sec(upgrades): Upgrade and reboot automation
Servers need to be updated regularly.
- They should have operational unattended-upgrades.
- Automatic reboot is to be done to apply a new kernel. Reboot only at night and only if needed.
1. unattended-upgrades
This role hasn't been carried over from the original project.
requirements.yml
- name: jnv.unattended-upgrades
  version: v1.12.2
security.yml
# https://github.com/jnv/ansible-role-unattended-upgrades#readme
unattended_mail: "{{ admin_mail }}"
unattended_mail_only_on_error: True
unattended_automatic_reboot: False
2. Automatic reboot
Maybe setting unattended_automatic_reboot to True is enough.
security.yml
# https://github.com/jnv/ansible-role-unattended-upgrades#readme
unattended_mail: "{{ admin_mail }}"
unattended_mail_only_on_error: True
unattended_automatic_reboot: True
If not, a script in crontab which tests the result of the needrestart -q command.
Edited by Thomas MICHEL
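One way to write the crontab script mentioned above, as an added example that is not part of the original issue: it reads needrestart's batch output (`-b`) and reboots only when a kernel upgrade is pending and the current hour is inside a night window. The window (02:00 to 04:59), the script path, the `reboot-gate` log tag and the sample output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original issue): nightly reboot gate for cron.
# Assumed: needrestart is installed and the night window is 02:00-04:59.
# Hypothetical crontab line: 15 * * * * /usr/local/sbin/reboot-gate.sh --run

NIGHT_START=2   # first hour in which a reboot is allowed (assumed)
NIGHT_END=5     # first hour in which it is no longer allowed (assumed)

# Constructed sample of `needrestart -b` output, for offline testing only.
SAMPLE_PENDING='NEEDRESTART-VER: 3.6
NEEDRESTART-KCUR: 6.1.0-17-amd64
NEEDRESTART-KEXP: 6.1.0-18-amd64
NEEDRESTART-KSTA: 3'

# in_night_window HOUR: succeeds if HOUR (00-23) lies inside the window.
in_night_window() {
    hour=${1#0}                      # "03" -> "3", "00" -> "0", "0" -> ""
    [ "${hour:-0}" -ge "$NIGHT_START" ] && [ "${hour:-0}" -lt "$NIGHT_END" ]
}

# kernel_reboot_needed: reads batch output on stdin and checks the kernel status.
# NEEDRESTART-KSTA: 0 unknown, 1 no pending upgrade,
# 2 ABI-compatible upgrade pending, 3 version upgrade pending.
kernel_reboot_needed() {
    ksta=$(sed -n 's/^NEEDRESTART-KSTA: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ "${ksta:-0}" -ge 2 ]
}

# reboot_decision HOUR: prints "reboot", "defer" or "none" for the stdin report.
reboot_decision() {
    if ! kernel_reboot_needed; then
        echo none        # missing or unknown status never triggers a reboot
    elif in_night_window "$1"; then
        echo reboot
    else
        echo defer       # pending, but wait for the next run inside the window
    fi
}

# Only act when called with --run, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    case $(needrestart -b 2>/dev/null | reboot_decision "$(date +%H)") in
        reboot) logger -t reboot-gate "kernel upgrade pending, rebooting in 5 min"
                shutdown -r +5 ;;
        defer)  logger -t reboot-gate "kernel upgrade pending, outside night window" ;;
    esac
fi
```

Run hourly from root's crontab, the script defers during the day and reboots on the first run that falls inside the window.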