| author | root <root@localhost> | 2018-09-16 22:21:28 +0200 |
|---|---|---|
| committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2018-09-16 22:26:55 +0200 |
| commit | b9c90f087cb54a0b8be222dbdcd88c8a73ef4f57 (patch) | |
| tree | 51f19339b7cb1da0633bca404ff31f87584351fd /code/environments/production/modules/unattended_upgrades/templates | |
| parent | bb00f4ab450131094096b7ae74cf3edcdaa224db (diff) | |
| download | puppet.DEV-b9c90f087cb54a0b8be222dbdcd88c8a73ef4f57.tar.gz puppet.DEV-b9c90f087cb54a0b8be222dbdcd88c8a73ef4f57.tar.bz2 puppet.DEV-b9c90f087cb54a0b8be222dbdcd88c8a73ef4f57.zip | |
Add voxpopulis's unattended_upgrade module.
Diffstat (limited to 'code/environments/production/modules/unattended_upgrades/templates')
3 files changed, 151 insertions, 0 deletions
diff --git a/code/environments/production/modules/unattended_upgrades/templates/options.erb b/code/environments/production/modules/unattended_upgrades/templates/options.erb
new file mode 100644
index 0000000..3c6e2d6
--- /dev/null
+++ b/code/environments/production/modules/unattended_upgrades/templates/options.erb
@@ -0,0 +1,11 @@
+Dpkg::Options {
+<%- @_options.sort_by{|key,value| key}.each do |config, value|
+ if %w(force_confdef force_confold force_confnew force_confmiss).include?(config) then
+ if value then -%>
+ "--<%= config.sub('_','-') -%>";
+ <%- end
+ else
+ scope.function_fail(["#{config} not a valid key for $unattended_upgrades::options"])
+ end
+end -%>
+}
diff --git a/code/environments/production/modules/unattended_upgrades/templates/periodic.erb b/code/environments/production/modules/unattended_upgrades/templates/periodic.erb
new file mode 100644
index 0000000..780821c
--- /dev/null
+++ b/code/environments/production/modules/unattended_upgrades/templates/periodic.erb
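Review bot: The `else` branch in options.erb calls `scope.function_fail([...])`, which is the legacy Puppet 3 convention for invoking a function from a template; on current Puppet releases the documented form is `scope.call_function('fail', ["#{config} not a valid key for $unattended_upgrades::options"])`, so it is worth confirming which Puppet version this environment runs. Rejecting unknown keys only at render time also means a bad key is discovered late; if the manifest (not part of this diff) does not already constrain the option keys with a data type, that is the better place for the check. As a matter of style, `config.sub('_','-')` replaces only the first underscore, which happens to be enough for the four accepted keys; `config.tr('_','-')` states the intent.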
@@ -0,0 +1,62 @@
+APT::Periodic::Enable "<%= @enable %>";
+# - Enable the update/upgrade script (0=disable)
+#
+APT::Periodic::BackupArchiveInterval "<%= @_backup['archive_interval'] %>";
+# - Backup after n-days if archive contents changed.(0=disable)
+#
+APT::Periodic::BackupLevel "<%= @_backup['level'] %>";
+# - Backup level.(0=disable), 1 is invalid.
+#
+APT::Periodic::MaxAge "<%= @_age['max'] %>";
+# - Set maximum allowed age of a cache package file. If a cache
+# package file is older it is deleted (0=disable)
+#
+APT::Periodic::MinAge "<%= @_age['min'] %>";
+# - Set minimum age of a package file. If a file is younger it
+# will not be deleted (0=disable). Usefull to prevent races
+# and to keep backups of the packages for emergency.
+#
+APT::Periodic::MaxSize "<%= @size %>";
+# - Set maximum size of the cache in MB (0=disable). If the cache
+# is bigger, cached package files are deleted until the size
+# requirement is met (the biggest packages will be deleted
+# first).
+#
+APT::Periodic::Update-Package-Lists "<%= @update %>";
+# - Do "apt-get update" automatically every n-days (0=disable)
+#
+APT::Periodic::Download-Upgradeable-Packages "<%= @_upgradeable_packages['download_only'] %>";
+# - Do "apt-get upgrade --download-only" every n-days (0=disable)
+#
+APT::Periodic::Download-Upgradeable-Packages-Debdelta "<%= @_upgradeable_packages['debdelta'] %>";
+# - Use debdelta-upgrade to download updates if available (0=disable)
+#
+APT::Periodic::Unattended-Upgrade "<%= @upgrade %>";
+# - Run the "unattended-upgrade" security upgrade script
+# every n-days (0=disabled)
+# Requires the package "unattended-upgrades" and will write
+# a log in /var/log/unattended-upgrades
+#
+APT::Periodic::AutocleanInterval "<%= @_auto['clean'] %>";
+# - Do "apt-get autoclean" every n-days (0=disable)
+#
+APT::Periodic::Verbose "<%= @verbose %>";
+# - Send report mail to root
+# 0: no report (or null string)
+# 1: progress report (actually any string)
+# 2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
+# 3: + trace on
+<%- unless @random_sleep.nil? -%>
+#
+APT::Periodic::RandomSleep "<%= @random_sleep %>";
+# - The apt cron job will delay its execution by a random
+# time span between zero and 'APT::Periodic::RandomSleep'
+# seconds.
+# This is done because otherwise everyone would access the
+# mirror servers at the same time and put them collectively
+# under very high strain.
+# You can set this to '0' if you are using a local mirror and
+# do not care about the load spikes.
+# Note that sleeping in the apt job will be delaying the
+# execution of all subsequent cron.daily jobs.
+<%- end -%>
diff --git a/code/environments/production/modules/unattended_upgrades/templates/unattended-upgrades.erb b/code/environments/production/modules/unattended_upgrades/templates/unattended-upgrades.erb
new file mode 100644
index 0000000..c31b2df
--- /dev/null
+++ b/code/environments/production/modules/unattended_upgrades/templates/unattended-upgrades.erb
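Review bot: Every value in periodic.erb is written into a double-quoted apt.conf string with a plain `<%= ... %>`, and nothing in the template checks or escapes it, so a value containing `"` or a line break would end the string early and change how the rest of the file is parsed. The same applies in unattended-upgrades.erb, where it matters more because `@origins`, `@blacklist`, `@_mail['to']`, `@sender` and `@dl_limit` are free-form strings and the rendered file decides which origins are upgraded without an operator present. The manifest is not part of this diff (the diffstat is limited to the templates), so type validation may already exist there. If it does not, constrain the class parameters with Puppet data types, integers for the periodic intervals and a pattern that excludes `"`, `\` and line breaks for the strings, rather than sanitising inside the templates.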
@@ -0,0 +1,78 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+//
+// Note that in Ubuntu security updates may pull in new dependencies
+// from non-security sources (e.g. chromium). By allowing the release
+// pocket these get automatically pulled in.
+<%- if @legacy_origin -%>
+Unattended-Upgrade::Allowed-Origins {
+<%- else -%>
+Unattended-Upgrade::Origins-Pattern {
+<%- end -%>
+<% @origins.each do |origin| -%>
+ "<%= origin %>";
+<% end -%>
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+<% @blacklist.each do |package| -%>
+ "<%= package %>";
+<% end -%>
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+Unattended-Upgrade::AutoFixInterruptedDpkg "<%= @_auto['fix_interrupted_dpkg'].to_s %>";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "<%= @minimal_steps.to_s %>";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+Unattended-Upgrade::InstallOnShutdown "<%= @install_on_shutdown.to_s %>";
+
+<%- unless @_mail['to'].nil? -%>
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+
+Unattended-Upgrade::Mail "<%= @_mail['to'] %>";
+
+<%- if @_mail['only_on_error'] -%>
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+Unattended-Upgrade::MailOnlyOnError "<%= @_mail['only_on_error'].to_s %>";
+<%- end -%>
+<%- end -%>
+
+<%- if @sender -%>
+// Use the specified value in the "From" field of outgoing mails.
+// Defaults to "root"
+Unattended-Upgrade::Sender "<%= @sender %>";
+
+<%- end -%>
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "<%= @_auto['remove'].to_s %>";
+
+// Automatically reboot *WITHOUT CONFIRMATION*
+// if the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "<%= @_auto['reboot'].to_s %>";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+Unattended-Upgrade::Automatic-Reboot-Time "<%= @_auto['reboot_time'].to_s %>";
+
+<%- unless @dl_limit.nil? -%>
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+Acquire::http::Dl-Limit "<%= @dl_limit %>";
+<%- end -%>
|
