debops.unattended_upgrades default variables

Main configuration

unattended_upgrades__enabled

Enable or disable unattended package upgrades. If disabled, the unattended-upgrades package won't be removed if it's installed, and its configuration will be restored to default values.

unattended_upgrades__enabled: True
unattended_upgrades__release

By default, unattended-upgrade performs only upgrades of packages from security repositories. This variable allows you to enable upgrades from all repositories (main, updates, backports).

unattended_upgrades__release: False
unattended_upgrades__base_packages

List of base APT packages which will be installed by the role.

unattended_upgrades__base_packages: [ 'unattended-upgrades' ]
unattended_upgrades__packages

List of additional APT packages which will be installed by the role.

unattended_upgrades__packages: []

Periodic APT updates

unattended_upgrades__periodic

Enable or disable daily execution of the /etc/cron.daily/apt script. This script runs unattended-upgrade, but also performs some other actions which can be useful on their own. Enabling periodic APT runs automatically enables repository updates, but not upgrades.

unattended_upgrades__periodic: '{{ False
                                   if (ansible_local.apt.suite | d() == "archive")
                                   else unattended_upgrades__enabled }}'
unattended_upgrades__periodic_download

Download new versions of installed packages without upgrading.

unattended_upgrades__periodic_download: '{{ unattended_upgrades__periodic }}'
unattended_upgrades__periodic_autoclean

Clean up obsolete and removed packages in APT cache every n days.

unattended_upgrades__periodic_autoclean: '7'
unattended_upgrades__periodic_verbosity

Specify the verbosity level of the /etc/cron.daily/apt script. Supported levels are 0-3; a higher level means higher verbosity. Enabling this option will result in mails from cron with the script output being sent to root.

unattended_upgrades__periodic_verbosity: '0'

Unattended upgrade origin patterns

See unattended_upgrades__origins for more details about how origin entries can be defined.

unattended_upgrades__origins

List of origin patterns which define repositories that will be considered for unattended package upgrades.

unattended_upgrades__origins: []
unattended_upgrades__origins_lookup

List of strings which are used to select different origin patterns depending on installed OS and its release. The first found match wins.

unattended_upgrades__origins_lookup:
  - '{{ ansible_distribution + "_" + (ansible_distribution_release.split("/")[0]) }}'
  - '{{ ansible_distribution }}'
  - 'default'
unattended_upgrades__security_origins

Map of the security repositories of different Linux distributions.

unattended_upgrades__security_origins:

  # https://www.debian.org/security/
  'Debian':
    - 'o=Debian,n=${distro_codename},l=Debian-Security'
    - 'o=Debian,n=${distro_codename}-security,l=Debian-Security'
    - 'o=${distro_id},n=${distro_codename}-updates'

  # https://www.devuan.org/
  'Devuan':
    - 'o=Devuan,n=${distro_codename}-security,l=Devuan-Security'
    - 'o=Devuan,n=${distro_codename}-updates'

  # https://www.ubuntu.com/usn/
  'Ubuntu':
    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-security'
    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-updates'

  'default':
    - 'o=${distro_id},n=${distro_codename},l=${distro_id}-Security'
    - 'o=${distro_id},n=${distro_codename}-updates'
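
An added example (not code from DebOps or from unattended-upgrades) that models how the lookup keys select one list of origin patterns and how each pattern is then checked against a repository's Release metadata. It assumes every comma-separated term of a pattern must glob-match and that one matching pattern makes a repository eligible; the helper names and the sample repositories are constructed for illustration.

```python
import fnmatch
from string import Template

# Assumption: simplified model. Short pattern keys mapped to Release-file fields.
FIELDS = {"o": "origin", "l": "label", "a": "archive", "n": "codename"}

# Two entries of unattended_upgrades__security_origins, copied from the defaults.
SECURITY_ORIGINS = {
    "Debian": ["o=Debian,n=${distro_codename},l=Debian-Security",
               "o=Debian,n=${distro_codename}-security,l=Debian-Security",
               "o=${distro_id},n=${distro_codename}-updates"],
    "default": ["o=${distro_id},n=${distro_codename},l=${distro_id}-Security",
                "o=${distro_id},n=${distro_codename}-updates"],
}

# Constructed Release metadata for four repositories (not real apt output).
REPOS = [
    {"origin": "Debian", "label": "Debian-Security", "codename": "bookworm-security"},
    {"origin": "Debian", "label": "Debian", "codename": "bookworm-updates"},
    {"origin": "Debian", "label": "Debian", "codename": "bookworm"},
    {"origin": "Example Vendor", "label": "example", "codename": "bookworm"},
]

def select_origins(origin_map, distro_id, codename):
    """Try the lookup keys in order; the first key found in the map wins."""
    for key in (f"{distro_id}_{codename}", distro_id, "default"):
        if key in origin_map:
            return [Template(p).substitute(distro_id=distro_id, distro_codename=codename)
                    for p in origin_map[key]]
    return []

def pattern_matches(pattern, repo):
    """All key=value terms of one pattern must glob-match the repository."""
    for term in pattern.split(","):
        key, value = (s.strip() for s in term.split("=", 1))
        if not fnmatch.fnmatch(repo.get(FIELDS[key], ""), value):
            return False
    return True

def eligible(distro_id, codename, repos=REPOS):
    """(origin, codename) of each repository admitted by at least one pattern."""
    patterns = select_origins(SECURITY_ORIGINS, distro_id, codename)
    return [(r["origin"], r["codename"]) for r in repos
            if any(pattern_matches(p, r) for p in patterns)]

if __name__ == "__main__":
    print(eligible("Debian", "bookworm"))
```

With the security origins alone, the main archive and the third-party repository in the sample are left out even though they share the release codename, because the label or origin term fails to match.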
unattended_upgrades__release_origins

List of origin patterns that specify the default repositories of the current OS release. Enabled/disabled by the unattended_upgrades__release variable.

unattended_upgrades__release_origins:

  'Debian':
    - 'o=${distro_id},n=${distro_codename}'
    - 'o=${distro_id} Backports,n=${distro_codename}-backports'

  'Devuan':
    - 'o=${distro_id},n=${distro_codename}'
    - 'o=${distro_id} Backports,n=${distro_codename}-backports'

  'Ubuntu':
    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}'
    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-backports'

  'default':
    - 'o=${distro_id},n=${distro_codename}'
    - 'o=${distro_id},n=${distro_codename}-backports'
unattended_upgrades__dependent_origins

List of origin patterns which can be used by other Ansible roles to add their own repositories to be automatically upgraded. This list is saved in the remote host Ansible local facts to avoid idempotency loops.

unattended_upgrades__dependent_origins: []

Unattended upgrade blacklists

See unattended_upgrades__blacklist for more details about how blacklist entries can be defined.

unattended_upgrades__default_blacklist

Default list of APT packages which should not be upgraded automatically.

unattended_upgrades__default_blacklist: []
unattended_upgrades__blacklist

List of APT packages that won't be upgraded automatically, used on all hosts.

unattended_upgrades__blacklist: []
unattended_upgrades__group_blacklist

List of APT packages that won't be upgraded automatically, specific to a group of hosts in Ansible inventory.

unattended_upgrades__group_blacklist: []
unattended_upgrades__host_blacklist

List of APT packages that won't be upgraded automatically, host-specific.

unattended_upgrades__host_blacklist: []
unattended_upgrades__dependent_blacklist

List of APT packages that won't be upgraded automatically. This list should be used by other Ansible roles through role dependencies. Its contents will be saved in the remote host Ansible local facts to avoid idempotency loops.

unattended_upgrades__dependent_blacklist: []

Unattended upgrade misc options

unattended_upgrades__auto_fix_interrupted_dpkg

Automatically run dpkg --force-confold --configure -a before unattended upgrades to fix any dpkg errors.

unattended_upgrades__auto_fix_interrupted_dpkg: True
unattended_upgrades__ignore_app_require_restart

The unattended-upgrade script will automatically upgrade packages that require a service restart. To disable this, set the option to False.

unattended_upgrades__ignore_app_require_restart: True
unattended_upgrades__minimal_steps

Split the upgrades into the smallest possible steps so that the upgrade process can be interrupted if necessary.

unattended_upgrades__minimal_steps: True
unattended_upgrades__install_on_shutdown

Enable or disable performing unattended upgrades at host shutdown instead of performing them in the background.

unattended_upgrades__install_on_shutdown: False
unattended_upgrades__mail_from

The email address used as the From: field. If empty, the default specified by /usr/bin/unattended-upgrade is used.

unattended_upgrades__mail_from: ''
unattended_upgrades__mail_to

List of email addresses to which the unattended-upgrade script will send emails with upgrade results. Specify an empty list to disable.

unattended_upgrades__mail_to: '{{ ansible_local.core.admin_private_email
                                  | d(["root@" + ansible_domain]) }}'
unattended_upgrades__mail_only_on_error

Enable or disable an option to only send mail messages when errors occur during unattended upgrades.

unattended_upgrades__mail_only_on_error: True
unattended_upgrades__remove_unused

Enable or disable automatic removal of the unused package dependencies after unattended upgrade (apt-get autoremove).

unattended_upgrades__remove_unused: False
unattended_upgrades__auto_reboot

Automatically reboot the host without confirmation after unattended upgrade if any packages require it.

unattended_upgrades__auto_reboot: False
unattended_upgrades__auto_reboot_time

Specify the time at which the automatic reboot is performed, instead of rebooting immediately.

unattended_upgrades__auto_reboot_time: '{{ "02:30"
                                            if (ansible_virtualization_role in ["host", "NA"])
                                            else ("02:%02d" | format(55 | random(seed=inventory_hostname, start=40))) }}'
unattended_upgrades__bandwidth_limit

Limit the amount of bandwidth used by APT to download packages, in kb/s (kilobytes per second).

unattended_upgrades__bandwidth_limit: ''