From c685ec9120fa7a93452a404285531e717e6df875 Mon Sep 17 00:00:00 2001
From: decentral1se
Date: Mon, 30 May 2022 10:54:07 +0200
Subject: [PATCH] init
---
.ansible-lint.yml | 4 ++
.drone.yml | 16 ++++++++
.envrc.sample | 18 +++++++++
.yamllint.yml | 16 ++++++++
LICENSE | 15 ++++++++
README.md | 3 ++
meta/main.yml | 14 +++++++
molecule/default/converge.yml | 7 ++++
molecule/default/molecule.yml | 19 +++++++++
requirements.txt | 4 ++
tasks/main.yml | 16 ++++++++
templates/50unattended-upgrades | 68 +++++++++++++++++++++++++++++++++
12 files changed, 200 insertions(+)
create mode 100644 .ansible-lint.yml
create mode 100644 .drone.yml
create mode 100644 .envrc.sample
create mode 100755 .yamllint.yml
create mode 100644 LICENSE
create mode 100644 README.md
create mode 100644 meta/main.yml
create mode 100644 molecule/default/converge.yml
create mode 100644 molecule/default/molecule.yml
create mode 100644 requirements.txt
create mode 100644 tasks/main.yml
create mode 100644 templates/50unattended-upgrades
diff --git a/.ansible-lint.yml b/.ansible-lint.yml
new file mode 100644
index 0000000..25636f8
--- /dev/null
+++ b/.ansible-lint.yml
@@ -0,0 +1,4 @@
+---
+skip_list:
+ - fqcn-builtins
+ - experimental
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..d38ceba
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,16 @@
+----
+kind: pipeline
+name: default
+steps:
+ - name: integration test
+ image: python:3.9-buster
+ environment:
+ REMOTE_USER: molecule
+ HCLOUD_TOKEN:
+ from_secret: HCLOUD_TOKEN
+ commands:
+ - apt update && apt install -y pwgen
+ - mkdir -p /root/.ansible/roles && ln -sr . /root/.ansible/roles/autonomic.auto-apt-upgrades
+ - export INSTANCE_UUID=$(pwgen 8 1)
+ - pip install -r requirements.txt
+ - molecule test
diff --git a/.envrc.sample b/.envrc.sample
new file mode 100644
index 0000000..8a266bf
--- /dev/null
+++ b/.envrc.sample
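Review bot: The first added line of .drone.yml is `----` rather than the YAML document marker `---`; unless Drone's loader tolerates a stray plain scalar ahead of the mapping, the pipeline file will not parse, and nothing in the repository would catch it because `.yamllint.yml` lists `.drone.yml` under `ignore` and `molecule.yml` runs ansible-lint with `--exclude .drone.yml`. Change the line to `---` and consider dropping `.drone.yml` from the yamllint ignore list so its syntax is checked locally as well as in CI.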
@@ -0,0 +1,18 @@
+# Your username that you use for accounts on our machines.
+export REMOTE_USER=
+export ANSIBLE_USER=$REMOTE_USER
+
+# The path to our pass credentials store
+export PASSWORD_STORE_DIR=
+
+# The Hetzner Cloud API token for managing our instances
+# Uncomment the prod/test line below depending on what you're doing
+# export HCLOUD_TOKEN=$(pass show logins/hetzner/prod/api_key)
+# export HCLOUD_TOKEN=$(pass show logins/hetzner/test/api_key)
+export HCLOUD_TOKEN=$(pass show logins/hetzner/cicd/api_key)
+
+# For molecule role testing
+export INSTANCE_UUID=$RANDOM
+
+# So molecule will show credentials in the logs
+export MOLECULE_NO_LOG=False
diff --git a/.yamllint.yml b/.yamllint.yml
new file mode 100755
index 0000000..456c99c
--- /dev/null
+++ b/.yamllint.yml
@@ -0,0 +1,16 @@
+---
+extends: default
+
+yaml-files:
+ - "*.yaml"
+ - "*.yml"
+
+ignore: |
+ .venv
+ .drone.yml
+
+rules:
+ line-length: disable
+ braces:
+ max-spaces-inside: 1
+ level: error
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..0a65460
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,15 @@
+autonomic.auto-apt-upgrades: Enabled automatic unattended-upgrades for apt security packages
+Copyright (C) 2022 Autonomic Co-operative
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..fe1824b
--- /dev/null
+++ b/README.md
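Review bot: The `HCLOUD_TOKEN` selection in .envrc.sample does not behave as its comment describes: the active cicd export sits after the two commented prod/test lines, so uncommenting either of them has no effect because `export HCLOUD_TOKEN=$(pass show logins/hetzner/cicd/api_key)` runs last and overwrites it. Either move the cicd line above the alternatives or reword the comment to say the cicd line must be commented out as well. Separately, a failing `pass show` leaves the variable exported as an empty string instead of aborting, so adding `: "${HCLOUD_TOKEN:?pass show failed}"` after the export makes the failure visible before molecule tries the API with no token. `MOLECULE_NO_LOG=False` is documented as putting credentials into the logs, which is acceptable for a local .envrc but the comment should say it is for local runs only, since the Drone pipeline deliberately does not set it.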
@@ -0,0 +1,3 @@
+# autonomic.auto-apt-upgrades
+
+[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/autonomic.auto-apt-upgrades/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/autonomic-cooperative/autonomic.auto-apt-upgrades)
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..7a4052b
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,14 @@
+---
+dependencies: []
+galaxy_info:
+ role_name: auto_apt_upgrades
+ namespace: autonomic
+ author: autonomic
+ description: Enabled automatic unattended-upgrades for apt security packages
+ company: Autonomic
+ license: GPLv3
+ min_ansible_version: 2.9
+ platforms:
+ - name: Debian
+ versions:
+ - buster
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
new file mode 100644
index 0000000..38f51a4
--- /dev/null
+++ b/molecule/default/converge.yml
@@ -0,0 +1,7 @@
+---
+- name: Converge
+ hosts: all
+ tasks:
+ - name: Include autonomic.auto-apt-upgrades
+ include_role:
+ name: autonomic.auto-apt-upgrades
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 0000000..abf1685
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,19 @@
+---
+dependency:
+ name: galaxy
+
+driver:
+ name: hetznercloud
+
+platforms:
+ - name: "autonomic.auto-apt-upgrades-${INSTANCE_UUID}"
+ server_type: "cx11"
+ image: "debian-10"
+
+provisioner:
+ name: ansible
+
+lint: |
+ set -e
+ yamllint -c .yamllint.yml .
+ ansible-lint --exclude .drone.yml -c .ansible-lint.yml .
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..7d6c96a
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,4 @@
+ansible-lint==6.0.0
+ansible==5.4.0
+molecule-hetznercloud==1.3.0
+molecule==3.6.1
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..28efee1
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Update the package cache
+ apt:
+ update_cache: true
+ cache_valid_time: 3600
+
+- name: Install unattended upgrades
+ apt:
+ name: unattended-upgrades
+ state: present
+
+- name: Add our unattended-upgrades config file
+ template:
+ backup: true
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ src: templates/50unattended-upgrades
diff --git a/templates/50unattended-upgrades b/templates/50unattended-upgrades
new file mode 100644
index 0000000..e51f12a
--- /dev/null
+++ b/templates/50unattended-upgrades
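Review bot: The `template` task at the end of the hunk sets no `owner`, `group` or `mode` on `/etc/apt/apt.conf.d/50unattended-upgrades`, so the file's permissions come from the target's umask instead of being pinned; add `owner: root`, `group: root` and `mode: "0644"` so apt's configuration is root-owned and writable by nobody else. The role also never turns the periodic run on: nothing sets `APT::Periodic::Unattended-Upgrade "1"` (conventionally in `/etc/apt/apt.conf.d/20auto-upgrades`), so it relies on the Debian package's postinst enabling it, which should either be stated in the README or made explicit with a second template task. `backup: true` leaves timestamped copies ending in `~` beside the live file; apt's default ignore rules skip such names as far as I recall, but a one-line comment saying the backups are intentionally left there would stop someone "tidying" them into a second active config.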
@@ -0,0 +1,68 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+// "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+ // Extended Security Maintenance; doesn't necessarily exist for
+ // every release and this system may not have it installed, but if
+ // available, the policy for updates is such that unattended-upgrades
+ // should also install from here by default.
+// "${distro_id}ESM:${distro_codename}";
+// "${distro_id}:${distro_codename}-updates";
+// "${distro_id}:${distro_codename}-proposed";
+// "${distro_id}:${distro_codename}-backports";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+// "vim";
+// "libc6";
+// "libc6-dev";
+// "libc6-i686";
+ "docker-ce";
+ "docker-ce-cli";
+ "docker-ce-rootless-extras";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+//Unattended-Upgrade::Mail "root";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Automatically reboot *WITHOUT CONFIRMATION*
+// if the file /var/run/reboot-required is found after the upgrade
+//Unattended-Upgrade::Automatic-Reboot "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
\ No newline at end of file
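Review bot: With `Unattended-Upgrade::Mail` left commented out and `Automatic-Reboot` disabled, a security upgrade of the kernel or libc that leaves `/var/run/reboot-required` behind is reported nowhere, so hosts keep running the old code until someone reboots by hand; either set `Unattended-Upgrade::Mail` (the comment above it notes a mailx provider is required) or state in the README that reboot-required must be watched by external monitoring. The three blacklist entries overlap: the file's own comment says entries are regexps, and as far as I recall unattended-upgrades matches them from the start of the package name, so `"docker-ce"` alone already covers `docker-ce-cli` and `docker-ce-rootless-extras`; keep one entry plus a comment giving the reason Docker is excluded (presumably to avoid restarting containers), or anchor it as `"^docker-ce$"` if only the engine package is meant. The file lives in `templates/` but contains no Jinja expressions — the `${distro_id}` forms are apt's own substitution — so a short leading comment saying it is static apart from apt's variables, or moving the origins and blacklist into role defaults, would make the intent explicit. The file also ends without a trailing newline.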