From 760b14cc4bec3b3fc1e469a9e2ce77d799f7d715 Mon Sep 17 00:00:00 2001 From: "Philip (a-0)" <@ph:a-0.me> Date: Wed, 13 Jul 2022 12:51:07 +0200 Subject: [PATCH] made role OS-specific
---
defaults/main.yml | 2 ++ handlers/main.yml | 1 + tasks/main.yml | 35 ++++++++++++++++++++++++++++++ templates/90unattended-upgrades.j2 | 14 ++++++++++++ vars/debian.yml | 2 ++ 5 files changed, 54 insertions(+) create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 tasks/main.yml create mode 100644 templates/90unattended-upgrades.j2 create mode 100644 vars/debian.yml
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..deaca1a
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+unattended_upgrades_os_supported: False
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1 @@
+---
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..4e9fa14
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: Set OS dependent variables
+ ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files:
+ - "{{ ansible_distribution | lower }}_{{ ansible_distribution_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}.yml"
+ - "{{ ansible_os_family | lower }}.yml"
+ - "{{ ansible_system | lower }}.yml"
+ paths:
+ - '{{ role_path }}/vars'
+ ignore_errors: True
+
+- name: OS is supported
+ ansible.builtin.assert:
+ that: __os_supported
+ quiet: True
+ vars:
+ __os_supported: "{{ lookup('vars', '{}_os_supported'.format(role_name)) | bool }}"
+
+
+- name: Install unattended-upgrades
+ apt:
+ name: unattended-upgrades
+ state: present
+ update_cache: yes
+
+- name: Set configuration
+ become: yes
+ template:
+ src: 90unattended-upgrades.j2
+ dest: /etc/apt/apt.conf.d/90unattended-upgrades
+ mode: 0644
\ No newline at end of file
diff --git a/templates/90unattended-upgrades.j2 b/templates/90unattended-upgrades.j2
new file mode 100644
index 0000000..20624fb
--- /dev/null
+++ b/templates/90unattended-upgrades.j2
@@ -0,0 +1,14 @@
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+
+ // Extended Security Maintenance; doesn't necessarily exist for
+ // every release and this system may not have it installed, but if
+ // available, the policy for updates is such that unattended-upgrades
+ // should also install from here by default.
+ "${distro_id}ESMApps:${distro_codename}-apps-security";
+ "${distro_id}ESM:${distro_codename}-infra-security";
+ // "${distro_id}:${distro_codename}-updates";
+ // "${distro_id}:${distro_codename}-proposed";
+ // "${distro_id}:${distro_codename}-backports";
+};
\ No newline at end of file
diff --git a/vars/debian.yml b/vars/debian.yml
new file mode 100644
index 0000000..386426d
--- /dev/null
+++ b/vars/debian.yml
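Review bot: The `OS is supported` assert in tasks/main.yml builds the variable name from `role_name`, so it presumably resolves `unattended_upgrades_os_supported` only when the role is checked out under exactly that name; under another directory or namespaced name the lookup would fail as an undefined variable rather than as a clean support check (worth confirming against how the role is installed). Referencing the variable directly, `that: unattended_upgrades_os_supported | bool`, removes that coupling, and adding `fail_msg: "{{ ansible_distribution }} is not supported by this role"` would make the `quiet: True` failure readable. Separately, `ignore_errors: True` on the include also swallows a malformed vars file, which then surfaces only as "unsupported OS". `Install unattended-upgrades` has no `become: yes` while `Set configuration` does, so the package install appears to rely on play-level privilege escalation; setting it on both tasks keeps the role self-contained.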
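Review bot: The origin list in templates/90unattended-upgrades.j2 is the Ubuntu-style `Allowed-Origins` set, including the `ESMApps`/`ESM` entries, while vars/debian.yml marks the whole `debian` name (distribution or OS family) as supported. Debian's stock configuration selects security updates through `Unattended-Upgrade::Origins-Pattern`, so it is worth confirming on a Debian host with `unattended-upgrade --dry-run --debug` that `"${distro_id}:${distro_codename}-security"` actually matches the security archive; otherwise the role reports success while security updates are never selected. Nothing in this commit sets `APT::Periodic::Unattended-Upgrade`, so whether upgrades run at all depends on the package's defaults, and a short comment at the top of the template saying that scheduling is configured elsewhere would make that explicit. A first line of `// {{ ansible_managed }}` would also mark the file as generated so that local edits are not silently overwritten.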
@@ -0,0 +1,2 @@
+---
+unattended_upgrades_os_supported: True
\ No newline at end of file