
Improve unattented-upgrades configuration

Emmanuel Bouthenot 11 years ago
parent
commit
98646ecc36

+ 4 - 1
roles/common/tasks/security.yml

@@ -3,7 +3,10 @@
   when_boolean: ${with_auto_upgrade}
 
 - name: Configure auto upgrades
-  action: template src=apt/auto-upgrades.j2 dest=/etc/apt/apt.conf.d/20auto-upgrades owner=root group=root mode=0644
+  action: template src=${item} dest=/etc/apt/apt.conf.d/20auto-upgrades owner=root group=root mode=0644
+  first_available_file:
+    - apt/auto-upgrades.${ansible_lsb.codename}.j2
+    - apt/auto-upgrades.j2
   when_boolean: ${with_auto_upgrade}
 
 - name: Install logcheck packages
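Review bot: The release-specific entry in `first_available_file` depends on `${ansible_lsb.codename}`, and the LSB facts are only populated when `lsb_release` is present on the target. On a host without it, the lookup would most likely fall through to `apt/auto-upgrades.j2`, so the host gets no Origins-Pattern from this role and nothing reports the fallback. Consider keying on `${ansible_distribution_release}` if it is available in the Ansible version in use, or make sure the lsb-release package is installed before this task; whether it is cannot be seen from this hunk. A comment above the task such as `# Release-specific template first; auto-upgrades.j2 is the generic fallback` would document the lookup order.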

+ 1 - 0
roles/common/templates/apt/auto-upgrades.j2

@@ -2,6 +2,7 @@
 {% from 'templates/ansible/prolog.j2' import prolog with context %}
 {{ prolog('//') }}
 {% endif -%}
+
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
 Unattended-Upgrade::Mail "root";

+ 18 - 0
roles/common/templates/apt/auto-upgrades.sid.j2

@@ -0,0 +1,18 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog('//') }}
+{% endif -%}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+Unattended-Upgrade::Mail "root";
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Automatically upgrade packages from these origin patterns
+Unattended-Upgrade::Origins-Pattern {
+            // Archive or Suite based matching:
+            // Note that this will silently match a different release after
+            // migration to the specified archive (e.g. testing becomes the
+            // new stable).
+            "o=Debian,a=unstable";
+};
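Review bot: The `Unattended-Upgrade::Origins-Pattern` block in this template is deployed to `20auto-upgrades` (the destination is set in security.yml), and APT merges list options across the files in apt.conf.d rather than replacing them. If the packaged `50unattended-upgrades` is present on the host, its patterns are appended to this list, so the effective set of allowed origins can be wider than what the template shows. To make the list authoritative, the role would also need to manage `50unattended-upgrades` or confirm it is absent. Checking the merged result with `apt-config dump` on a target host would confirm which origins actually apply. The same applies to `auto-upgrades.wheezy.j2`.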

+ 21 - 0
roles/common/templates/apt/auto-upgrades.wheezy.j2

@@ -0,0 +1,21 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog('//') }}
+{% endif -%}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+Unattended-Upgrade::Mail "root";
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Automatically upgrade packages from these origin patterns
+Unattended-Upgrade::Origins-Pattern {
+            // Archive or Suite based matching:
+            // Note that this will silently match a different release after
+            // migration to the specified archive (e.g. testing becomes the
+            // new stable).
+    //      "o=Debian,a=stable";
+            "o=Debian,a=stable-updates";
+    //      "o=Debian,a=proposed-updates";
+            "origin=Debian,archive=stable,label=Debian-Security";
+};
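Review bot: Both active patterns match on the archive name (`a=stable-updates` and `archive=stable,label=Debian-Security`), not on the codename, although this template is chosen by codename. Once wheezy is no longer the stable release, these patterns would presumably stop matching its repositories, and automatic security upgrades on wheezy hosts would end without any error. The comment in the block mentions the migration effect but the patterns do not guard against it. If the unattended-upgrades version on wheezy supports codename matching, pinning with something like `"origin=Debian,codename=wheezy,label=Debian-Security";` keeps the template tied to the release it was selected for. Otherwise, add a comment saying that this file must be revisited at the next stable release.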