chore: extend automatic updates' resources

2026-02-08 21:34:25 +00:00 · 2025-06-18 19:37:27 +02:00
parent 8a5a138120
commit 102d0c7c51
3 changed files with 68 additions and 13 deletions
--- a/ansible/playbooks/os.automatic-upgrades.setup.yml
+++ b/ansible/playbooks/os.automatic-upgrades.setup.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Configure automatic updates
+  tags: configure_automatic_updates
+  hosts: all
+  tasks:
+    - name: Configure 'unattended-upgrades' on APT-based systems
+      when: ansible_pkg_mgr | lower == 'apt'
+      block:
+        - name: Install 'unattended-upgrades'
+          become: true
+          ansible.builtin.apt:
+            name: unattended-upgrades
+            install_recommends: false
+            update_cache: true
+        - name: Configure 'unattended-upgrades'
+          become: true
+          ansible.builtin.copy:
+            dest: /etc/apt/apt.conf.d/20auto-upgrades
+            content: |-
+              APT::Periodic::Update-Package-Lists "1";
+              APT::Periodic::Unattended-Upgrade "1";
+            owner: root
+            group: root
+            mode: u=rw,g=r,o=r
+            backup: true
+        - name: Test configuration with a dry run
+          tags:
+            - never
+            - test_unattended_upgrades
+          become: true
+          ansible.builtin.command: unattended-upgrade --dry-run
+    - name: Configure 'unattended-upgrades' on DNF and YUM-based systems
+      when: ansible_pkg_mgr | lower in ['dnf', 'yum']
+      block:
+        - name: Install a cron daemon
+          become: true
+          ansible.builtin.package:
+            name: chrony
+        - name: Create the cron job
+          ansible.builtin.copy:
+            dest: /etc/cron.daily/security-updates
+            content: |-
+              #!/bin/bash
+              {{ ansible_pkg_mgr }} -y upgrade --bugfix --security
+            owner: root
+            group: root
+            mode: u=rwx,g=rx,o=rx
+            backup: true
--- a/base/apt.md
+++ b/base/apt.md
@@ -90,11 +90,14 @@ EOF
 Leverage `unattended-upgrades` for this.

 ```sh
-# Configure the packages to keep up to date.
+# Install the tool.
+sudo apt install 'unattended-upgrades'
+
+# Configure self updating.
 sudo dpkg-reconfigure -p 'low' 'unattended-upgrades'

-# Check what packages would be installed.
-sudo unattended-upgrade -d --dry-run
+# Check what packages would be installed or upgraded.
+sudo unattended-upgrade --debug --dry-run

 # Run manually.
 sudo unattended-upgrade
@@ -184,7 +187,8 @@ sudo apt update
         100 /var/lib/dpkg/status
   ```

-1. The package might depend on other packages which are not upgradable at the moment, i.e. their current version might be required by other packages.<br/>
+1. The package might depend on other packages which are not upgradable at the moment, i.e. their current version might
+   be required by other packages.<br/>
   Try installing/upgrading it specifying the desired release and version of the package:

   ```sh
@@ -230,15 +234,10 @@ All the references in the [further readings] section, plus the following:
 - [Fix a "Problem with MergeList" or "status file could not be parsed" error]

 <!--
-  References
+  Reference
+  ═╬═Time══
  -->

-<!-- Upstream -->
-[apt configuration]: https://wiki.debian.org/AptConfiguration
-[apt_preferences man page]: https://manpages.debian.org/testing/apt/apt_preferences.5.en.html
-[configuring apt sources]: https://wiki.debian.org/SourcesList
-[unattended upgrades]: https://wiki.debian.org/UnattendedUpgrades
-
 <!-- In-article sections -->
 [further readings]: #further-readings

@@ -247,6 +246,12 @@ All the references in the [further readings] section, plus the following:
 [dpkg]: dpkg.md
 [netselect-apt]: netselect-apt.md

+<!-- Upstream -->
+[apt configuration]: https://wiki.debian.org/AptConfiguration
+[apt_preferences man page]: https://manpages.debian.org/testing/apt/apt_preferences.5.en.html
+[configuring apt sources]: https://wiki.debian.org/SourcesList
+[unattended upgrades]: https://wiki.debian.org/UnattendedUpgrades
+
 <!-- Others -->
 [cheat.sh]: https://cheat.sh/apt
 [fix a "problem with mergelist" or "status file could not be parsed" error]: https://askubuntu.com/questions/30072/how-do-i-fix-a-problem-with-mergelist-or-status-file-could-not-be-parsed-err#30199
--- a/snippets/dnf.sh
+++ b/snippets/dnf.sh
@@ -4,14 +4,15 @@ sudo dnf makecache

 sudo dnf list --available --showduplicates 'gitlab-runner'

-sudo dnf check-update --bugfix --security
-
 sudo dnf install 'https://prerelease.keybase.io/keybase_amd64.rpm'
 sudo dnf --assumeyes install 'git-lfs'
 sudo dnf --assumeyes install \
 	"https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm" \
 	"https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"

+sudo dnf check-update --bugfix --security
+sudo dnf check-update --releasever='2023.7.20250609' --allowerasing --changelogs
+
 sudo dnf upgrade --security --sec-severity 'Critical' --downloadonly
 sudo dnf -y upgrade --security --nobest --sec-severity 'Important'