svsticky · romanpeters · Feb 5, 2019 · Feb 6, 2019 · Feb 6, 2019 · Feb 6, 2019
diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
@@ -11,3 +11,7 @@ wifi_networks:
 
   - ssid: "Woestgaafsecure Gamehall"
     password: "fantazero"
+
+unattended_upgrades:
+  security: true
+  all: true
diff --git a/ansible/handlers/main.yml b/ansible/handlers/main.yml
@@ -3,3 +3,7 @@
   service:
     name: "sshd"
     state: "reloaded"
+
+- name: "systemctl daemon-reload"
+  systemd:
+    daemon_reload: true
diff --git a/ansible/main.yml b/ansible/main.yml
@@ -24,3 +24,6 @@
 
     - name: "install graphical environment"
       include_tasks: "tasks/graphical.yml"
+
+    - name: "configure unattended upgrades"
+      include_tasks: "tasks/security.yml"
diff --git a/ansible/scripts/authorize-github.sh b/ansible/scripts/authorize-github.sh
@@ -19,7 +19,7 @@ fi
 # Note that bash cannot return strings, and instead redirects the stdout of
 # commands called in the function to the caller.
 function get_without_otp() {
-  username = $1
+  username=$1
   curl                                                    \
     -u $username                                          \
     --data '{"scopes":["read:org"],"note":"hapPI token"}' \
@@ -44,7 +44,7 @@ read OTPCODE
 
 if [ -n $OTPCODE ]; then
   echo "Requesting token with OTP code."
-  HTTPRESULT=$(get_with_otp $USERNAME $OTPCODE)
+  HTTPRESULT=$(get_without_otp $USERNAME $OTPCODE)
 else
   echo "Requesting token without OTP code."
   HTTPRESULT=$(get_without_otp $USERNAME)

diff --git a/ansible/scripts/get-authorized-keys.sh b/ansible/scripts/get-authorized-keys.sh
@@ -39,6 +39,6 @@ for team in ${TEAMS[@]}; do
 done
 
 echo "Updating authorized-keys template."
-mv --backup=numbered .new-authorized-keys templates/home/pi/.ssh/authorized_keys.j2
+mv .new-authorized-keys templates/home/pi/.ssh/authorized_keys.j2
 
 echo "Done!"
diff --git a/ansible/tasks/security.yml b/ansible/tasks/security.yml
@@ -0,0 +1,38 @@
+---
+# Needed because of Ansible issue #25414
+- name: "check if unattended-upgrades is not in progress"
+  shell:
+    "while fuser /var/lib/dpkg/lock; do sleep 1; done;"
+  become: true
+  changed_when: false
+
+- name: "install common utilities"
+  apt:
+    name:
+      - "aptitude"
+      - "htop"
+      - "unattended-upgrades"
+      - "haveged"
+    state: "present"
+
+# uncomment in case of merge list error
+# https://www.ihaveapc.com/2011/05/how-to-fix-problem-with-mergelist-varlibaptlists-error-in-ubuntu-11-04/
+#- name: "remove merge list"
+#  command: "rm /var/lib/apt/lists/* -vf"
+
+- name: "update all packages"
+  apt:
+    upgrade: "yes"
+    update_cache: true
+    cache_valid_time: 100
+
+- name: "configure unattended-upgrades"
+  template:
+    src: "templates/{{ item }}.j2"
+    dest: "/{{ item }}"
+  with_items:
+    - "etc/apt/apt.conf.d/50unattended-upgrades"
+  notify:
+    - "systemctl daemon-reload"
+
+
diff --git a/ansible/templates/etc/apt/apt.cond.d/50unattended-upgrades.j2 b/ansible/templates/etc/apt/apt.cond.d/50unattended-upgrades.j2
@@ -0,0 +1,29 @@
+// {{ ansible_managed }}
+
+Unattended-Upgrade::Allowed-Origins {
+{% if unattended_upgrades.security %}
+"${distro_id} ${distro_codename}-security";
+{% endif %}
+{% if unattended_upgrades.all %}
+
+"${distro_id} stable";
+"${distro_id} ${distro_codename}-updates";
+"LP-PPA-certbot-certbot:${distro_codename}";
+"yarn:stable";
+{% endif %}
+};
+
+Unattended-Upgrade::Package-Blacklist { };
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Automatically reboot *WITHOUT CONFIRMATION*
+//  if the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+Unattended-Upgrade::Automatic-Reboot-Time "04:30";