From 50c2fbafe6bf15909b893ddf0c862af3f7e848cb Mon Sep 17 00:00:00 2001
From: Daniel Weipert
Date: Wed, 28 Apr 2021 14:49:16 +0200
Subject: Initial commit
---
files/auto-upgrades.twig | 25 +++++++
files/config.php | 143 +++++++++++++++++++++++++++++++++++++++++
files/unattended-upgrades.twig | 121 ++++++++++++++++++++++++++++++++++
3 files changed, 289 insertions(+)
create mode 100644 files/auto-upgrades.twig
create mode 100644 files/config.php
create mode 100644 files/unattended-upgrades.twig
(limited to 'files')
diff --git a/files/auto-upgrades.twig b/files/auto-upgrades.twig
new file mode 100644
index 0000000..dbbf1a2
--- /dev/null
+++ b/files/auto-upgrades.twig
@@ -0,0 +1,25 @@
+APT::Periodic::Unattended-Upgrade "1";
+
+{% if unattended_update_package_list is defined %}
+ APT::Periodic::Update-Package-Lists "{{unattended_update_package_list}}";
+{% endif %}
+
+{% if unattended_download_upgradeable is defined %}
+ APT::Periodic::Download-Upgradeable-Packages "{{unattended_download_upgradeable}}";
+{% endif %}
+
+{% if unattended_autoclean_interval is defined %}
+ APT::Periodic::AutocleanInterval "{{unattended_autoclean_interval}}";
+{% endif %}
+
+{% if unattended_clean_interval is defined %}
+ APT::Periodic::CleanInterval "{{unattended_clean_interval}}";
+{% endif %}
+
+{% if unattended_verbose is defined %}
+ APT::Periodic::Verbose "{{unattended_verbose}}";
+{% endif %}
+
+{% if unattended_random_sleep is defined %}
+ APT::Periodic::RandomSleep "{{unattended_random_sleep}}";
+{% endif %}
diff --git a/files/config.php b/files/config.php
new file mode 100644
index 0000000..03d0593
--- /dev/null
+++ b/files/config.php
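Review bot: Each `APT::Periodic::*` value in auto-upgrades.twig is written into a double-quoted apt.conf string exactly as supplied, e.g. `APT::Periodic::Update-Package-Lists "{{unattended_update_package_list}}";`, so a value containing `"` or `;` would corrupt the generated file or add directives to it. Whether Twig escapes anything here depends on the environment's autoescape setting, which this commit does not show, and HTML escaping would not be the right encoding for apt.conf in any case. Since these settings are numeric, I would validate them as non-negative integers where config.php is loaded, or guard each block in the template, e.g. `{% if unattended_update_package_list is defined and unattended_update_package_list matches '/^[0-9]+$/' %}`.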
@@ -0,0 +1,143 @@
+ 3600,
+
+ #Unattended-Upgrade::Origins-Pattern
+ # Automatically upgrade packages from these origin patterns
+ # e.g.: 'o=Debian,a=stable', 'o=Debian,a=stable-updates'
+ #
+ # Left unset, distribution-specific defaults will be used through
+ # __unattended_origins_patterns variable only if this variable
+ # is not provided externally
+ # REFS https://github.com/ansible/ansible/issues/8121
+ #'unattended_origins_patterns' => [],
+ '__unattended_origins_patterns' => [
+ 'o=${distro_id},a=${distro_codename}-security',
+ ],
+
+ #Unattended-Upgrade::Package-Blacklist
+ # List of packages to not update
+ 'unattended_package_blacklist' => [],
+
+ #Unattended-Upgrade::AutoFixInterruptedDpkg
+ # On a unclean dpkg exit unattended-upgrades will run
+ # dpkg --force-confold --configure -a
+ # The default is true, to ensure updates keep getting installed
+ 'unattended_autofix_interrupted_dpkg' => true,
+
+ #Unattended-Upgrade::MinimalSteps
+ # Split the upgrade into the smallest possible chunks so that
+ # they can be interrupted with SIGUSR1. This makes the upgrade
+ # a bit slower but it has the benefit that shutdown while a upgrade
+ # is running is possible (with a small delay)
+ 'unattended_minimal_steps' => true,
+
+ #Unattended-Upgrade::InstallOnShutdown
+ # Install all unattended-upgrades when the machine is shuting down
+ # instead of doing it in the background while the machine is running
+ # This will (obviously) make shutdown slower
+ 'unattended_install_on_shutdown' => false,
+
+ #Unattended-Upgrade::Mail
+ # Send email to this address for problems or packages upgrades
+ # If empty or unset then no email is sent, make sure that you
+ # have a working mail setup on your system. A package that provides
+ # 'mailx' must be installed.
+ 'unattended_mail' => false,
+
+ #Unattended-Upgrade::MailOnlyOnError
+ # Set this value to "true" to get emails only on errors. Default
+ # is to always send a mail if Unattended-Upgrade::Mail is set
+ 'unattended_mail_only_on_error' => false,
+
+ #Unattended-Upgrade::Remove-Unused-Dependencies
+ # Do automatic removal of all unused dependencies after the upgrade
+ # (equivalent to apt-get autoremove)
+ 'unattended_remove_unused_dependencies' => false,
+
+ #Unattended-Upgrade::Remove-New-Unused-Dependencies
+ # Remove any new unused dependencies after the upgrade
+ 'unattended_remove_new_unused_dependencies' => true,
+
+ #Unattended-Upgrade::Automatic-Reboot
+ # Automatically reboot *WITHOUT CONFIRMATION* if a
+ # the file /var/run/reboot-required is found after the upgrade
+ 'unattended_automatic_reboot' => false,
+
+ #Unattended-Upgrade::Automatic-Reboot-Time
+ # If automatic reboot is enabled and needed, reboot at the specific
+ # time instead of immediately
+ 'unattended_automatic_reboot_time' => false,
+
+ #Unattended-Upgrade::IgnoreAppsRequireRestart
+ # Do upgrade application even if it requires restart after upgrade
+ # I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
+ 'unattended_ignore_apps_require_restart' => false,
+
+ #Unattended-Upgrade::SyslogEnable
+ # Write events to syslog, which is useful in environments where syslog
+ # messages are sent to a central store.
+ 'unattended_syslog_enable' => false,
+
+ #Unattended-Upgrade::SyslogFacility
+ # Write events to the specified syslog facility, or the daemon facility if
+ # not specified. Requires the Unattended-Upgrade::SyslogEnable option to be
+ # set to true.
+ #'unattended_syslog_facility' => 'daemon',
+
+ ### APT::Periodic configuration
+ # Snatched from /usr/lib/apt/apt.systemd.daily
+
+ #APT::Periodic::Update-Package-Lists "0";
+ # - Do "apt-get update" automatically every n-days (0=disable)
+ 'unattended_update_package_list' => 1,
+
+ #APT::Periodic::Download-Upgradeable-Packages "0";
+ # - Do "apt-get upgrade --download-only" every n-days (0=disable)
+ #'unattended_download_upgradeable' => 0,
+
+ #APT::Periodic::AutocleanInterval "0";
+ # - Do "apt-get autoclean" every n-days (0=disable)
+ 'unattended_autoclean_interval' => 7,
+
+ #APT::Periodic::CleanInterval "0";
+ # - Do "apt-get clean" every n-days (0=disable)
+ #'unattended_clean_interval' => 0,
+
+ #APT::Periodic::Verbose "0";
+ # - Send report mail to root
+ # 0: no report (or null string)
+ # 1: progress report (actually any string)
+ # 2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
+ # 3: + trace on
+ #'unattended_verbose' => 0,
+
+ ## Cron systems only
+
+ #APT::Periodic::RandomSleep
+ # When the apt job starts, it will sleep for a random period between 0
+ # and APT::Periodic::RandomSleep seconds
+ # The default value is "1800" so that the script will stall for up to 30
+ # minutes (1800 seconds) so that the mirror servers are not crushed by
+ # everyone running their updates all at the same time
+ # Kept undefined to allow default (1800)
+ #'unattended_random_sleep' => 0,
+
+ #Dpkg::Options
+ # Provide dpkg options that take effect during unattended upgrades.
+ # By default no flags are appended. Configuration file changes can
+ # block installation of certain packages. Passing the flags
+ # "--force-confdef" and "--force-confold" will ensure updates are applied
+ # and old configuration files are preserved.
+ 'unattended_dpkg_options' => [],
+
+ # 'unattended_dpkg_options' => [
+ # '--force-confdef',
+ # '--force-confold',
+ # ],
+
+ # Use apt bandwidth limit feature, this example limits the download speed to 70kb/sec
+ #'unattended_dl_limit' => 70,
+];
diff --git a/files/unattended-upgrades.twig b/files/unattended-upgrades.twig
new file mode 100644
index 0000000..9532094
--- /dev/null
+++ b/files/unattended-upgrades.twig
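Review bot: With both `'unattended_mail' => false` and `'unattended_syslog_enable' => false` as the shipped defaults in config.php, a failed or held-back security upgrade is reported nowhere outside the host itself, so a machine can fall behind on patches without anyone noticing. I would default to `'unattended_syslog_enable' => true,` so the events reach whatever log collection the host already has, or say in the comment above `unattended_mail` that one of the two should be enabled. The `REFS https://github.com/ansible/ansible/issues/8121` line above `__unattended_origins_patterns` looks carried over from an Ansible role and does not describe this PHP array; a comment such as `# Used by the template only when 'unattended_origins_patterns' is not set` would be more accurate.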
@@ -0,0 +1,121 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+Unattended-Upgrade::Origins-Pattern {
+{% if unattended_origins_patterns is defined %}
+ {% for origin in unattended_origins_patterns %}
+ "{{ origin }}";
+ {% endfor %}
+{% else %}
+ {% for origin in __unattended_origins_patterns %}
+ "{{ origin }}";
+ {% endfor %}
+{% endif %}
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+{% for package in unattended_package_blacklist %}
+ "{{ package }}";
+{% endfor %}
+};
+
+{% if not unattended_autofix_interrupted_dpkg %}
+ // This option allows you to control if on a unclean dpkg exit
+ // unattended-upgrades will automatically run
+ // dpkg --force-confold --configure -a
+ // The default is true, to ensure updates keep getting installed
+ Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+{% endif %}
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "{{ unattended_minimal_steps | lower }}";
+
+{% if unattended_install_on_shutdown %}
+ // Install all unattended-upgrades when the machine is shuting down
+ // instead of doing it in the background while the machine is running
+ // This will (obviously) make shutdown slower
+ Unattended-Upgrade::InstallOnShutdown "true";
+{% endif %}
+
+{% if unattended_mail %}
+ // Send email to this address for problems or packages upgrades
+ // If empty or unset then no email is sent, make sure that you
+ // have a working mail setup on your system. A package that provides
+ // 'mailx' must be installed.
+ Unattended-Upgrade::Mail "{{ unattended_mail }}";
+{% endif %}
+
+{% if unattended_mail_only_on_error %}
+ // Set this value to "true" to get emails only on errors. Default
+ // is to always send a mail if Unattended-Upgrade::Mail is set
+ Unattended-Upgrade::MailOnlyOnError "true";
+{% endif %}
+
+{% if unattended_remove_unused_dependencies %}
+ // Do automatic removal of all unused dependencies after the upgrade
+ // (equivalent to apt-get autoremove)
+ Unattended-Upgrade::Remove-Unused-Dependencies "true";
+{% endif %}
+
+{% if not unattended_remove_new_unused_dependencies %}
+ // Do automatic removal of new unused dependencies after the upgrade
+ Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
+{% endif %}
+
+{% if unattended_automatic_reboot %}
+ // Automatically reboot *WITHOUT CONFIRMATION* if a
+ // the file /var/run/reboot-required is found after the upgrade
+ Unattended-Upgrade::Automatic-Reboot "true";
+{% endif %}
+
+{% if unattended_automatic_reboot_time %}
+ // If automatic reboot is enabled and needed, reboot at the specific
+ // time instead of immediately
+ // Default: "now"
+ Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_automatic_reboot_time }}";
+{% endif %}
+
+{% if unattended_update_days is defined %}
+ // Set the days of the week that updates should be applied. The days can be specified
+ // as localized abbreviated or full names. Or as integers where "0" is Sunday, "1" is
+ // Monday etc.
+ // Example - apply updates only on Monday and Friday:
+ // {"Mon";"Fri"};
+ Unattended-Upgrade::Update-Days {{ unattended_update_days }};
+{% endif %}
+
+{% if unattended_ignore_apps_require_restart %}
+ // Do upgrade application even if it requires restart after upgrade
+ // I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
+ Unattended-Upgrade::IgnoreAppsRequireRestart "true";
+{% endif %}
+
+{% if unattended_syslog_enable %}
+ // Write events to syslog, which is useful in environments where syslog
+ // messages are sent to a central store.
+ Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}";
+ {% if unattended_syslog_facility is defined %}
+ // Write events to the specified syslog facility, or the daemon facility
+ // if not specified. Requires the Unattended-Upgrade::SyslogEnable option
+ // to be set to true.
+ Unattended-Upgrade::SyslogFacility "{{ unattended_syslog_facility }}";
+ {% endif %}
+{% endif %}
+
+{% if unattended_dpkg_options %}
+ // Append options for governing dpkg behavior, e.g. --force-confdef.
+ Dpkg::Options {
+ {% for dpkg_option in unattended_dpkg_options %}
+ "{{ dpkg_option }}";
+ {% endfor %}
+ };
+{% endif %}
+
+{% if unattended_dl_limit is defined %}
+ // Use apt bandwidth limit feature, this example limits the download
+ // speed to 70kb/sec
+ Acquire::http::Dl-Limit "{{ unattended_dl_limit }}";
+{% endif %}
-- cgit v1.2.3
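Review bot: The `Origins-Pattern` block at the top of unattended-upgrades.twig tests only `is defined`, so a caller who sets `unattended_origins_patterns` to an empty list gets an empty block instead of the `__unattended_origins_patterns` fallback, which would presumably leave no origin allowed and stop security updates without any error. Testing for content as well, `{% if unattended_origins_patterns is defined and unattended_origins_patterns is not empty %}`, keeps the security default in that case. Separately, `MinimalSteps "{{ unattended_minimal_steps | lower }}"` prints a PHP boolean, which Twig renders as `1` or as an empty string rather than `true`/`false`, so a `false` setting likely ends up as `""`. Writing `"{{ unattended_minimal_steps ? 'true' : 'false' }}"` there, and a literal `"true"` for `SyslogEnable`, would match the other boolean options in this file.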