From b9be376f13981c899c6d0b973ea1190e9fa21f4d Mon Sep 17 00:00:00 2001 From: sonny Date: Sat, 15 Feb 2025 15:29:23 +0100 Subject: [PATCH] Add unattended upgrades setup --- handlers.yml | 5 ++ session | 130 +++++++++++++++++++++++++++++++ tasks/setup.yml | 38 +++++---- templates/unattended-upgrades.j2 | 81 +++++++++++++++++++ vars/main.yml | 1 + 5 files changed, 241 insertions(+), 14 deletions(-) create mode 100644 session create mode 100644 templates/unattended-upgrades.j2 diff --git a/handlers.yml b/handlers.yml index e9ec4cb..d151e17 100644 --- a/handlers.yml +++ b/handlers.yml @@ -44,3 +44,8 @@ name: certbot state: restarted enabled: false + +- name: Compile wezterm terminfo file + become: true + when: wezterm_copy.changed + ansible.builtin.command: 'tic -x {{ ansible_env.HOME }}/.terminfo' diff --git a/session b/session new file mode 100644 index 0000000..e3104ef --- /dev/null +++ b/session 
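Review bot: The new handler's `when: wezterm_copy.changed` references a variable that nothing in this patch registers — the `Copy wezterm terminfo file` task in the tasks/setup.yml hunk only adds `notify:`, so unless `wezterm_copy` is registered somewhere outside the diff, the handler will fail with an undefined-variable error the first time it is triggered. Since a handler already runs only when a task that notifies it reports `changed`, the condition is redundant; the simplest fix is to drop the `when: wezterm_copy.changed` line (alternatively add `register: wezterm_copy` to the copy task). Also worth confirming: the handler keeps `become: true` while pointing `tic` at `{{ ansible_env.HOME }}/.terminfo`, so the compile runs as root against the connecting user's home; if the intent is a per-user terminfo entry, `become` is presumably not needed here.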
@@ -0,0 +1,130 @@ +let SessionLoad = 1 +let s:so_save = &g:so | let s:siso_save = &g:siso | setg so=0 siso=0 | setl so=-1 siso=-1 +let v:this_session=expand(":p") +silent only +silent tabonly +cd ~/development/ansible/debian-setup +if expand('%') == '' && !&modified && line('$') <= 1 && getline(1) == '' + let s:wipebuf = bufnr('%') +endif +let s:shortmess_save = &shortmess +if &shortmess =~ 'A' + set shortmess=aoOA +else + set shortmess=aoO +endif +badd +15 playbook.yml +badd +35 ~/development/ansible/debian-setup/tasks/setup.yml +badd +0 templates/apt.j2 +badd +13 vars/main.yml +argglobal +%argdel +$argadd playbook.yml +edit ~/development/ansible/debian-setup/tasks/setup.yml +let s:save_splitbelow = &splitbelow +let s:save_splitright = &splitright +set splitbelow splitright +wincmd _ | wincmd | +vsplit +1wincmd h +wincmd w +wincmd _ | wincmd | +split +1wincmd k +wincmd w +let &splitbelow = s:save_splitbelow +let &splitright = s:save_splitright +wincmd t +let s:save_winminheight = &winminheight +let s:save_winminwidth = &winminwidth +set winminheight=0 +set winheight=1 +set winminwidth=0 +set winwidth=1 +exe 'vert 1resize ' . ((&columns * 30 + 82) / 164) +exe '2resize ' . ((&lines * 42 + 43) / 87) +exe 'vert 2resize ' . ((&columns * 133 + 82) / 164) +exe '3resize ' . ((&lines * 42 + 43) / 87) +exe 'vert 3resize ' . ((&columns * 133 + 82) / 164) +argglobal +enew +file NvimTree_1 +balt playbook.yml +setlocal fdm=manual +setlocal fde=v:lua.vim.treesitter.foldexpr() +setlocal fmr={{{,}}} +setlocal fdi=# +setlocal fdl=99 +setlocal fml=1 +setlocal fdn=20 +setlocal nofen +wincmd w +argglobal +balt vars/main.yml +setlocal fdm=expr +setlocal fde=v:lua.vim.treesitter.foldexpr() +setlocal fmr={{{,}}} +setlocal fdi=# +setlocal fdl=99 +setlocal fml=1 +setlocal fdn=20 +setlocal fen +1 +normal! zo +11 +normal! zo +21 +normal! zo +let s:l = 32 - ((31 * winheight(0) + 21) / 42) +if s:l < 1 | let s:l = 1 | endif +keepjumps exe s:l +normal! zt +keepjumps 32 +normal! 
0 +wincmd w +argglobal +if bufexists(fnamemodify("templates/apt.j2", ":p")) | buffer templates/apt.j2 | else | edit templates/apt.j2 | endif +if &buftype ==# 'terminal' + silent file templates/apt.j2 +endif +balt playbook.yml +setlocal fdm=expr +setlocal fde=v:lua.vim.treesitter.foldexpr() +setlocal fmr={{{,}}} +setlocal fdi=# +setlocal fdl=99 +setlocal fml=1 +setlocal fdn=20 +setlocal fen +let s:l = 50 - ((41 * winheight(0) + 21) / 42) +if s:l < 1 | let s:l = 1 | endif +keepjumps exe s:l +normal! zt +keepjumps 50 +normal! 0 +wincmd w +2wincmd w +exe 'vert 1resize ' . ((&columns * 30 + 82) / 164) +exe '2resize ' . ((&lines * 42 + 43) / 87) +exe 'vert 2resize ' . ((&columns * 133 + 82) / 164) +exe '3resize ' . ((&lines * 42 + 43) / 87) +exe 'vert 3resize ' . ((&columns * 133 + 82) / 164) +tabnext 1 +if exists('s:wipebuf') && len(win_findbuf(s:wipebuf)) == 0 && getbufvar(s:wipebuf, '&buftype') isnot# 'terminal' + silent exe 'bwipe ' . s:wipebuf +endif +unlet! s:wipebuf +set winheight=1 winwidth=20 +let &shortmess = s:shortmess_save +let &winminheight = s:save_winminheight +let &winminwidth = s:save_winminwidth +let s:sx = expand(":p:r")."x.vim" +if filereadable(s:sx) + exe "source " . fnameescape(s:sx) +endif +let &g:so = s:so_save | let &g:siso = s:siso_save +set hlsearch +nohlsearch +doautoall SessionLoadPost +unlet SessionLoad +" vim: set ft=vim : diff --git a/tasks/setup.yml b/tasks/setup.yml index 12bfad0..dcbe180 100644 --- a/tasks/setup.yml +++ b/tasks/setup.yml @@ -1,6 +1,6 @@ -- name: copy firewall template +- name: Copy firewall template become: true - template: + ansible.builtin.template: src: 'templates/nftables.j2' dest: '/etc/nftables.conf' owner: root @@ -8,9 +8,9 @@ mode: '0644' notify: restart nftables -- name: copy ssh template +- name: Copy ssh template become: true - template: + ansible.builtin.template: src: 'templates/ssh.j2' dest: '/etc/ssh/sshd_config' owner: root 
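Review bot: `session` is a Vim session file (the `SessionLoad` header and the `" vim: set ft=vim :` modeline), not part of the playbook, and looks committed by accident alongside the unattended-upgrades work. It hard-codes the author's local checkout path `~/development/ansible/debian-setup` and window layout, which is noise in the repository and will be reloaded by anyone who opens it. Remove it from the commit and add `session` (or a `Session.vim`-style pattern) to `.gitignore` so it does not come back.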
@@ -18,19 +18,29 @@ mode: '0644' notify: reload ssh -# TODO: provision default grub menu entry for now -# linux-image-6.1.0-17 kernel seems to break networking - # - -- name: copy wezterm terminfo file - copy: +- name: Copy wezterm terminfo file + ansible.builtin.copy: src: 'files/wezterm.terminfo' dest: '{{ ansible_env.HOME }}/.terminfo' + mode: '0755' + notify: Compile wezterm terminfo file -- name: compile wezterm terminfo file +- name: Disable user lingering become: true - command: 'tic -x {{ ansible_env.HOME }}/.terminfo' + ansible.builtin.command: 'loginctl disable-linger sonny' -- name: disable user lingering +- name: Copy unattended upgrades configuration become: true - command: 'loginctl disable-linger sonny' + ansible.builtin.template: + src: 'templates/unattended-upgrades.j2' + dest: '/etc/apt/apt.conf.d/10periodic' + owner: root + group: root + mode: '0755' + +- name: Enable unattended upgrades timer + become: true + ansible.builtin.systemd: + name: apt-daily-upgrade.timer + state: started + enabled: true diff --git a/templates/unattended-upgrades.j2 b/templates/unattended-upgrades.j2 new file mode 100644 index 0000000..d648265 --- /dev/null +++ b/templates/unattended-upgrades.j2 
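Review bot: `mode: '0755'` on the `Copy unattended upgrades configuration` task marks `/etc/apt/apt.conf.d/10periodic` executable; apt only reads the file, so it should be `mode: '0644'`, consistent with the nftables and ssh templates earlier in this file. The same `mode: '0755'` added to the wezterm terminfo copy is equally unnecessary — the destination is a terminfo source that `tic` reads, not a program — so `mode: '0644'` there too. Separately, only `apt-daily-upgrade.timer` is enabled, while the `Update-Package-Lists` and `Download-Upgradeable-Packages` settings in the new template are driven by `apt-daily.timer`; on Debian that timer is normally enabled by the apt package, but nothing here asserts it, so a second `ansible.builtin.systemd` task for `apt-daily.timer` would make the intent explicit. The `Unattended-Upgrade "1"` setting also depends on the `unattended-upgrades` package that vars/main.yml adds; I cannot see from this diff whether the package installation runs before this task.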
@@ -0,0 +1,81 @@ +# This file understands the following apt configuration variables: +# Values here are the default. +# Create /etc/apt/apt.conf.d/10periodic file to set your preference. +# +# All of the n-days interval options also accept the suffixes +# s for seconds, m for minutes, h for hours, d for days or +# the "always" value to do the action for every job run, +# which can be used with systemd OnCalendar overrides to +# define custom schedules for the apt update/upgrade jobs. +# +# Dir "/"; +# - RootDir for all configuration files +# +# Dir::Cache "var/cache/apt/"; +# - Set apt package cache directory +# +# Dir::Cache::Archives "archives/"; +# - Set package archive directory +# +# APT::Periodic::Enable "1"; +# - Enable the update/upgrade script (0=disable) +# +# APT::Periodic::BackupArchiveInterval "0"; +# - Backup after n-days if archive contents changed.(0=disable) +# +# APT::Periodic::BackupLevel "3"; +# - Backup level.(0=disable), 1 is invalid. +# +# Dir::Cache::Backup "backup/"; +# - Set periodic package backup directory +# +# APT::Archives::MaxAge "0"; (old, deprecated) +# APT::Periodic::MaxAge "0"; (new) +# - Set maximum allowed age of a cache package file. If a cache +# package file is older it is deleted (0=disable) +# +# APT::Archives::MinAge "2"; (old, deprecated) +# APT::Periodic::MinAge "2"; (new) +# - Set minimum age of a package file. If a file is younger it +# will not be deleted (0=disable). Useful to prevent races +# and to keep backups of the packages for emergency. +# +# APT::Archives::MaxSize "0"; (old, deprecated) +# APT::Periodic::MaxSize "0"; (new) +# - Set maximum size of the cache in MB (0=disable). If the cache +# is bigger, cached package files are deleted until the size +# requirement is met (the oldest packages will be deleted +# first). 
+# + +APT::Periodic::Update-Package-Lists "1"; +# - Do "apt-get update" automatically every n-days (0=disable) +# + +APT::Periodic::Download-Upgradeable-Packages "1"; +# - Do "apt-get upgrade --download-only" every n-days (0=disable) +# +# APT::Periodic::Download-Upgradeable-Packages-Debdelta "1"; +# - Use debdelta-upgrade to download updates if available (0=disable) +# +# +# +APT::Periodic::Unattended-Upgrade "1"; +# - Run the "unattended-upgrade" security upgrade script +# every n-days (0=disabled) +# Requires the package "unattended-upgrades" and will write +# a log in /var/log/unattended-upgrades +# + +APT::Periodic::AutocleanInterval "21"; +# - Do "apt-get autoclean" every n-days (0=disable) +# +# APT::Periodic::CleanInterval "0"; +# - Do "apt-get clean" every n-days (0=disable) +# +# APT::Periodic::Verbose "0"; +# - Send report mail to root +# 0: no report (or null string) +# 1: progress report (actually any string) +# 2: + command outputs (remove -qq, remove 2>/dev/null, add -d) +# 3: + trace on diff --git a/vars/main.yml b/vars/main.yml index ea123db..4426b8e 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -10,3 +10,4 @@ packages: - gnupg - radeontop - certbot + - unattended-upgrades
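Review bot: The new template contains no Jinja expressions — every value is hard-coded — so either ship it with `ansible.builtin.copy` or expose the four active keys (`Update-Package-Lists`, `Download-Upgradeable-Packages`, `Unattended-Upgrade`, `AutocleanInterval`) as role variables with these values as defaults, which is what a `.j2` file suggests. Despite the file name, this only sets the periodic schedule: which origins are upgraded and whether the host reboots after kernel updates are left to the package defaults in `50unattended-upgrades`, so a kernel security update will be installed but not active until a reboot. A short header comment stating that scope, e.g. `# Schedule only; allowed origins and reboot policy are left at the unattended-upgrades package defaults`, would spare the next reader from looking for those settings here, and the copied apt boilerplate that tells the reader to "Create /etc/apt/apt.conf.d/10periodic" could be trimmed since this file is that file.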