michaelschiemer/deployment/infrastructure/roles/base-security/tasks/security-updates.yml
Michael Schiemer 9b74ade5b0 feat: Fix discovery system critical issues
Resolved multiple critical discovery system issues:

## Discovery System Fixes
- Fixed console commands not being discovered on first run
- Implemented fallback discovery for empty caches
- Added context-aware caching with separate cache keys
- Fixed object serialization preventing __PHP_Incomplete_Class

## Cache System Improvements
- Smart caching that only caches meaningful results
- Separate caches for different execution contexts (console, web, test)
- Proper array serialization/deserialization for cache compatibility
- Cache hit logging for debugging and monitoring

## Object Serialization Fixes
- Fixed DiscoveredAttribute serialization with proper string conversion
- Sanitized additional data to prevent object reference issues
- Added fallback for corrupted cache entries

## Performance & Reliability
- All 69 console commands properly discovered and cached
- 534 total discovery items successfully cached and restored
- No more __PHP_Incomplete_Class cache corruption
- Improved error handling and graceful fallbacks

## Testing & Quality
- Fixed code style issues across discovery components
- Enhanced logging for better debugging capabilities
- Improved cache validation and error recovery

Ready for production deployment with stable discovery system.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-13 12:04:17 +02:00

144 lines
3.0 KiB
YAML

---
# Automatic Security Updates Configuration

- name: Install unattended-upgrades package
  package:
    name: unattended-upgrades
    state: present
  tags:
    - security
    - updates
    - packages

- name: Configure unattended-upgrades
  template:
    src: 50unattended-upgrades.j2
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
    mode: '0644'
    backup: true
  tags:
    - security
    - updates
    - config

- name: Enable automatic updates
  template:
    src: 20auto-upgrades.j2
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: '0644'
  tags:
    - security
    - updates
    - config

# The three lineinfile tasks below edit the same file that the
# "Configure unattended-upgrades" template task writes.
- name: Configure automatic reboot for kernel updates
  lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^Unattended-Upgrade::Automatic-Reboot\s+'
    line: 'Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_automatic_reboot | lower }}";'
    create: true
  tags:
    - security
    - updates
    - reboot

# Only applied when automatic reboot is enabled.
- name: Configure reboot time
  lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^Unattended-Upgrade::Automatic-Reboot-Time\s+'
    line: 'Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_automatic_reboot_time }}";'
  when: unattended_upgrades_automatic_reboot | bool
  tags:
    - security
    - updates
    - reboot

# The ssl_email variable is used as the recipient for update mail.
- name: Configure email notifications for updates
  lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^Unattended-Upgrade::Mail\s+'
    line: 'Unattended-Upgrade::Mail "{{ ssl_email }}";'
  tags:
    - security
    - updates
    - notifications

- name: Install apt-listchanges for change notifications
  package:
    name: apt-listchanges
    state: present
  tags:
    - security
    - updates
    - packages

- name: Configure apt-listchanges
  template:
    src: listchanges.conf.j2
    dest: /etc/apt/listchanges.conf
    owner: root
    group: root
    mode: '0644'
  tags:
    - security
    - updates
    - notifications

- name: Install needrestart for service restart detection
  package:
    name: needrestart
    state: present
  tags:
    - security
    - updates
    - packages

- name: Configure needrestart
  template:
    src: needrestart.conf.j2
    dest: /etc/needrestart/needrestart.conf
    owner: root
    group: root
    mode: '0644'
  tags:
    - security
    - updates
    - services

- name: Create update notification script
  template:
    src: update-notification.sh.j2
    dest: /usr/local/bin/update-notification.sh
    owner: root
    group: root
    mode: '0755'
  tags:
    - security
    - updates
    - scripts

# Runs daily at 02:00 as root; the notification script runs only
# if the dry run exits successfully.
- name: Schedule regular security updates check
  cron:
    name: "Security updates check"
    minute: "0"
    hour: "2"
    job: "/usr/bin/unattended-upgrade --dry-run && /usr/local/bin/update-notification.sh"
    user: root
  tags:
    - security
    - updates
    - cron

- name: Verify unattended-upgrades service
  service:
    name: unattended-upgrades
    state: started
    enabled: true
  tags:
    - security
    - updates
    - service