sec(upgrades): Upgrade and reboot automation

7f2abe59 · Arthur BOUDREAULT · 61b8ae00 · 7f2abe59 · 7f2abe59 · 7f2abe59
Commit 7f2abe59 authored 2 years ago by Arthur BOUDREAULT
--- a/roles/ynh_config/README-FR.md
+++ b/roles/ynh_config/README-FR.md
@@ -26,7 +26,7 @@ ynh_smtp_relay:
 Yunohost possède son propre serveur SMTP natif mais il est aussi possible de configurer Yunohost pour qu'il utilise un relais SMTP à la place.
 Pour faire cela, créez la variable `ynh_smtp_relay` et mettez vos propres valeurs. Vous pouvez en apprendre plus sur les relais SMTP [ici](https://yunohost.org/fr/administrate/specific_use_cases/email_relay).
-### Configuration des mises à jour
+### Configuration des mises à jour de Yunohost
 ```yml
 # Autoupdate Yunohost and its apps
@@ -50,6 +50,25 @@ Si des mises à jour sont disponibles, elles sont faites automatiquement. En cas
 Pour en savoir plus sur le fonctionnement des mises à jour dans Yunohost vous pouvez vous rendre [ici](https://yunohost.org/fr/update). Le changelog des versions de Yunohost est aussi disponible [ici](https://forum.yunohost.org/tag/ynh_release).
+### Configuration des mises à jour du système Debian
+```yml
+ynh_autoupdate_scheduled:                  true
+hifis_ansible_unattended_upgrades_version: v2.0.1
+unattended_mail:                           "{{ admin_mail }}"
+unattended_mail_only_on_error:             true
+unattended_automatic_reboot:               true
+unattended_automatic_reboot_time:          01:00
+```
+- `ynh_autoupdate_scheduled` : Activer la gestion automatique des mises à jour Debian en mettant la valeur à `true`. Par défaut, la valeur est à `false`. Attention, vous êtes responsables de vos actions sur le serveur. Cette gestion automatisée peut créer des problèmes inattendus avec YunoHost.
+- `hifis_ansible_unattended_upgrades_version` : Vous permet de spécifier la version du rôle Ansible unattended upgrades à utiliser. La version par défaut du rôle est v2.0.1. Vous pouvez vérifier les versions du rôle [ici](https://github.com/hifis-net/ansible-role-unattended-upgrades/releases).
+- `unattended_mail` : Adresse mail à utiliser pour envoyer des informations sur les mises à jour qui ont eu lieues ou s'il y a eu des problèmes. La valeur par défaut est à `false`, ce qui n'envoie pas de mails.
+- `unattended_mail_only_on_error` : Envoie un mail uniquement en cas d'erreur (valeur par défaut, `true`) ou envoie un mail à chaque mise à jour système (valeur à `false`).
+- `unattended_automatic_reboot` : Redémarre le système si des paquets mis à jour en ont besoin.
+- `unattended_automatic_reboot_time` : Vous permet de spécifier l'heure à laquelle redémarrer le système si des paquets mis à jour en ont besoin. L'heure par défaut est réglée à 1h du matin.
+Pour en savoir plus sur le fonctionnement de ce rôle, rendez vous [ici](https://github.com/hifis-net/ansible-role-unattended-upgrades).
 ## Dépendances
 Aucune.

--- a/roles/ynh_config/README.md
+++ b/roles/ynh_config/README.md
@@ -50,6 +50,25 @@ If available, updates are done automatically. In case of problems following an a
 To learn more about how updates work in Yunohost you can go [here](https://yunohost.org/fr/update). The changelog of Yunohost versions is also available [here](https://forum.yunohost.org/tag/ynh_release).
+### Configure Debian unattended upgrades
+``yml
+ynh_autoupdate_scheduled:                  true
+hifis_ansible_unattended_upgrades_version: v2.0.1
+unattended_mail:                           "{{ admin_mail }}"
+unattended_mail_only_on_error:             true
+unattended_automatic_reboot:               true
+unattended_automatic_reboot_time:          01:00
+```
+- `ynh_autoupdate_scheduled`: Enable automatic Debian update management by setting the value to `true`. By default, the value is `false`. Be careful, you are responsible for your actions on the server. This automated management can create unexpected problems with YunoHost.
+- `hifis_ansible_unattended_upgrades_version`: Allows you to specify the version of the Ansible unattended upgrades role to use. The default version of the role is v2.0.1. You can check the versions of the role [here](https://github.com/hifis-net/ansible-role-unattended-upgrades/releases).
+- unattended_mail`: Email address to use to send feedback about upgrades that have been performed or if there have been any issues. The default value is `false`, which does not send mail.
+- unattended_mail_only_error`: Send mail only on error (default is `true`) or send mail on every system update (default is `false`).
+- unattended_automatic_reboot`: Reboot the system if updated packages need it.
+- unattended_automatic_reboot_time`: Allows you to specify the time to reboot the system if updated packages need it. The default time is set to 1am.
+To learn more about how this role works, go [here](https://github.com/hifis-net/ansible-role-unattended-upgrades).
 ## Dependencies
 None.

--- a/roles/ynh_config/defaults/main.yml
+++ b/roles/ynh_config/defaults/main.yml
@@ -38,3 +38,12 @@ ynh_autoupdate:
  # apps: True
  # system: True
  # dest_script: "/usr/local/bin/"
+# https://galaxy.ansible.com/hifis/unattended_upgrades
+# https://github.com/YunoHost-Apps/unattended_upgrades_ynh
+unattended_upgrade_scheduled:                false
+# hifis_ansible_unattended_upgrades_version: v2.0.1
+# unattended_mail:                           "{{ admin_mail }}"
+# unattended_mail_only_on_error:             true
+# unattended_automatic_reboot:               true
+# unattended_automatic_reboot_time:          01:00
--- a/roles/ynh_config/tasks/main.yml
+++ b/roles/ynh_config/tasks/main.yml
@@ -26,9 +26,16 @@
    - yunohost
    - smtp
- name: Configures Yunohost autoupdate
+- name: Configure Yunohost autoupdate
-  ansible.builtin.include_tasks: autoupdate.yml
+  ansible.builtin.include_tasks: ynh_autoupdate.yml
  when: ynh_autoupdate.scheduled
  tags:
    - yunohost
    - update
+- name: Configure System unattended upgrades
+  ansible.builtin.include_tasks: unattended_upgrade.yml
+  when: unattended_upgrade_scheduled
+  tags:
+    - linux
+    - update
--- a/roles/ynh_config/tasks/unattended_upgrade.yml
+++ b/roles/ynh_config/tasks/unattended_upgrade.yml
+---
+#-----------------------------------------------------------------------------#
+# ansible-yunohost allows to deploy Yunohost using Ansible                    #
+# Copyright 2021-present Lydra https://www.lydra.fr/                          #
+#                                                                             #
+# this program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# this program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
+#                                                                             #
+#-----------------------------------------------------------------------------#
+    - name: Download unattended upgrades
+      ansible.builtin.command: ansible-galaxy install hifis.unattended_upgrades,"{{ hifis_ansible_unattended_upgrades_version }}" -p "{{ _ansible_role_directory }}"
+      delegate_to: localhost
+      become: false
+      tags:
+      - linux
+      - update
+    - name: Gather facts for the role
+      ansible.builtin.setup:
+    - name: Run the role
+      ansible.builtin.include_role:
+        name: hifis_unattended_upgrades
--- a/roles/ynh_config/tasks/autoupdate.yml
+++ b/roles/ynh_config/tasks/autoupdate.yml
--- a/roles/ynh_config/vars/main.yml
+++ b/roles/ynh_config/vars/main.yml
+---
+#-----------------------------------------------------------------------------#
+# ansible-yunohost allows to deploy Yunohost using Ansible                    #
+# Copyright 2021-present Lydra https://www.lydra.fr/                          #
+#                                                                             #
+# this program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# this program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
+#                                                                             #
+#-----------------------------------------------------------------------------#
+_ansible_role_directory: "~/.ansible/roles"