattended-upgrades.php
+++ /dev/null
@@ -1,140 +0,0 @@
-<?php
-
-return [
- # Cache update time for apt module
- 'unattended_cache_valid_time' => 3600,
-
- #Unattended-Upgrade::Origins-Pattern
- # Automatically upgrade packages from these origin patterns
- # e.g.: 'o=Debian,a=stable', 'o=Debian,a=stable-updates'
- #
- # Left unset, distribution-specific defaults will be used through
- # __unattended_origins_patterns variable only if this variable
- # is not provided externally
- # REFS https://github.com/ansible/ansible/issues/8121
- #'unattended_origins_patterns' => [],
-
- #Unattended-Upgrade::Package-Blacklist
- # List of packages to not update
- 'unattended_package_blacklist' => [],
-
- #Unattended-Upgrade::AutoFixInterruptedDpkg
- # On a unclean dpkg exit unattended-upgrades will run
- # dpkg --force-confold --configure -a
- # The default is true, to ensure updates keep getting installed
- 'unattended_autofix_interrupted_dpkg' => true,
-
- #Unattended-Upgrade::MinimalSteps
- # Split the upgrade into the smallest possible chunks so that
- # they can be interrupted with SIGUSR1. This makes the upgrade
- # a bit slower but it has the benefit that shutdown while a upgrade
- # is running is possible (with a small delay)
- 'unattended_minimal_steps' => true,
-
- #Unattended-Upgrade::InstallOnShutdown
- # Install all unattended-upgrades when the machine is shuting down
- # instead of doing it in the background while the machine is running
- # This will (obviously) make shutdown slower
- 'unattended_install_on_shutdown' => false,
-
- #Unattended-Upgrade::Mail
- # Send email to this address for problems or packages upgrades
- # If empty or unset then no email is sent, make sure that you
- # have a working mail setup on your system. A package that provides
- # 'mailx' must be installed.
- 'unattended_mail' => false,
-
- #Unattended-Upgrade::MailOnlyOnError
- # Set this value to "true" to get emails only on errors. Default
- # is to always send a mail if Unattended-Upgrade::Mail is set
- 'unattended_mail_only_on_error' => false,
-
- #Unattended-Upgrade::Remove-Unused-Dependencies
- # Do automatic removal of all unused dependencies after the upgrade
- # (equivalent to apt-get autoremove)
- 'unattended_remove_unused_dependencies' => false,
-
- #Unattended-Upgrade::Remove-New-Unused-Dependencies
- # Remove any new unused dependencies after the upgrade
- 'unattended_remove_new_unused_dependencies' => true,
-
- #Unattended-Upgrade::Automatic-Reboot
- # Automatically reboot *WITHOUT CONFIRMATION* if a
- # the file /var/run/reboot-required is found after the upgrade
- 'unattended_automatic_reboot' => false,
-
- #Unattended-Upgrade::Automatic-Reboot-Time
- # If automatic reboot is enabled and needed, reboot at the specific
- # time instead of immediately
- 'unattended_automatic_reboot_time' => false,
-
- #Unattended-Upgrade::IgnoreAppsRequireRestart
- # Do upgrade application even if it requires restart after upgrade
- # I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
- 'unattended_ignore_apps_require_restart' => false,
-
- #Unattended-Upgrade::SyslogEnable
- # Write events to syslog, which is useful in environments where syslog
- # messages are sent to a central store.
- 'unattended_syslog_enable' => false,
-
- #Unattended-Upgrade::SyslogFacility
- # Write events to the specified syslog facility, or the daemon facility if
- # not specified. Requires the Unattended-Upgrade::SyslogEnable option to be
- # set to true.
- #'unattended_syslog_facility' => 'daemon',
-
- ### APT::Periodic configuration
- # Snatched from /usr/lib/apt/apt.systemd.daily
-
- #APT::Periodic::Update-Package-Lists "0";
- # - Do "apt-get update" automatically every n-days (0=disable)
- 'unattended_update_package_list' => 1,
-
- #APT::Periodic::Download-Upgradeable-Packages "0";
- # - Do "apt-get upgrade --download-only" every n-days (0=disable)
- #'unattended_download_upgradeable' => 0,
-
- #APT::Periodic::AutocleanInterval "0";
- # - Do "apt-get autoclean" every n-days (0=disable)
- 'unattended_autoclean_interval' => 7,
-
- #APT::Periodic::CleanInterval "0";
- # - Do "apt-get clean" every n-days (0=disable)
- #'unattended_clean_interval' => 0,
-
- #APT::Periodic::Verbose "0";
- # - Send report mail to root
- # 0: no report (or null string)
- # 1: progress report (actually any string)
- # 2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
- # 3: + trace on
- #'unattended_verbose' => 0,
-
- ## Cron systems only
-
- #APT::Periodic::RandomSleep
- # When the apt job starts, it will sleep for a random period between 0
- # and APT::Periodic::RandomSleep seconds
- # The default value is "1800" so that the script will stall for up to 30
- # minutes (1800 seconds) so that the mirror servers are not crushed by
- # everyone running their updates all at the same time
- # Kept undefined to allow default (1800)
- #'unattended_random_sleep' => 0,
-
- #Dpkg::Options
- # Provide dpkg options that take effect during unattended upgrades.
- # By default no flags are appended. Configuration file changes can
- # block installation of certain packages. Passing the flags
- # "--force-confdef" and "--force-confold" will ensure updates are applied
- # and old configuration files are preserved.
- 'unattended_dpkg_options' => [],
-
- # 'unattended_dpkg_options' => [
- # '--force-confdef',
- # '--force-confold',
- # ],
-
- # Use apt bandwidth limit feature, this example limits the download speed to 70kb/sec
- #'unattended_dl_limit' => 70,
-];
diff --git a/src/unattended-upgrades/unattended-upgrades.twig b/src/unattended-upgrades/unattended-upgrades.twig
deleted file mode 100644
index 0796f6b..0000000
--- a/src/unattended-upgrades/unattended-upgrades.twig
+++ /dev/null
@@ -1,117 +0,0 @@
-// Unattended-Upgrade::Origins-Pattern controls which packages are
-// upgraded.
-Unattended-Upgrade::Origins-Pattern {
-{% if unattended_origins_patterns is defined %}
-{% for origin in unattended_origins_patterns %}
- "{{ origin }}";
-{% endfor %}
-{% endif %}
-};
-
-// List of packages to not update (regexp are supported)
-Unattended-Upgrade::Package-Blacklist {
-{% for package in unattended_package_blacklist %}
- "{{ package }}";
-{% endfor %}
-};
-
-{% if not unattended_autofix_interrupted_dpkg %}
-// This option allows you to control if on a unclean dpkg exit
-// unattended-upgrades will automatically run
-// dpkg --force-confold --configure -a
-// The default is true, to ensure updates keep getting installed
-Unattended-Upgrade::AutoFixInterruptedDpkg "false";
-{% endif %}
-
-// Split the upgrade into the smallest possible chunks so that
-// they can be interrupted with SIGUSR1. This makes the upgrade
-// a bit slower but it has the benefit that shutdown while a upgrade
-// is running is possible (with a small delay)
-Unattended-Upgrade::MinimalSteps "{{ unattended_minimal_steps | lower }}";
-
-{% if unattended_install_on_shutdown %}
-// Install all unattended-upgrades when the machine is shuting down
-// instead of doing it in the background while the machine is running
-// This will (obviously) make shutdown slower
-Unattended-Upgrade::InstallOnShutdown "true";
-{% endif %}
-
-{% if unattended_mail %}
-// Send email to this address for problems or packages upgrades
-// If empty or unset then no email is sent, make sure that you
-// have a working mail setup on your system. A package that provides
-// 'mailx' must be installed.
-Unattended-Upgrade::Mail "{{ unattended_mail }}";
-{% endif %}
-
-{% if unattended_mail_only_on_error %}
-// Set this value to "true" to get emails only on errors. Default
-// is to always send a mail if Unattended-Upgrade::Mail is set
-Unattended-Upgrade::MailOnlyOnError "true";
-{% endif %}
-
-{% if unattended_remove_unused_dependencies %}
-// Do automatic removal of all unused dependencies after the upgrade
-// (equivalent to apt-get autoremove)
-Unattended-Upgrade::Remove-Unused-Dependencies "true";
-{% endif %}
-
-{% if not unattended_remove_new_unused_dependencies %}
-// Do automatic removal of new unused dependencies after the upgrade
-Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
-{% endif %}
-
-{% if unattended_automatic_reboot %}
-// Automatically reboot *WITHOUT CONFIRMATION* if a
-// the file /var/run/reboot-required is found after the upgrade
-Unattended-Upgrade::Automatic-Reboot "true";
-{% endif %}
-
-{% if unattended_automatic_reboot_time %}
-// If automatic reboot is enabled and needed, reboot at the specific
-// time instead of immediately
-// Default: "now"
-Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_automatic_reboot_time }}";
-{% endif %}
-
-{% if unattended_update_days is defined %}
-// Set the days of the week that updates should be applied. The days can be specified
-// as localized abbreviated or full names. Or as integers where "0" is Sunday, "1" is
-// Monday etc.
-// Example - apply updates only on Monday and Friday:
-// {"Mon";"Fri"};
-Unattended-Upgrade::Update-Days {{ unattended_update_days }};
-{% endif %}
-
-{% if unattended_ignore_apps_require_restart %}
-// Do upgrade application even if it requires restart after upgrade
-// I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
-Unattended-Upgrade::IgnoreAppsRequireRestart "true";
-{% endif %}
-
-{% if unattended_syslog_enable %}
-// Write events to syslog, which is useful in environments where syslog
-// messages are sent to a central store.
-Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}";
-{% if unattended_syslog_facility is defined %}
-// Write events to the specified syslog facility, or the daemon facility
-// if not specified. Requires the Unattended-Upgrade::SyslogEnable option
-// to be set to true.
-Unattended-Upgrade::SyslogFacility "{{ unattended_syslog_facility }}";
-{% endif %}
-{% endif %}
-
-{% if unattended_dpkg_options %}
-// Append options for governing dpkg behavior, e.g. --force-confdef.
-Dpkg::Options {
-{% for dpkg_option in unattended_dpkg_options %}
- "{{ dpkg_option }}";
-{% endfor %}
-};
-{% endif %}
-
-{% if unattended_dl_limit is defined %}
-// Use apt bandwidth limit feature, this example limits the download
-// speed to 70kb/sec
-Acquire::http::Dl-Limit "{{ unattended_dl_limit }}";
-{% endif %}