From 6d96eb1ce8eee0a1fa393c3aa1679b61baa66ffd Mon Sep 17 00:00:00 2001 From: Paul Belanger Date: Thu, 2 May 2019 09:38:43 -0400 Subject: [PATCH] Add support for unattended-updates This allow us to start managing updates on windmill deployments. Change-Id: Iacfa1f59e1e0da97c354c81f0c9d3ae0bd2c8cda Signed-off-by: Paul Belanger
---
.../unattended-upgrades/defaults/main.yaml | 17 ++++++++++++++ .../unattended-upgrades/tasks/config.yaml | 22 +++++++++++++++++++ .../roles/unattended-upgrades/tasks/main.yaml | 21 ++++++++++++++++++ .../etc/apt/apt.conf.d/50unattended-upgrades | 14 ++++++++++++ .../unattended-upgrades/vars/debian.yaml | 14 ++++++++++++ .../unattended-upgrades/vars/redhat.yaml | 14 ++++++++++++ playbooks/bootstrap/site.yaml | 7 ++++++ 7 files changed, 109 insertions(+) create mode 100644 playbooks/bootstrap/roles/unattended-upgrades/defaults/main.yaml create mode 100644 playbooks/bootstrap/roles/unattended-upgrades/tasks/config.yaml create mode 100644 playbooks/bootstrap/roles/unattended-upgrades/tasks/main.yaml create mode 100644 playbooks/bootstrap/roles/unattended-upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades create mode 100644 playbooks/bootstrap/roles/unattended-upgrades/vars/debian.yaml create mode 100644 playbooks/bootstrap/roles/unattended-upgrades/vars/redhat.yaml
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/defaults/main.yaml b/playbooks/bootstrap/roles/unattended-upgrades/defaults/main.yaml
new file mode 100644
index 0000000..5ac1394
--- /dev/null
+++ b/playbooks/bootstrap/roles/unattended-upgrades/defaults/main.yaml
@@ -0,0 +1,17 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
+# tasks/main.yaml
+unattended_upgrades_task_manager:
+ - config
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/tasks/config.yaml b/playbooks/bootstrap/roles/unattended-upgrades/tasks/config.yaml
new file mode 100644
index 0000000..ccf0945
--- /dev/null
+++ b/playbooks/bootstrap/roles/unattended-upgrades/tasks/config.yaml
@@ -0,0 +1,22 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
+- name: Install unattended-upgrades configuration
+ become: true
+ template:
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ group: root
+ mode: 0644
+ owner: root
+ src: etc/apt/apt.conf.d/50unattended-upgrades.j2
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/tasks/main.yaml b/playbooks/bootstrap/roles/unattended-upgrades/tasks/main.yaml
new file mode 100644
index 0000000..a82e16b
--- /dev/null
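Review bot: The `src:` in tasks/config.yaml points at `etc/apt/apt.conf.d/50unattended-upgrades.j2`, but the template this patch adds is `templates/etc/apt/apt.conf.d/50unattended-upgrades` with no `.j2` suffix, so the template lookup will most likely fail on the first run; either rename the template file or drop the suffix from `src:`. The task also only installs the policy file: nothing visible in this patch installs the `unattended-upgrades` package or enables the periodic run (`APT::Periodic::Unattended-Upgrade "1";`), so unless the base image already provides both, hosts can stay unpatched while looking managed. Quoting the mode as `mode: "0644"` would avoid depending on YAML octal parsing.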
+++ b/playbooks/bootstrap/roles/unattended-upgrades/tasks/main.yaml
@@ -0,0 +1,21 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
+- name: Include OS-specific variables
+ include_vars: "{{ ansible_os_family | lower }}.yaml"
+
+- include: "{{ unattended_upgrades_task }}.yaml"
+ with_items: "{{ unattended_upgrades_task_manager }}"
+ loop_control:
+ loop_var: unattended_upgrades_task
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades b/playbooks/bootstrap/roles/unattended-upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades
new file mode 100644
index 0000000..a6a51d0
--- /dev/null
+++ b/playbooks/bootstrap/roles/unattended-upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades
@@ -0,0 +1,14 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+//
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}:${distro_codename}-updates";
+};
+
+Unattended-Upgrade::Package-Blacklist {
+};
+
+Unattended-Upgrade::DevRelease "false";
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/vars/debian.yaml b/playbooks/bootstrap/roles/unattended-upgrades/vars/debian.yaml
new file mode 100644
index 0000000..009f762
--- /dev/null
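Review bot: Nothing in tasks/main.yaml restricts the role to apt-based hosts, so it writes `/etc/apt/apt.conf.d/50unattended-upgrades` wherever it is applied; the only Debian check is the `when:` in site.yaml, while vars/redhat.yaml ships as if RedHat were handled. A guard in the role itself, such as `when: ansible_os_family == 'Debian'` on the include, would keep a later caller from silently laying down an inert policy file on an unsupported host. The bare `include:` is also unnamed and deprecated in favour of `include_tasks:`; giving it a `name:` makes the run log show which task file was pulled in.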
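Review bot: Reboot handling is left unspecified in 50unattended-upgrades, so kernel and libc fixes installed unattended stay inactive until someone restarts the host; state the policy explicitly, e.g. `Unattended-Upgrade::Automatic-Reboot "false";` with a comment naming who acts on /var/run/reboot-required. Allowed-Origins also lists the base and `-updates` pockets alongside `-security`, which together with `Remove-Unused-Dependencies "true"` lets non-security upgrades and package removals happen without review; a one-line comment confirming that this is intended would help the next reader. `Mail "root"` presumably only delivers if a local MTA and a root alias exist, which this patch does not show.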
+++ b/playbooks/bootstrap/roles/unattended-upgrades/vars/debian.yaml
@@ -0,0 +1,14 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/vars/redhat.yaml b/playbooks/bootstrap/roles/unattended-upgrades/vars/redhat.yaml
new file mode 100644
index 0000000..009f762
--- /dev/null
+++ b/playbooks/bootstrap/roles/unattended-upgrades/vars/redhat.yaml
@@ -0,0 +1,14 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
diff --git a/playbooks/bootstrap/site.yaml b/playbooks/bootstrap/site.yaml
index 040d87b..3cca907 100644
--- a/playbooks/bootstrap/site.yaml
+++ b/playbooks/bootstrap/site.yaml
@@ -55,6 +55,13 @@ name: iptables when: ansible_os_family == 'Debian' + # NOTE(pabelanger): We currently only support debuntu, this needs to be + # fixed! + - name: Setup unattended-upgrades role + include_role: + name: unattended-upgrades + when: ansible_os_family == 'Debian' + - name: Bootstrap bastion hosts hosts: bastion:!disabled tasks: