---
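# Refresh the apt index before upgrading. cache_valid_time makes this a no-op
# when the index is younger than system_apt_cache_valid_time seconds, so
# repeated runs do not hammer the mirrors.
- name: Refresh apt cache on Debian-based systems
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: "{{ system_apt_cache_valid_time }}"
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_update_packages | bool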
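# Run the apt upgrade mode selected by system_apt_upgrade (the apt module's
# upgrade parameter) and drop packages that are no longer required afterwards.
- name: Upgrade packages on Debian-based systems
  ansible.builtin.apt:
    upgrade: "{{ system_apt_upgrade }}"
    autoremove: true
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_update_packages | bool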
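# Upgrade every installed package. name: '*' with state: latest is the
# deliberate "update everything" form (ansible-lint's package-latest rule
# flags it; that is the intent of this task).
- name: Upgrade packages on RedHat-based systems
  ansible.builtin.yum:
    name: '*'
    state: latest
  become: true
  when:
    - ansible_os_family == 'RedHat'
    - system_update_packages | bool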
# Neither the apt nor the yum branch applies on this host: say so instead of
# silently skipping the update step.
- name: Warn about unsupported package manager
  ansible.builtin.debug:
    msg: "System package updates are not implemented for {{ ansible_os_family }}"
  changed_when: false
  when: "system_update_packages | bool and ansible_os_family not in ['Debian', 'RedHat']"
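# unattended-upgrades performs the automatic security updates; apt-listchanges
# is installed alongside it as configured by this role.
- name: Install unattended-upgrades packages
  ansible.builtin.package:
    name:
      - unattended-upgrades
      - apt-listchanges
    state: present
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool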
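# Turn on the APT periodic jobs: refresh lists, pre-download upgradable
# packages, run the unattended upgrade, and autoclean every 7 days.
# The file is world-readable but root-owned, which is the standard layout for
# /etc/apt/apt.conf.d.
- name: Configure unattended upgrades periodic execution
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: '0644'
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool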
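# Set Automatic-Reboot to the role's preference. The regexp must match both
# the commented form shipped by the package (//Unattended-Upgrade::...) and an
# already-active line: the original pattern '^//?' required at least one
# leading slash, so an existing uncommented line with the other value was never
# matched and a second directive was appended instead of replacing it.
# '(//)?' makes the comment marker genuinely optional.
- name: Configure unattended upgrade reboot preference
  ansible.builtin.lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^(//)?\s*Unattended-Upgrade::Automatic-Reboot\s+'
    line: 'Unattended-Upgrade::Automatic-Reboot "{{ system_enable_unattended_reboot | ternary("true", "false") }}";'
    owner: root
    group: root
    mode: '0644'
    create: true
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool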
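# Pin the reboot time used when Automatic-Reboot is enabled. As with the
# Automatic-Reboot task, '(//)?' lets the regexp match either the packaged
# commented-out line or an active line with a different time; the earlier
# '^//?' form only matched lines starting with a slash, so changing
# system_unattended_reboot_time appended a duplicate directive.
- name: Configure unattended upgrade reboot time
  ansible.builtin.lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^(//)?\s*Unattended-Upgrade::Automatic-Reboot-Time\s+'
    line: 'Unattended-Upgrade::Automatic-Reboot-Time "{{ system_unattended_reboot_time }}";'
    owner: root
    group: root
    mode: '0644'
    create: true
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool
    - system_enable_unattended_reboot | bool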
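# Remove any active Automatic-Reboot-Time directive when automatic reboots are
# disabled. The regexp intentionally has no '//' prefix: only uncommented
# lines are removed, the packaged comment is left in place for reference.
- name: Disable unattended reboot time when automatic reboot is off
  ansible.builtin.lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^Unattended-Upgrade::Automatic-Reboot-Time\s+'
    state: absent
    owner: root
    group: root
    mode: '0644'
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool
    - not system_enable_unattended_reboot | bool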
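# Enable and start the systemd units that drive the periodic apt jobs. Without
# the timers the APT::Periodic settings written above never fire.
- name: Ensure unattended upgrade timers are enabled
  ansible.builtin.systemd:
    name: "{{ item }}"
    enabled: true
    state: started
  become: true
  loop:
    - apt-daily.timer
    - apt-daily-upgrade.timer
    - unattended-upgrades.service
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool
    - system_enable_unattended_timer | bool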
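# Reclaim space from stopped containers, unused images and networks, and the
# build cache. Volumes are deliberately excluded (volumes: false) because
# pruning them destroys persistent data.
- name: Prune unused Docker data
  community.docker.docker_prune:
    containers: true
    images: true
    networks: true
    volumes: false
    builder_cache: true
  become: true
  when: system_enable_docker_prune | bool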