feat: add system maintenance automation

deployment/ansible/roles/system/tasks/main.yml

@@ -0,0 +1,130 @@
+---
+- name: Refresh apt cache on Debian-based systems
+  ansible.builtin.apt:
+    update_cache: yes
+    cache_valid_time: "{{ system_apt_cache_valid_time }}"
+  become: yes
+  when:
+    - ansible_os_family == 'Debian'
+    - system_update_packages | bool
+
+- name: Upgrade packages on Debian-based systems
+  ansible.builtin.apt:
+    upgrade: "{{ system_apt_upgrade }}"
+    autoremove: yes
+  become: yes
+  when:
+    - ansible_os_family == 'Debian'
+    - system_update_packages | bool
+
+- name: Upgrade packages on RedHat-based systems
+  ansible.builtin.yum:
+    name: '*'
+    state: latest
+  become: yes
+  when:
+    - ansible_os_family == 'RedHat'
+    - system_update_packages | bool
+
+- name: Warn about unsupported package manager
+  ansible.builtin.debug:
+    msg: "System package updates are not implemented for {{ ansible_os_family }}"
+  changed_when: false
+  when:
+    - system_update_packages | bool
+    - ansible_os_family not in ['Debian', 'RedHat']
+
+- name: Install unattended-upgrades packages
+  ansible.builtin.package:
+    name:
+      - unattended-upgrades
+      - apt-listchanges
+    state: present
+  become: yes
+  when:
+    - ansible_os_family == 'Debian'
+    - system_enable_unattended_upgrades | bool
+
+- name: Configure unattended upgrades periodic execution
+  ansible.builtin.copy:
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Download-Upgradeable-Packages "1";
+      APT::Periodic::AutocleanInterval "7";
+      APT::Periodic::Unattended-Upgrade "1";
+  become: yes
+  when:
+    - ansible_os_family == 'Debian'
+    - system_enable_unattended_upgrades | bool
+
+- name: Configure unattended upgrade reboot preference
+  ansible.builtin.lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: '^//?\s*Unattended-Upgrade::Automatic-Reboot\s+'
+    line: 'Unattended-Upgrade::Automatic-Reboot "{{ system_enable_unattended_reboot | ternary("true", "false") }}";'
+    owner: root
+    group: root
+    mode: '0644'
+    create: yes
+  become: yes
+  when:
+    - ansible_os_family == 'Debian'
+    - system_enable_unattended_upgrades | bool
+
+- name: Configure unattended upgrade reboot time
+  ansible.builtin.lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: '^//?\s*Unattended-Upgrade::Automatic-Reboot-Time\s+'
+    line: 'Unattended-Upgrade::Automatic-Reboot-Time "{{ system_unattended_reboot_time }}";'
+    owner: root
+    group: root
+    mode: '0644'
+    create: yes
+  become: yes
+  when:
+    - ansible_os_family == 'Debian'
+    - system_enable_unattended_upgrades | bool
+    - system_enable_unattended_reboot | bool
+
+- name: Disable unattended reboot time when automatic reboot is off
+  ansible.builtin.lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: '^Unattended-Upgrade::Automatic-Reboot-Time\s+'
+    state: absent
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  when:
+    - ansible_os_family == 'Debian'
+    - system_enable_unattended_upgrades | bool
+    - not system_enable_unattended_reboot | bool
+
+- name: Ensure unattended upgrade timers are enabled
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  become: yes
+  loop:
+    - apt-daily.timer
+    - apt-daily-upgrade.timer
+    - unattended-upgrades.service
+  when:
+    - ansible_os_family == 'Debian'
+    - system_enable_unattended_upgrades | bool
+    - system_enable_unattended_timer | bool
+
+- name: Prune unused Docker data
+  community.docker.docker_prune:
+    containers: true
+    images: true
+    networks: true
+    volumes: false
+    builder_cache: true
+  become: yes
+  when: system_enable_docker_prune | bool