Set unattended-upgrades config.

CHANGELOG.md

@@ -11,4 +11,4 @@
 * Ensure to never remove some packages pattern.
 * Manage general, periodic and dpkg config files.
 * Purge default configuration files sets by others apps.
-* Manage `unattended-upgrades`.
+* Manage `unattended-upgrades` (package and config).

README.md

@@ -35,6 +35,7 @@ Manage APT repos, preferences and configuration for IPR's servers.
 * **apt_old_pkg_state** : State of old packages [default : `absent`].
 * **apt_old_pkg_manage** : If those old packages should be managed by the role [default : `true`].
 * **apt_unattended_upgrades** : If `unattended-upgrades` should be managed by the role [default : `yes`].
+* **apt_unattended_upgrades_blacklist** : List of packages to not update (regexp are supported) [default : `[]`].
 
 ## Example Playbook
 
@@ -49,11 +50,12 @@ Manage APT repos, preferences and configuration for IPR's servers.
 ## Configuration
 
 ### APT Configuration
-- Ensure to never remove some packages pattern.
-- Set general APT configurations.
-- Set periodic actions.
-- Set dpkg default values.
-- Purge default configuration files sets by others apps.
+* Ensure to never remove some packages pattern.
+* Set general APT configurations.
+* Set periodic actions.
+* Set dpkg default values.
+* Set unattended-upgrades config.
+* Purge default configuration files sets by others apps.
 
 ### Sources List
 Manage Debian's sources.list :

defaults/main.yml

@@ -36,3 +36,4 @@ apt_old_pkg_manage: true
 
 # unattended-upgrades
 apt_unattended_upgrades: yes
+apt_unattended_upgrades_blacklist: []

tasks/config.yml

@@ -23,6 +23,17 @@
   with_items:
     - "etc/apt/apt.conf.d/20dpkg.conf"
 
+- name: CONFIG unattended-upgrades
+  template:
+    src: "{{ item }}.j2"
+    dest: "/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - "etc/apt/apt.conf.d/50unattended-upgrades.conf"
+  when: apt_unattended_upgrades
+
 - name: CONFIG purge default config
   file:
     path: "/etc/apt/apt.conf.d/{{ item }}"

templates/etc/apt/apt.conf.d/50unattended-upgrades.conf.j2

@@ -0,0 +1,30 @@
+# {{ ansible_managed }}
+
+# Automatically upgrade packages from these (origin:archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+	"${distro_id}:${distro_codename}-security";
+	#"${distro_id}:${distro_codename}-updates";
+	#"${distro_id}:${distro_codename}-proposed";
+	#"${distro_id}:${distro_codename}-backports";
+};
+
+# List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+{% for package in apt_unattended_upgrades_blacklist %}
+	"{{ package }}";
+{% endfor %}
+};
+
+# Send email to this address for problems or packages upgrades
+# If empty or unset then no email is sent, make sure that you
+# have a working mail setup on your system. A package that provides
+# 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "root";
+
+# Set this value to "true" to get emails only on errors. Default
+# is to always send a mail if Unattended-Upgrade::Mail is set
+Unattended-Upgrade::MailOnlyOnError "true";
+
+# Do automatic removal of new unused dependencies after the upgrade
+# (equivalent to apt-get autoremove)
+#Unattended-Upgrade::Remove-Unused-Dependencies "false";