Add system.autoupdates state (#61)
* Add support for autoupdates
Only Debian-based systems are supported for now
(through the unattended-upgrades package)
* Fix test on system.autoupdates.pkgs
diff --git a/README.rst b/README.rst
index c96ac59..cf61802 100644
--- a/README.rst
+++ b/README.rst
@@ -91,6 +91,21 @@
repo: 'custom-repo'
verify: false
+Linux with autoupdates (automatically install security package updates)
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ ...
+ autoupdates:
+ enabled: true
+ mail: root@localhost
+ mail_only_on_error: true
+ remove_unused_dependencies: false
+ automatic_reboot: true
+ automatic_reboot_time: "02:00"
+
Linux with cron jobs
.. code-block:: yaml
diff --git a/linux/files/90autoupdates b/linux/files/90autoupdates
new file mode 100644
index 0000000..d5da285
--- /dev/null
+++ b/linux/files/90autoupdates
@@ -0,0 +1,29 @@
+{%- set autoupdates = salt['pillar.get']('linux:system:autoupdates') %}
+
+{%- if autoupdates.enabled %}
+APT::Periodic::Enable "1";
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+{%- else %}
+APT::Periodic::Unattended-Upgrade "0";
+{%- endif %}
+
+{%- if autoupdates.mail is defined %}
+Unattended-Upgrade::Mail "{{ autoupdates.mail }}";
+{%- endif %}
+
+{%- if autoupdates.mail_only_on_error is defined %}
+Unattended-Upgrade::MailOnlyOnError "{{ "true" if autoupdates.mail_only_on_error else "false"}}";
+{%- endif %}
+
+{%- if autoupdates.remove_unused_dependencies is defined %}
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ "true" if autoupdates.remove_unused_dependencies else "false"}}";
+{%- endif %}
+
+{%- if autoupdates.automatic_reboot is defined %}
+Unattended-Upgrade::Automatic-Reboot "{{ "true" if autoupdates.automatic_reboot else "false"}}";
+{%- endif %}
+
+{%- if autoupdates.automatic_reboot_time is defined %}
+Unattended-Upgrade::Automatic-Reboot-Time "{{ autoupdates.automatic_reboot_time }}";
+{%- endif %}
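Review bot: `autoupdates.mail` and `autoupdates.automatic_reboot_time` are placed inside quoted apt.conf values exactly as they arrive from pillar, so a value containing `"` or `;` changes how apt parses the rest of this file, and an unquoted `02:00` in pillar is loaded by YAML 1.1 parsers as the integer 120 and would be rendered as `"120"`. Validate the reboot time against an HH:MM pattern before emitting it, and add a template comment such as `{#- automatic_reboot_time must be a quoted "HH:MM" string in pillar #}`. The template also re-reads raw pillar with `salt['pillar.get']` instead of the merged `system.autoupdates` map that autoupdates.sls uses, so the `enabled: False` default from map.jinja never reaches it; it presumably reaches the `else` branch only because an undefined attribute is falsy. Nothing here sets `Unattended-Upgrade::Allowed-Origins` or `Origins-Pattern`, so the README's "security package updates" holds only as far as the distribution's own unattended-upgrades configuration restricts origins, which deserves a header comment.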
diff --git a/linux/map.jinja b/linux/map.jinja
index c2cfc7c..79847c2 100644
--- a/linux/map.jinja
+++ b/linux/map.jinja
@@ -10,6 +10,10 @@
'motd': {},
'repo': {},
'package': {},
+ 'autoupdates': {
+ 'enabled': False,
+ 'pkgs': []
+ },
'selinux': 'permissive',
'ca_certs_dir': '/usr/local/share/ca-certificates',
'doc_validity_pkgs': ['python-yaml'],
@@ -25,6 +29,10 @@
'motd': {},
'repo': {},
'package': {},
+ 'autoupdates': {
+ 'enabled': False,
+ 'pkgs': ['unattended-upgrades']
+ },
'selinux': 'permissive',
'ca_certs_dir': '/usr/local/share/ca-certificates',
'doc_validity_pkgs': ['python-yaml'],
@@ -40,6 +48,10 @@
'motd': {},
'repo': {},
'package': {},
+ 'autoupdates': {
+ 'enabled': False,
+ 'pkgs': []
+ },
'selinux': 'permissive',
'ca_certs_dir': '/usr/local/share/ca-certificates',
'doc_validity_pkgs': ['PyYAML'],
diff --git a/linux/system/autoupdates.sls b/linux/system/autoupdates.sls
new file mode 100644
index 0000000..708f429
--- /dev/null
+++ b/linux/system/autoupdates.sls
@@ -0,0 +1,24 @@
+{%- from "linux/map.jinja" import system with context %}
+{%- if system.enabled %}
+
+{%- if system.autoupdates is defined %}
+
+{%- if system.autoupdates.pkgs %}
+linux_autoupdates_packages:
+ pkg.installed:
+ - pkgs: {{ system.autoupdates.pkgs }}
+{%- endif %}
+
+{%- if grains.os_family == 'Debian' %}
+/etc/apt/apt.conf.d/90autoupdates:
+ file.managed:
+ - source: salt://linux/files/90autoupdates
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+{%- endif %}
+
+{%- endif %}
+
+{%- endif %}
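Review bot: `linux_autoupdates_packages` is gated only on `system.autoupdates.pkgs` being non-empty, and the map.jinja hunks in this commit appear to give that key a default of `['unattended-upgrades']` for one OS family, so the package would be installed on those minions even when `enabled` stays `False`. If the feature is meant to be opt-in, gate the install as `{%- if system.autoupdates.enabled and system.autoupdates.pkgs %}`. With those same defaults `system.autoupdates is defined` looks always true, both here and in the include added to linux/system/init.sls, so that guard no longer selects anything. Quote the file mode as `- mode: '0644'` so it cannot be retyped by the YAML loader.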
diff --git a/linux/system/init.sls b/linux/system/init.sls
index fb1b34d..6cb9bd9 100644
--- a/linux/system/init.sls
+++ b/linux/system/init.sls
@@ -6,6 +6,9 @@
{%- if system.pkgs|length > 0 %}
- linux.system.package
{%- endif %}
+{%- if system.autoupdates is defined %}
+- linux.system.autoupdates
+{%- endif %}
{%- if system.timezone is defined %}
- linux.system.timezone
{%- endif %}
@@ -71,4 +74,4 @@
{%- endif %}
{%- if system.config is defined %}
- linux.system.config
-{%- endif %}
\ No newline at end of file
+{%- endif %}