From f92583f367b1b80907d47bd2fb8f626dd59bed8a Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 3 Jul 2024 12:55:27 +0100
Subject: [PATCH 1/2] Correctly enable security origins on Debian
---
 README.md | 2 +-
 templates/50unattended-upgrades.j2 | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 81d2a18..612045e 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ Whether to install/enable `yum-cron` (RedHat-based systems) or `unattended-upgra
 # - "${distro_id}ESM:${distro_codename}-infra-security"
 # - "Docker:${distro_codename}"
-(Debian/Ubuntu only) A listing of origins to reference.
+(Debian/Ubuntu only) A listing of origins to reference. Debian's "Debian-Security" and Ubuntu's "${distro_codename}-security" origins are enabled by default.
 security_autoupdate_reboot: false
diff --git a/templates/50unattended-upgrades.j2 b/templates/50unattended-upgrades.j2
index 827a100..d45e833 100644
--- a/templates/50unattended-upgrades.j2
+++ b/templates/50unattended-upgrades.j2
@@ -9,8 +9,11 @@ Unattended-Upgrade::MailOnlyOnError "true";
 {% endif %}
 Unattended-Upgrade::Allowed-Origins {
+{% if ansible_distribution == 'Debian' %}
+ "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
+{% else %}
 "${distro_id} ${distro_codename}-security";
-// "${distro_id} ${distro_codename}-updates";
+{% endif %}
 {% for origin in security_autoupdate_additional_origins %}
 "{{ origin }}";
 {% endfor %}
From 3611d7cc7f3bd3cebc15fd88af0385bf46e53149 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 3 Jul 2024 14:56:52 +0100
Subject: [PATCH 2/2] Use legacy syntax for Debian origin
---
 templates/50unattended-upgrades.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/50unattended-upgrades.j2 b/templates/50unattended-upgrades.j2
index d45e833..e8347ff 100644
--- a/templates/50unattended-upgrades.j2
+++ b/templates/50unattended-upgrades.j2
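Review bot: The Debian entry added in the `{% if ansible_distribution == 'Debian' %}` branch of templates/50unattended-upgrades.j2 has no terminating `;`, unlike the `"${distro_id} ${distro_codename}-security";` entry in the `{% else %}` branch, so the Allowed-Origins list rendered on Debian is not well-formed apt.conf; the line should end `...,label=Debian-Security";`. The replacement line in PATCH 2/2 (`"${distro_id} stable-security"`) omits the semicolon in the same way. Depending on how apt treats the malformed list, the security origin may be merged with the next entry or the file may fail to parse, and either outcome leaves a host that is assumed to auto-patch not installing security updates. Rendering the template on a Debian host and running `unattended-upgrade --dry-run --debug` would confirm which origins are actually allowed.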
@@ -10,7 +10,7 @@ Unattended-Upgrade::MailOnlyOnError "true";
 Unattended-Upgrade::Allowed-Origins {
 {% if ansible_distribution == 'Debian' %}
- "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
+ "${distro_id} stable-security"
 {% else %}
 "${distro_id} ${distro_codename}-security";
 {% endif %}
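Review bot: Hard-coding `stable-security` in the Debian branch ties the allowed origin to the suite name rather than to the installed release, so it presumably stops matching once that release is relabelled `oldstable-security`, and security updates would then stop being applied with no error. It may also not match older Debian releases that used a different security suite layout; that should be checked against the releases this role supports. Keying on the codename avoids both problems: keep the key=value form from PATCH 1/2 but place it in a separate `Unattended-Upgrade::Origins-Pattern { ... };` block as `"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";`, since that syntax belongs there rather than in Allowed-Origins. The Allowed-Origins block continues past the end of this hunk.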