Enable unattended-upgrades on server

Doesn't block on boot up by installing packages, so updates will be delayed by ~1d, but would prefer to update packages async after the tunnel is up anyway. Deferring that change for now so it'd involve a complicated refactor of the mgr.up logic.
conorsch · Aug 7, 2021 · fdb4306 · fdb4306
1 parent 831d710
commit fdb4306
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Innisfree changelog
 
+## 0.2.9
+
+* Enable unattended-upgrades
+* Support graceful termination in systemd service
+
 ## 0.2.8
 
 * Updates all dependencies to latest

diff --git a/TODO.md b/TODO.md
@@ -30,7 +30,7 @@
 
 * [x] SSH should use tmpfiles, not clobber primary dir
 * [ ] Package upgrade should be async
-* [ ] Configure unattended-upgrades
+* [x] Configure unattended-upgrades
 * [x] Add cleanup methods - dir
 * [x] Add cleanup methods - droplet
 * [x] Add cleanup methods - wg
@@ -50,6 +50,7 @@
 * [x] Add lots of results for better error handling
 * [x] Add doctor subcommand for checking
 
+* [ ] Service stop should clean up resources
 * [x] Make 'release' builds reproducible
 * [ ] Make deb package builds reproducible
 * [x] Use a build.rs file for setting remap on rustcflags https://doc.rust-lang.org/cargo/reference/build-scripts.html

diff --git a/files/cloudinit.cfg b/files/cloudinit.cfg
@@ -59,7 +59,17 @@ write_files:
   path: /etc/nginx/sites-available/default
   permissions: '0644'
 
+- content: |
+    Unattended-Upgrade::Allowed-Origins {
+      "*:*"
+    };
+
+  owner: root:root
+  path: /etc/apt/apt.conf.d/51unattended-upgrades
+  permissions: '0644'
+
 packages:
   - nginx
+  - unattended-upgrades
   - wireguard
   - wireguard-tools