# APT Ansible Role
An Ansible role to configure APT repositories, package management, and automated security updates on Debian-based systems.
## Features
- Configure APT sources.list for Debian and Ubuntu
- Manage package installations and removals
- Configure APT behavior
- Automated security updates (opt-in via unattended-upgrades)
- Highly configurable unattended-upgrades behavior
- Customizable periodic update schedules
## Installation

Add the following to your requirements.yml:

```yaml
roles:
  - name: apt
    src: https://gitlab.com/niclas-zone/tools/ansible/roles/apt.git
    version: 1.0.0
    scm: git
```
Then install:
## Role Variables

### Basic Configuration

| Variable | Default Value | Description |
|---|---|---|
| apt_cache_valid_time | 3600 | Cache validity time in seconds |
| apt_update_cache | true | Whether to update the cache when installing packages |
| apt_force_apt_get | true | Force use of apt-get instead of aptitude |
| apt_install_recommends | false | Whether to install recommended packages |
| apt_sources_list_path | "/etc/apt/sources.list" | Path to the sources.list file |
| apt_packages_install | [] | List of packages to install |
| apt_packages_remove | [] | List of packages to remove |
| apt_conf_d_options | {} | Dictionary of APT configuration options |
### Unattended Upgrades (Security Updates)

| Variable | Default Value | Values | Description |
|---|---|---|---|
| apt_unattended_upgrades_enabled | false | true, false | Enable automatic security updates (opt-in) |
| apt_unattended_upgrades_security_only | true | true, false | Only install security updates |
| apt_unattended_upgrades_auto_reboot | false | true, false | Allow automatic reboots after updates |
| apt_unattended_upgrades_auto_reboot_time | "02:00" | "now", "hh:mm", "+m" | Time for automatic reboots |
### Advanced Unattended Upgrades Configuration

| Variable | Default Value | Values | Description |
|---|---|---|---|
| apt_unattended_upgrades_dev_release | "auto" | "true", "false", "auto" | Development release upgrade behavior |
| apt_unattended_upgrades_autofix_interrupted_dpkg | "true" | "true", "false" | Fix interrupted dpkg operations |
| apt_unattended_upgrades_minimal_steps | "true" | "true", "false" | Use minimal upgrade steps |
| apt_unattended_upgrades_install_on_shutdown | "false" | "true", "false" | Install during shutdown |
| apt_unattended_upgrades_mail | "" | "email@domain.com", "" | Email address for notifications |
| apt_unattended_upgrades_mail_report | "on-change" | "always", "only-on-error", "on-change" | Email report frequency |
| apt_unattended_upgrades_remove_unused_kernel_packages | "true" | "true", "false" | Clean old kernels |
| apt_unattended_upgrades_remove_new_unused_dependencies | "true" | "true", "false" | Remove new unused dependencies |
| apt_unattended_upgrades_remove_unused_dependencies | "false" | "true", "false" | Remove unused dependencies |
| apt_unattended_upgrades_auto_reboot_with_users | "true" | "true", "false" | Reboot with users logged in |
| apt_unattended_upgrades_syslog_enable | "false" | "true", "false" | Enable syslog logging |
| apt_unattended_upgrades_syslog_facility | "daemon" | "daemon", "mail", "user", "local0-7" | Syslog facility |
| apt_unattended_upgrades_only_on_ac_power | "true" | "true", "false" | Only on AC power |
| apt_unattended_upgrades_skip_updates_on_metered | "true" | "true", "false" | Skip on metered connections |
| apt_unattended_upgrades_verbose | "false" | "true", "false" | Verbose logging |
| apt_unattended_upgrades_debug | "false" | "true", "false" | Debug logging |
| apt_unattended_upgrades_allow_downgrade | "false" | "true", "false" | Allow package downgrades |
### Periodic Update Settings

| Variable | Default Value | Values | Description |
|---|---|---|---|
| apt_periodic_enable | "1" | "0" (disable), "1" (enable) | Enable the periodic update system |
| apt_periodic_update_package_lists | "1" | "0" (disable), "1+" (days) | Update package lists every N days |
| apt_periodic_download_upgradeable_packages | "1" | "0" (disable), "1+" (days) | Download packages every N days |
| apt_periodic_unattended_upgrade | "1" | "0" (disable), "1+" (days) | Run unattended upgrades every N days |
| apt_periodic_autoclean_interval | "7" | "0" (disable), "1+" (days) | Clean the package cache every N days |
| apt_periodic_verbose | "0" | "0" (quiet), "1" (progress), "2" (detailed), "3" (trace) | Verbosity level for reporting |
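As an added pre-flight check (example code written for this page, not part of the role), the script below validates a vars dictionary against the value domains documented in the tables above and renders the periodic settings as APT::Periodic directives, filling in the role defaults. The mapping of each apt_periodic_* variable to a standard 20auto-upgrades key is an assumption, not taken from the role's templates.

```python
import re

# Allowed values as documented in the role's variable tables (constructed from the README).
DEV_RELEASE = {"true", "false", "auto"}
MAIL_REPORT = {"always", "only-on-error", "on-change"}
SYSLOG_FACILITY = {"daemon", "mail", "user"} | {f"local{i}" for i in range(8)}
PERIODIC_VERBOSE = {"0", "1", "2", "3"}
# "now", "hh:mm" (24-hour clock) or "+m" (minutes after the upgrade run)
REBOOT_TIME = re.compile(r"^(now|([01]\d|2[0-3]):[0-5]\d|\+\d+)$")
PERIODIC_DAYS = re.compile(r"^\d+$")  # "0" disables, "1+" is an interval in days

# Periodic variables, their documented defaults, and the APT::Periodic directive
# each corresponds to (assumed mapping to the standard 20auto-upgrades keys).
PERIODIC = {
    "apt_periodic_enable": ("Enable", "1"),
    "apt_periodic_update_package_lists": ("Update-Package-Lists", "1"),
    "apt_periodic_download_upgradeable_packages": ("Download-Upgradeable-Packages", "1"),
    "apt_periodic_unattended_upgrade": ("Unattended-Upgrade", "1"),
    "apt_periodic_autoclean_interval": ("AutocleanInterval", "7"),
    "apt_periodic_verbose": ("Verbose", "0"),
}

def validate_role_vars(role_vars):
    """Return "variable: problem" strings; an empty list means every documented domain holds."""
    problems = []

    def check(name, accepts, expected):
        if name in role_vars and not accepts(str(role_vars[name])):
            problems.append(f"{name}: {role_vars[name]!r} not in {expected}")

    check("apt_unattended_upgrades_auto_reboot_time", REBOOT_TIME.match, '"now", "hh:mm", "+m"')
    check("apt_unattended_upgrades_dev_release", DEV_RELEASE.__contains__, sorted(DEV_RELEASE))
    check("apt_unattended_upgrades_mail_report", MAIL_REPORT.__contains__, sorted(MAIL_REPORT))
    check("apt_unattended_upgrades_syslog_facility", SYSLOG_FACILITY.__contains__, "daemon, mail, user, local0-7")
    for name, (key, _default) in PERIODIC.items():
        if key == "Enable":
            check(name, {"0", "1"}.__contains__, '"0", "1"')
        elif key == "Verbose":
            check(name, PERIODIC_VERBOSE.__contains__, sorted(PERIODIC_VERBOSE))
        else:
            check(name, PERIODIC_DAYS.match, '"0" or "1+" (days)')
    return problems

def render_periodic(role_vars):
    """Render the periodic schedule as APT::Periodic directives, using role defaults for unset vars."""
    lines = [f'APT::Periodic::{key} "{role_vars.get(name, default)}";'
             for name, (key, default) in PERIODIC.items()]
    return "\n".join(lines) + "\n"
```

Run validate_role_vars on the vars block of a playbook before applying it; a non-empty list means a value outside the documented domain, which unattended-upgrades would otherwise reject or silently misinterpret at run time.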
## Example Playbooks

### Basic: Configure APT with defaults

### Enable automated security updates

```yaml
---
- hosts: servers
  become: true
  roles:
    - role: apt
      vars:
        apt_unattended_upgrades_enabled: true
        apt_unattended_upgrades_mail: "admin@example.com"
```
### Custom configuration with packages and security updates

```yaml
---
- hosts: servers
  become: true
  roles:
    - role: apt
      vars:
        apt_packages_install:
          - htop
          - tmux
        apt_packages_remove:
          - nano
        apt_install_recommends: true
        # Enable security updates
        apt_unattended_upgrades_enabled: true
        apt_unattended_upgrades_auto_reboot: true
        apt_unattended_upgrades_auto_reboot_time: "03:00"
        apt_unattended_upgrades_mail: "admin@example.com"
        apt_unattended_upgrades_mail_report: "always"
```
### Advanced unattended upgrades configuration

```yaml
---
- hosts: production
  become: true
  roles:
    - role: apt
      vars:
        # Basic security updates
        apt_unattended_upgrades_enabled: true
        # Email notifications
        apt_unattended_upgrades_mail: "ops-team@example.com"
        apt_unattended_upgrades_mail_report: "only-on-error"
        # Conservative settings for production
        apt_unattended_upgrades_auto_reboot: false
        apt_unattended_upgrades_only_on_ac_power: false
        apt_unattended_upgrades_skip_updates_on_metered: false
        # Cleanup settings
        apt_unattended_upgrades_remove_unused_dependencies: true
        apt_unattended_upgrades_remove_unused_kernel_packages: true
        # Custom schedule - check every 2 days
        apt_periodic_update_package_lists: "2"
        apt_periodic_unattended_upgrade: "2"
```
## Security Updates

This role provides opt-in automated security updates via the unattended-upgrades package:

- Security-only updates: Only security patches are installed automatically
- Ubuntu ESM support: Extended Security Maintenance updates are included when available
- Email notifications: Get notified of successful updates or errors
- Automatic reboots: Optional scheduled reboots when required
- Battery/metered awareness: Skip updates on battery or metered connections
- Comprehensive logging: Detailed logs in /var/log/unattended-upgrades/