
Improve unattended-upgrade configuration

Emmanuel Bouthenot 10 жил өмнө
parent
commit
a525454c6f

+ 3 - 0
roles/common/handlers/security.yml

@@ -1,2 +1,5 @@
+- name: Reconfigure unattended-upgrades
+  raw: rm -f /etc/apt/apt.conf.d/20auto-upgrades* ; UCF_FORCE_CONFFMISS=1 UCF_FORCE_CONFFNEW=1 dpkg-reconfigure --frontend noninteractive unattended-upgrades
+
 - name: Remount /proc
   shell: mount -o remount /proc
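Review bot: The added `Reconfigure unattended-upgrades` handler goes through `raw`, which bypasses the module layer, while the `Remount /proc` handler next to it uses `shell`. The two commands are also joined with `;`, so `dpkg-reconfigure` runs whatever `rm` returned. Using `shell: rm -f /etc/apt/apt.conf.d/20auto-upgrades* && UCF_FORCE_CONFFMISS=1 UCF_FORCE_CONFFNEW=1 dpkg-reconfigure --frontend noninteractive unattended-upgrades` would fix both. A one-line comment above it, such as `# drop the old Ansible-written file so the package regenerates its own 20auto-upgrades`, would explain the glob delete and the UCF_FORCE_* variables (presumably there to make ucf reinstall the packaged file without prompting).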

+ 8 - 2
roles/common/tasks/security.yml

@@ -2,8 +2,14 @@
   apt: pkg=unattended-upgrades state=installed update_cache=yes
   when: with_auto_upgrade
 
-- name: Configure auto upgrades
-  template: src={{ item }} dest=/etc/apt/apt.conf.d/20auto-upgrades owner=root group=root mode=0644
+- name: Reconfigure unattended-upgrades package
+  debconf: name="unattended-upgrades" question="unattended-upgrades/enable_auto_updates" value="true" vtype="boolean"
+  notify:
+    - Reconfigure unattended-upgrades
+  when: with_auto_upgrade
+
+- name: Update unattended-upgrades configuration
+  template: src={{ item }} dest=/etc/apt/apt.conf.d/90unattended-upgrades-local owner=root group=root mode=0644
   first_available_file:
     - apt/auto-upgrades.{{ ansible_lsb.codename }}.j2
     - apt/auto-upgrades.j2
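Review bot: Cleanup of the old `/etc/apt/apt.conf.d/20auto-upgrades` depends entirely on the handler, and only the debconf task notifies it, so it fires only when the debconf answer actually changes. On a host where `unattended-upgrades/enable_auto_updates` is already `true`, the file rendered by the previous version of this task stays next to the new `90unattended-upgrades-local`. As far as I know apt merges list values across conf.d files, so the stale Origins-Pattern entries would remain in effect. Adding `notify: Reconfigure unattended-upgrades` to the `Update unattended-upgrades configuration` task would trigger the cleanup the first time the new file is written. That task continues past the end of this hunk, so its `when:` and any existing `notify:` are not visible here.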

+ 21 - 0
roles/common/templates/apt/auto-upgrades.jessie.j2

@@ -0,0 +1,21 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog('//') }}
+{% endif -%}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+Unattended-Upgrade::Mail "root";
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Automatically upgrade packages from these origin patterns
+Unattended-Upgrade::Origins-Pattern {
+            // Archive or Suite based matching:
+            // Note that this will silently match a different release after
+            // migration to the specified archive (e.g. testing becomes the
+            // new stable).
+            "o=Debian,a=stable";
+            "o=Debian,a=stable-updates";
+    //      "o=Debian,a=stable-proposed-updates";
+            "origin=Debian,archive=stable,label=Debian-Security";
+};
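Review bot: Every active pattern in this jessie-only template matches on `a=stable`, and the comment copied in just above them already warns what that means. Once jessie stops being the stable archive, none of the three entries match a jessie host, and automatic upgrades, security updates included, stop without any error. Because the template is already selected by `ansible_lsb.codename`, codename matching is the safer form, e.g. `"o=Debian,n=jessie";` and `"o=Debian,n=jessie,l=Debian-Security";`, assuming the packaged unattended-upgrades version supports `n=`. The wheezy template has the same exposure: its only active entry becomes `"o=Debian,a=stable";` while the `archive=oldstable,label=Debian-Security` line is left commented out. Enabling that line now would be harmless and keeps security updates flowing after the release transition.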

+ 6 - 6
roles/common/templates/apt/auto-upgrades.sid.j2

@@ -6,13 +6,13 @@
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
 Unattended-Upgrade::Mail "root";
-//Unattended-Upgrade::MailOnlyOnError "true";
+Unattended-Upgrade::MailOnlyOnError "true";
 
 // Automatically upgrade packages from these origin patterns
 Unattended-Upgrade::Origins-Pattern {
-            // Archive or Suite based matching:
-            // Note that this will silently match a different release after
-            // migration to the specified archive (e.g. testing becomes the
-            // new stable).
-            "o=Debian,a=unstable";
+    // Archive or Suite based matching:
+    // Note that this will silently match a different release after
+    // migration to the specified archive (e.g. testing becomes the
+    // new stable).
+    "o=Debian,a=unstable";
 };
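Review bot: `Unattended-Upgrade::MailOnlyOnError "true";` is enabled only in the sid template, while the jessie and squeeze templates added by the same commit keep it commented out, and nothing explains the difference. On a host tracking unstable, successful automatic upgrades are the ones most likely to change behaviour, and with this setting they no longer produce mail. If that is intentional, a comment such as `// sid upgrades daily; mail only failures to limit noise` would record it. Otherwise keep the setting consistent across the templates.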

+ 16 - 0
roles/common/templates/apt/auto-upgrades.squeeze.j2

@@ -0,0 +1,16 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog('//') }}
+{% endif -%}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+Unattended-Upgrade::Mail "root";
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Automatically upgrade packages from these origin patterns
+Unattended-Upgrade::Origins-Pattern {
+    "o=Debian,a=squeeze-lts";
+//  "origin=Debian,archive=stable,label=Debian-Security";
+//  "origin=Debian,archive=oldstable,label=Debian-Security";
+};

+ 9 - 8
roles/common/templates/apt/auto-upgrades.wheezy.j2

@@ -10,12 +10,13 @@ Unattended-Upgrade::Mail "root";
 
 // Automatically upgrade packages from these origin patterns
 Unattended-Upgrade::Origins-Pattern {
-            // Archive or Suite based matching:
-            // Note that this will silently match a different release after
-            // migration to the specified archive (e.g. testing becomes the
-            // new stable).
-    //      "o=Debian,a=stable";
-            "o=Debian,a=stable-updates";
-    //      "o=Debian,a=proposed-updates";
-            "origin=Debian,archive=stable,label=Debian-Security";
+    // Archive or Suite based matching:
+    // Note that this will silently match a different release after
+    // migration to the specified archive (e.g. testing becomes the
+    // new stable).
+    "o=Debian,a=stable";
+//  "o=Debian,a=stable-updates";
+//  "o=Debian,a=proposed-updates";
+//  "origin=Debian,archive=stable,label=Debian-Security";
+//  "origin=Debian,archive=oldstable,label=Debian-Security";
 };
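Review bot: Commenting out the `stable-updates` and `Debian-Security` entries in this block probably does not remove them from the effective configuration. The file is installed as `90unattended-upgrades-local` alongside the package's own configuration, and apt, as far as I know, appends list entries from every conf.d file rather than letting a later file replace the list. If this template is meant to be the authoritative origin list, put `#clear Unattended-Upgrade::Origins-Pattern;` before the block. If it is meant only to add origins, a short comment saying so would stop readers from taking the commented lines as disabled origins.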