Added base patch management role

2023-05-07 12:01:52 +02:00
parent 2fd69c736b
commit 0ca263c251
14 changed files with 325 additions and 0 deletions
--- a/roles/unattended-upgrades/templates/mail_credentials.j2
+++ b/roles/unattended-upgrades/templates/mail_credentials.j2
@ -0,0 +1 @@
+[{{ relay_servername }}]:{{ smtp_port }}    {{ smtp_username }}:{{ smtp_password }}
--- a/roles/unattended-upgrades/templates/mail_generic.j2
+++ b/roles/unattended-upgrades/templates/mail_generic.j2
@ -0,0 +1 @@
+{{ upgrades_sender }} {{ smtp_username }}
--- a/roles/unattended-upgrades/templates/mail_headers.j2
+++ b/roles/unattended-upgrades/templates/mail_headers.j2
@ -0,0 +1 @@
+/^From:.*/ REPLACE From: {{ from_header }} <{{ from_email }}>
--- a/roles/unattended-upgrades/templates/main.cf.j2
+++ b/roles/unattended-upgrades/templates/main.cf.j2
@ -0,0 +1,29 @@
+myhostname={{ postfix_hostname }}
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+{% if custom_smtp_header %}smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
+{% endif %}
+{% if smtp_masquerade %}smtp_generic_maps = hash:/etc/postfix/generic
+{% endif %}
+
+relayhost = [{{ relay_servername }}]:{{ smtp_port }}
+smtp_use_tls = yes
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_sasl_security_options = noanonymous, noplaintext
+smtp_sasl_tls_security_options = noanonymous
+smtp_tls_security_level = encrypt
+
+mynetworks = 127.0.0.0/8
+inet_interfaces = loopback-only
+recipient_delimiter = +
+
+compatibility_level = 2
--- a/roles/unattended-upgrades/templates/reboot_alert.sh.j2
+++ b/roles/unattended-upgrades/templates/reboot_alert.sh.j2
@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ -f /var/run/reboot-required ]; then
+    echo "A reboot is required following updates to server `hostname -f` for packages: \n \n $(cat /var/run/reboot-required.pkgs)" | mail -s "Reboot Required" {{ smtp_username }}
+fi
--- a/roles/unattended-upgrades/templates/unattended-upgrades.j2
+++ b/roles/unattended-upgrades/templates/unattended-upgrades.j2
@ -0,0 +1,23 @@
+Unattended-Upgrade::Origins-Pattern {
+        "origin=Debian,codename=${distro_codename}-updates";
+        "origin=Debian,codename=${distro_codename},label=Debian";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
+        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
+{% for list in additional_lists %}
+        "{{ list }}";
+{% endfor %}
+};
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Verbose "2";
+
+Unattended-Upgrade::Mail "{{ smtp_username }}";
+Unattended-Upgrade::Sender "{{ upgrades_sender }}";
+Unattended-Upgrade::MailReport "on-change";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
				`@ -0,0 +1 @@`
				`[{{ relay_servername }}]:{{ smtp_port }} {{ smtp_username }}:{{ smtp_password }}`
				`@ -0,0 +1 @@`
				`/^From:.*/ REPLACE From: {{ from_header }} <{{ from_email }}>`