init

2026-02-19 11:34:13 +00:00
commit f243f440c3
191 changed files with 6183 additions and 0 deletions
--- a/ansible/roles/harden/unattended_upgrades/handlers/main.yml
+++ b/ansible/roles/harden/unattended_upgrades/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: restart unattended-upgrades
+  ansible.builtin.service:
+    name: unattended-upgrades
+    state: restarted
+    enabled: true
+
+- name: restart apt timers
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: restarted
+    enabled: true
+  loop:
+    - apt-daily.timer
+    - apt-daily-upgrade.timer
--- a/ansible/roles/harden/unattended_upgrades/readme.md
+++ b/ansible/roles/harden/unattended_upgrades/readme.md
@@ -0,0 +1,17 @@
+```bash
+## Проверить, что таймеры включены и “тикают”
+systemctl status apt-daily.timer apt-daily-upgrade.timer
+systemctl list-timers --all | egrep 'apt-daily|apt-daily-upgrade'
+
+## Проверить, что unattended-upgrades реально запускался
+systemctl status unattended-upgrades.service
+journalctl -u unattended-upgrades --no-pager -n 200
+
+## Проверить логи и фактические действия
+ls -l /var/log/unattended-upgrades/
+tail -n 200 /var/log/unattended-upgrades/unattended-upgrades.log
+tail -n 200 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
+
+## Быстрый “самотест” (прогон в dry-run)
+unattended-upgrade --dry-run --debug
+```
--- a/ansible/roles/harden/unattended_upgrades/tasks/main.yml
+++ b/ansible/roles/harden/unattended_upgrades/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: ensure required packages are present
+  ansible.builtin.apt:
+    name:
+      - unattended-upgrades
+      - apt-listchanges
+      - gpg
+    state: present
+    update_cache: true
+
+- name: ensure debian-security repo is present
+  ansible.builtin.apt_repository:
+    repo: >-
+      deb http://deb.debian.org/debian-security
+      {{ ansible_facts.lsb.codename | default(ansible_facts.distribution_release) }}-security
+      main contrib non-free non-free-firmware
+    state: present
+    filename: debian-security
+    update_cache: true
+  notify: restart apt timers
+
+- name: deploy /etc/apt/apt.conf.d/50unattended-upgrades
+  ansible.builtin.template:
+    src: 50unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart unattended-upgrades
+
+- name: deploy /etc/apt/apt.conf.d/20auto-upgrades
+  ansible.builtin.template:
+    src: 20auto-upgrades.j2
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - restart unattended-upgrades
+    - restart apt timers
+
+- name: enable & start apt timers
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop:
+    - apt-daily.timer
+    - apt-daily-upgrade.timer
--- a/ansible/roles/harden/unattended_upgrades/templates/20auto-upgrades.j2
+++ b/ansible/roles/harden/unattended_upgrades/templates/20auto-upgrades.j2
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::AutocleanInterval "7";
--- a/ansible/roles/harden/unattended_upgrades/templates/50unattended-upgrades.j2
+++ b/ansible/roles/harden/unattended_upgrades/templates/50unattended-upgrades.j2
@@ -0,0 +1,10 @@
+Unattended-Upgrade::Origins-Pattern {
+        "origin=Debian,codename=${distro_codename}-security";
+};
+
+Unattended-Upgrade::Automatic-Reboot "false";
+Unattended-Upgrade::Automatic-Reboot-Time "03:30";
+Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
+
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::MinimalSteps "true";