made role OS-specific

defaults/main.yml

@@ -0,0 +1,2 @@
+---
+unattended_upgrades_os_supported: False

handlers/main.yml

@@ -0,0 +1 @@
+---

tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: Set OS dependent variables
+  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}.yml"
+        - "{{ ansible_os_family | lower }}.yml"
+        - "{{ ansible_system | lower }}.yml"
+      paths:
+        - '{{ role_path }}/vars'
+  ignore_errors: True
+
+- name: OS is supported
+  ansible.builtin.assert:
+    that: __os_supported
+    quiet: True
+  vars:
+    __os_supported: "{{ lookup('vars', '{}_os_supported'.format(role_name)) | bool }}"
+
+
+- name: Install unattended-upgrades
+  apt:
+    name: unattended-upgrades
+    state: present
+    update_cache: yes
+  
+- name: Set configuration
+  become: yes
+  template:
+    src: 90unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/90unattended-upgrades
+    mode: 0644

templates/90unattended-upgrades.j2

@@ -0,0 +1,14 @@
+Unattended-Upgrade::Allowed-Origins {
+    "${distro_id}:${distro_codename}";
+    "${distro_id}:${distro_codename}-security";
+    
+    // Extended Security Maintenance; doesn't necessarily exist for
+    // every release and this system may not have it installed, but if
+    // available, the policy for updates is such that unattended-upgrades
+    // should also install from here by default.
+    "${distro_id}ESMApps:${distro_codename}-apps-security";
+    "${distro_id}ESM:${distro_codename}-infra-security";
+    //      "${distro_id}:${distro_codename}-updates";
+    //      "${distro_id}:${distro_codename}-proposed";
+    //      "${distro_id}:${distro_codename}-backports";
+};

vars/debian.yml

@@ -0,0 +1,2 @@
+---
+unattended_upgrades_os_supported: True