---
# Configures automatic APT security updates: installs the tooling, registers
# the debian-security repository, renders the two apt.conf.d fragments and
# makes sure the APT systemd timers are enabled and running.
# The handlers named under `notify:` are expected to be defined elsewhere
# (they are not visible in this file).

# gpg is installed alongside the upgrade tooling, although no task in this
# file invokes it directly.
- name: ensure required packages are present
  ansible.builtin.apt:
    name:
      - unattended-upgrades
      - apt-listchanges
      - gpg
    state: present
    update_cache: true

# The suite is "<codename>-security"; the codename comes from the lsb fact
# and falls back to distribution_release when that fact is undefined.
# NOTE(review): the "<codename>-security" suite name and the
# non-free-firmware component exist only on newer Debian releases, and the
# task is not guarded on the distribution - confirm the releases this role
# targets.
# NOTE(review): the mirror URL is plain HTTP. APT authenticates the
# repository through its signed Release file rather than the transport, so
# this presumably relies on the Debian archive keyring already being on the
# host (no key is installed here). An on-path party can still see which
# packages are fetched and can delay delivery of updates; use https:// if
# policy requires transport protection (needs ca-certificates on the host).
- name: ensure debian-security repo is present
  ansible.builtin.apt_repository:
    repo: >-
      deb http://deb.debian.org/debian-security
      {{ ansible_facts.lsb.codename | default(ansible_facts.distribution_release) }}-security
      main contrib non-free non-free-firmware
    state: present
    filename: debian-security
    update_cache: true
  notify:
    - restart apt timers

# Rendered as root:root 0644, so only root can change it.
# NOTE(review): the template is not shown here; the origins it allows decide
# which packages get upgraded without operator review - verify it covers the
# security suite added above.
- name: deploy /etc/apt/apt.conf.d/50unattended-upgrades
  ansible.builtin.template:
    src: 50unattended-upgrades.j2
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
    mode: "0644"
  notify:
    - restart unattended-upgrades

# Same ownership and mode as the fragment above. A change here notifies both
# handlers, since this fragment also feeds the periodic APT jobs (template
# content not shown - confirm).
- name: deploy /etc/apt/apt.conf.d/20auto-upgrades
  ansible.builtin.template:
    src: 20auto-upgrades.j2
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: "0644"
  notify:
    - restart unattended-upgrades
    - restart apt timers

# Both timers must be enabled and started, otherwise the configuration
# deployed above is never acted on. Neither task in this file checks
# afterwards that an upgrade run actually happened; monitor that separately.
- name: "enable & start apt timers"
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - apt-daily.timer
    - apt-daily-upgrade.timer