- A set of Ansible roles for CentOS and Debian hosts that provides users with the option to enable and/or remove automatic updates for packages installed.
- Deploy - `centos_automatic_updates.yaml` and `debian_automatic_updates.yaml` playbooks will install packages that enable automatic updates. Custom configuration files to set automatic updates will then be copied to the remote hosts. If there are any existing configuration files, a task will fetch the files and store them in a `backups` directory under the `files` directory.
- Remove - `centos_automatic_updates_remove.yaml` and `debian_automatic_updates_remove.yaml` will remove packages and configuration files from the hosts that enable automatic updates.
- For reference, below is a demonstration of how the directory structure of `backups` will look after a number of `debian_automatic_updates.yaml` and `centos_automatic_updates.yaml` playbook runs at different time intervals.
```
# CentOS
.
└── <INVENTORY_HOSTNAME_001>
    ├── 2021-07-25T22:34:13Z-CentOS-8.4
    │   └── automatic.conf
    ├── 2021-07-25T22:35:33Z-CentOS-8.4
    │   └── automatic.conf
    └── 2021-07-25T22:37:20Z-CentOS-8.4
        └── automatic.conf

# Debian
.
└── <INVENTORY_HOSTNAME_002>
    ├── 2021-07-25T22:34:21Z-Debian-10
    │   ├── 20auto-upgrades
    │   ├── 50unattended-upgrades
    │   └── listchanges.conf
    ├── 2021-07-25T22:35:42Z-Debian-10
    │   ├── 20auto-upgrades
    │   ├── 50unattended-upgrades
    │   └── listchanges.conf
    └── 2021-07-25T22:37:27Z-Debian-10
        ├── 20auto-upgrades
        ├── 50unattended-upgrades
        └── listchanges.conf
```
- Debian and/or CentOS Stream host(s) that the playbooks will be run against.
- `dnf-automatic`, `unattended-upgrades`, `apt-listchanges`
- `ansible-vault` - [optional] - can be used in the `debian_ssh.yaml` or `centos_ssh.yaml` playbook to encrypt and store sensitive data "at rest".
  - In this use case, the `ansible_sudo_password` variable, which is used as the privilege escalation password, is stored in a vault.
  - Once the secret has been created and added to the playbook, a user who needs to become `sudo` to run the playbook will need to decrypt the vault to access the variable.
  - This can be achieved by passing one of the following flags when executing the playbook:
    - `--ask-vault-pass`
    - `--vault-password-file`
  - Below is a demonstration of how the encrypted variable is defined in the playbooks:
```yaml
---
# playbook for the debian_automatic_updates role.
- hosts: debian_hosts
  # vars_files:
  #   - become-secret
  become: true
  roles:
    - debian_automatic_updates
```
- For more information on how to create encrypted variables, review the official Ansible documentation.
- Tested on: `debian-10`, `centos-8-stream`
```
# clone the repository
$ git clone git@github.com:hubvu/automatic-updates-ansible.git

# navigate into the directory
$ cd automatic-updates-ansible/

# run the master playbook `site.yaml` with verbosity
# for non Ansible Vault users
$ ansible-playbook site.yaml \
    --inventory-file=hosts \
    --ask-become-pass \
    --verbose

# run the removal playbook `site_remove.yaml` with verbosity
# for Ansible Vault users
$ ansible-playbook site_remove.yaml \
    --inventory-file=hosts \
    --ask-vault-pass \
    --verbose

# review the `backups` directory for the configuration files of each host
$ ls /roles/<role_name>/files/backups/<inventory_hostname>/<date_time>-<distribution_name>-<distribution_version>/
```
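The `backups` layout described above can be audited offline to see whether each host had automatic installs switched on in its most recently backed-up configuration. This is an added example, not part of the project's code; it assumes the stock `apply_updates` key of dnf-automatic's `automatic.conf` and the `APT::Periodic::Unattended-Upgrade` key of `20auto-upgrades`, and the hosts `web01` and `db01` and their file contents are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Snapshot directory names follow <date_time>-<distribution_name>-<distribution_version>.
SNAPSHOT = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)-([A-Za-z]+)-([\w.]+)$")

def _setting(path, pattern):
    """Return the first captured value of `pattern` in `path`, or None if absent."""
    if not path.is_file():
        return None
    m = re.search(pattern, path.read_text(), re.M)
    return m.group(1).lower() if m else None

def updates_enabled(snapshot):
    """True if the backed-up configuration had automatic installation switched on."""
    distro = SNAPSHOT.match(snapshot.name).group(2)
    if distro == "Debian":
        value = _setting(snapshot / "20auto-upgrades",
                         r'^\s*APT::Periodic::Unattended-Upgrade\s+"([^"]*)"\s*;')
        return value not in (None, "", "0")  # "0" disables the periodic run
    value = _setting(snapshot / "automatic.conf", r"^\s*apply_updates\s*=\s*(\S+)")
    return value in ("yes", "true", "1", "on")

def audit(backups):
    """Map each host to (newest snapshot name, updates_enabled) from its backups."""
    report = {}
    for host in sorted(p for p in Path(backups).iterdir() if p.is_dir()):
        # ISO 8601 UTC timestamps sort chronologically as plain strings.
        snaps = sorted(d for d in host.iterdir() if d.is_dir() and SNAPSHOT.match(d.name))
        if snaps:
            report[host.name] = (snaps[-1].name, updates_enabled(snaps[-1]))
    return report

def build_sample(root):
    """Constructed sample tree (hypothetical hosts web01, db01) mirroring the layout above."""
    files = {
        "web01/2021-07-25T22:34:13Z-CentOS-8.4/automatic.conf": "[commands]\napply_updates = no\n",
        "web01/2021-07-25T22:37:20Z-CentOS-8.4/automatic.conf": "[commands]\napply_updates = yes\n",
        "db01/2021-07-25T22:34:21Z-Debian-10/20auto-upgrades":
            'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n',
    }
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True)
        path.write_text(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for host, (snap, enabled) in audit(build_sample(tmp)).items():
            print(f"{host}: {snap} automatic updates {'on' if enabled else 'OFF'}")
```

Because each snapshot holds the configuration that existed before the role overwrote it, a host reported as off was not applying updates automatically before that playbook run.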
- Contribution guidelines for this project can be found in the Contributing document.
- DNF Automatic - Documentation.
- Unattended Upgrades - Debian Wiki.
- Ansible Lint.
- Ansible Lint for GitHub Action.
- Licensed under the MIT License.