Add auto-upgrade feature

group_vars/all

@@ -15,6 +15,7 @@ admin_email: kolter@openics.org
 hosts_deny_nfs: False
 host_deny_paranoid: True
 
+with_auto_upgrade: True
 with_logcheck: True
 with_rkhunter: True
 with_chkrootkit: True

roles/common/tasks/security.yml

@@ -1,3 +1,11 @@
+- name: Install auto upgrades package
+  action: ${ansible_pkg_mgr} pkg=unattended-upgrades state=installed update_cache=yes
+  when_boolean: ${with_auto_upgrade}
+
+- name: Configure auto upgrades
+  action: template src=apt/auto-upgrades.j2 dest=/etc/apt/apt.conf.d/20auto-upgrades owner=root group=root mode=0644
+  when_boolean: ${with_auto_upgrade}
+
 - name: Install logcheck packages
   action: ${ansible_pkg_mgr} pkg=${item} state=installed update_cache=yes
   with_items:

roles/common/templates/apt/auto-upgrades.j2

@@ -0,0 +1,8 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog('//') }}
+{% endif -%}
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+Unattended-Upgrade::Mail "root";
+//Unattended-Upgrade::MailOnlyOnError "true";