autonomic-cooperative/autonomic.auto-apt-upgrades
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

init
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
decentral1se 2022-05-30 10:54:07 +02:00
commit c685ec9120
No known key found for this signature in database
GPG Key ID: 03789458B3D0C410
12 changed files with 200 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.ansible-lint.yml Normal file
View File

@ -0,0 +1,4 @@
---
skip_list:
- fqcn-builtins
- experimental

16
.drone.yml Normal file
View File

@ -0,0 +1,16 @@
----
kind: pipeline
name: default
steps:
- name: integration test
image: python:3.9-buster
environment:
REMOTE_USER: molecule
HCLOUD_TOKEN:
from_secret: HCLOUD_TOKEN
commands:
- apt update && apt install -y pwgen
- mkdir -p /root/.ansible/roles && ln -sr . /root/.ansible/roles/autonomic.auto-apt-upgrades
- export INSTANCE_UUID=$(pwgen 8 1)
- pip install -r requirements.txt
- molecule test

18
.envrc.sample Normal file
View File

@ -0,0 +1,18 @@
# Your username that you use for accounts on our machines.
export REMOTE_USER=
export ANSIBLE_USER=$REMOTE_USER
# The path to our pass credentials store
export PASSWORD_STORE_DIR=
# The Hetzner Cloud API token for managing our instances
# Uncomment the prod/test line below depending on what you're doing
# export HCLOUD_TOKEN=$(pass show logins/hetzner/prod/api_key)
# export HCLOUD_TOKEN=$(pass show logins/hetzner/test/api_key)
export HCLOUD_TOKEN=$(pass show logins/hetzner/cicd/api_key)
# For molecule role testing
export INSTANCE_UUID=$RANDOM
# So molecule will show credentials in the logs
export MOLECULE_NO_LOG=False

16
.yamllint.yml Executable file
View File

@ -0,0 +1,16 @@
---
extends: default
yaml-files:
- "*.yaml"
- "*.yml"
ignore: |
.venv
.drone.yml
rules:
line-length: disable
braces:
max-spaces-inside: 1
level: error

15
LICENSE Normal file
View File

@ -0,0 +1,15 @@
autonomic.auto-apt-upgrades: Enabled automatic unattended-upgrades for apt security packages
Copyright (C) 2022 Autonomic Co-operative <helo@autonomic.zone>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.

3
README.md Normal file
View File

@ -0,0 +1,3 @@
# autonomic.auto-apt-upgrades
[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/autonomic.auto-apt-upgrades/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/autonomic-cooperative/autonomic.auto-apt-upgrades)

14
meta/main.yml Normal file
View File

@ -0,0 +1,14 @@
---
dependencies: []
galaxy_info:
role_name: auto_apt_upgrades
namespace: autonomic
author: autonomic
description: Enabled automatic unattended-upgrades for apt security packages
company: Autonomic
license: GPLv3
min_ansible_version: 2.9
platforms:
- name: Debian
versions:
- buster

7
molecule/default/converge.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Converge
hosts: all
tasks:
- name: Include autonomic.auto-apt-upgrades
include_role:
name: autonomic.auto-apt-upgrades

19
molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,19 @@
---
dependency:
name: galaxy
driver:
name: hetznercloud
platforms:
- name: "autonomic.auto-apt-upgrades-${INSTANCE_UUID}"
server_type: "cx11"
image: "debian-10"
provisioner:
name: ansible
lint: |
set -e
yamllint -c .yamllint.yml .
ansible-lint --exclude .drone.yml -c .ansible-lint.yml .

4
requirements.txt Normal file
View File

@ -0,0 +1,4 @@
ansible-lint==6.0.0
ansible==5.4.0
molecule-hetznercloud==1.3.0
molecule==3.6.1

16
tasks/main.yml Normal file
View File

@ -0,0 +1,16 @@
---
- name: Update the package cache
apt:
update_cache: true
cache_valid_time: 3600
- name: Install unattended upgrades
apt:
name: unattended-upgrades
state: present
- name: Add our unattended-upgrades config file
template:
backup: true
dest: /etc/apt/apt.conf.d/50unattended-upgrades
src: templates/50unattended-upgrades

68
templates/50unattended-upgrades Normal file
View File

@ -0,0 +1,68 @@
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
// "${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
// "${distro_id}ESM:${distro_codename}";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
"docker-ce";
"docker-ce-cli";
"docker-ce-rootless-extras";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";