commit 142c70337a209940a5cbf3378f18887deba939f4 Author: Aaron Guise Date: Mon Oct 31 09:02:42 2022 +1300 Initial project import diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..8827676 --- /dev/null +++ b/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/README.md b/README.md new file mode 100644 index 0000000..cb656f7 --- /dev/null +++ b/README.md @@ -0,0 +1,29 @@ +# Cron-APT - Ansible Role + +Install and configure of the cron-apt package for Debian based machines. + +## Configuring + +The below configuration variables are available: + +```yaml +cron_apt_mailto: monitoring@somedomain.net.nz # The email to receive notifications +cron_apt_apply_security: false # If set to true, security updates will automatically be applied +``` + +## Example playbook + +```yaml +--- +- hosts: all + become: true + roles: + - name: cron-apt + vars: + cron_apt_mailto: admin@somedomain.net.nz + cron_apt_apply_security: true +``` +You can of course configure variables instead at group_vars/host_vars level. This is just here as an example. + + + diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..6803550 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,4 @@ +--- +cron_apt_mailto: monitoring@hannover.freifunk.net\ +cron_apt_apply_security: false # If set to true, security updates will automatically be applied + 
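Review bot: The default `cron_apt_mailto` on the second added line of defaults/main.yml ends in a stray backslash (`monitoring@hannover.freifunk.net\` as shown), which YAML keeps as part of the plain scalar, so the rendered `MAILTO` would carry that trailing character; the value also disagrees with the `monitoring@somedomain.net.nz` default the README in this same commit documents. Suggest `cron_apt_mailto: 'monitoring@somedomain.net.nz'` (or whichever address is intended) so the default and the README match, and a comment above it such as `# Placeholder; override per host/group so notifications reach a monitored mailbox.` since a mis-set address means failed unattended upgrades go unnoticed.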
diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..089106a --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart cron + service: + name: cron + state: restarted \ No newline at end of file diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..2a3249c --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,10 @@ +--- +- name: Converge + hosts: all + vars: + cron_apt_apply_security: true + tasks: + - name: "Include cron-apt" + include_role: + name: "cron-apt" + diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..b60cb0d --- /dev/null +++ b/molecule/default/molecule.yml @@ -0,0 +1,15 @@ +--- +role_name_check: 1 +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: docker.io/guisea/docker-ubuntu22.04-ansible + command: /usr/bin/systemctl + pre_build_image: true +provisioner: + name: ansible +verifier: + name: ansible diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..626f4da --- /dev/null +++ b/molecule/default/verify.yml @@ -0,0 +1,18 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: fetch /etc/apt/sources.list + command: cat /etc/apt/sources.list + register: sources + + - name: Output info + debug: + var: sources + + - name: Example assertion + ansible.builtin.assert: + that: true diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..dd9e208 --- /dev/null +++ b/tasks/main.yml 
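Review bot: The last task of molecule/default/verify.yml asserts `that: true`, which can never fail, so the molecule run passes without checking anything the role did; `sources` is registered from `cat /etc/apt/sources.list` but is only printed, never inspected. Since converge.yml sets `cron_apt_apply_security: true`, the verifier should at least confirm that `/etc/apt/sources.list.d/security.list` exists and that no uncommented `security` line remains in `sources.stdout_lines`. The `command: cat` task also reports changed on every run and wants `changed_when: false`.

```yaml
    - name: fetch /etc/apt/sources.list
      command: cat /etc/apt/sources.list
      register: sources
      changed_when: false

    - name: Stat the generated security sources file
      stat:
        path: /etc/apt/sources.list.d/security.list
      register: security_list

    - name: Verify the role's effects
      ansible.builtin.assert:
        that:
          - security_list.stat.exists
          - sources.stdout_lines | reject('match', '^#') | select('search', 'security') | list | length == 0
```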
@@ -0,0 +1,43 @@ +--- +- name: Ensure cron-apt is installed + apt: + name: cron-apt + update_cache: yes + notify: + - Restart cron + +- name: Deploy config file + template: + src: config.j2 + dest: /etc/cron-apt/config + +- name: Apply security updates on download + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: action.5-secupdates.j2 + dest: /etc/cron-apt/action.d/5-security-updates + - src: config.5-secupdates.j2 + dest: /etc/cron-apt/config.d/5-security-updates + when: cron_apt_apply_security + +- name: Create separate file for security updates + shell: | + cat /etc/apt/sources.list | grep security \ + | grep -v '#' \ + > /etc/apt/sources.list.d/security.list + args: + creates: /etc/apt/sources.list.d/security.list + when: cron_apt_apply_security + +- name: Comment out security lines in /etc/apt/sources.list + lineinfile: + dest: /etc/apt/sources.list + regexp: '^(deb.*security.*?main.*)' + line: '# \1' + backrefs: yes + state: present + when: cron_apt_apply_security + + diff --git a/templates/action.5-secupdates.j2 b/templates/action.5-secupdates.j2 new file mode 100644 index 0000000..a183627 --- /dev/null +++ b/templates/action.5-secupdates.j2 @@ -0,0 +1 @@ +upgrade -y -o APT::Get::Show-Upgraded=true diff --git a/templates/config.5-secupdates.j2 b/templates/config.5-secupdates.j2 new file mode 100644 index 0000000..c5a88e4 --- /dev/null +++ b/templates/config.5-secupdates.j2 @@ -0,0 +1 @@ +OPTIONS="-q -o Dir::Etc::SourceList=/etc/apt/sources.list.d/security.list -o Dir::Etc::SourceParts=\"/dev/null\"" diff --git a/templates/config.j2 b/templates/config.j2 new file mode 100644 index 0000000..c89edf7 --- /dev/null +++ b/templates/config.j2 @@ -0,0 +1,6 @@ +# Configuration for cron-apt. For further information about the possible +# configuration settings see /usr/share/doc/cron-apt/README.gz. + +# AUTOGENERATED via Ansible - DO NOT EDIT +MAILTO="{{ cron_apt_mailto }}" +MAILON="error" 
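Review bot: The "Comment out security lines" task uses `lineinfile` with `backrefs: yes`, and lineinfile rewrites only the last line matching `regexp`; the pattern `^(deb.*security.*?main.*)` matches both the `deb` and the `deb-src` security entries, so on a stock sources.list one of them stays active while the grep in the preceding task has already copied both into `security.list`, leaving apt with a duplicated source. The `replace` module applies the substitution to every match, so that task should become `replace:` with `path`, the same `regexp` and `replace: '# \1'`. The "Create separate file" shell pipeline has no `pipefail` and the final `grep -v` exits 1 when nothing remains, failing the task after the redirect has already created an empty `security.list`, which `creates:` then treats as done on every later run — remove the file on failure so the task is retried. `update_cache: yes` should be `update_cache: true` for consistency with the README examples.

```yaml
- name: Create separate file for security updates
  shell: |
    set -o pipefail
    grep security /etc/apt/sources.list | grep -v '#' > /etc/apt/sources.list.d/security.list \
      || { rm -f /etc/apt/sources.list.d/security.list; exit 1; }
  args:
    creates: /etc/apt/sources.list.d/security.list
    executable: /bin/bash
  when: cron_apt_apply_security

- name: Comment out security lines in /etc/apt/sources.list
  replace:
    path: /etc/apt/sources.list
    regexp: '^(deb.*security.*?main.*)$'
    replace: '# \1'
  when: cron_apt_apply_security
```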
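Review bot: `MAILON="error"` on the last line of templates/config.j2 makes cron-apt mail only on failures, so when `cron_apt_apply_security` is true the upgrades installed by the `5-security-updates` action are applied without any report, even though the README describes `cron_apt_mailto` as the address that "receives notifications" and the action passes `APT::Get::Show-Upgraded=true` as if the upgrade list were meant to be mailed. Suggest exposing it as a role variable with the current value as fallback, `MAILON="{{ cron_apt_mailon | default('error') }}"`, and adding to the header comment the accepted values (if I recall cron-apt's README.gz correctly: error, upgrade, changes, output, always) so operators can opt into `upgrade` and see what changed on their hosts.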
diff --git a/templates/security.list.j2 b/templates/security.list.j2 new file mode 100644 index 0000000..c21dc05 --- /dev/null +++ b/templates/security.list.j2 @@ -0,0 +1,7 @@ +{% if ansible_distribution_release == "bullseye" -%} +deb http://security.debian.org/debian-security bullseye-security main +deb-src http://security.debian.org/debian-security bullseye-security main +{% else %} +deb http://security.debian.org/ {{ ansible_distribution_release }}/updates main +deb-src http://security.debian.org/ {{ ansible_distribution_release }}/updates main +{% endif %}
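Review bot: No task in this commit renders templates/security.list.j2 — tasks/main.yml builds `/etc/apt/sources.list.d/security.list` with a shell `grep` over sources.list instead — so the template is dead code and should either be removed or used by a `template` task in place of the pipeline, which would also avoid depending on the host's existing sources.list layout. If it is kept, the `{% else %}` branch's `{{ ansible_distribution_release }}/updates` form is, as far as I know, the pre-bullseye suite layout; later Debian releases follow the `<codename>-security` scheme like the bullseye branch, so the condition would need to be inverted to name the old releases rather than treating bullseye as the special case. A short comment at the top of the template stating which Debian releases each branch targets would make that intent reviewable.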