debops.unattended_upgrades default variables

Main configuration


Enable or disable unattended package upgrades. If disabled, the unattended-upgrades package is not removed if it is installed, and its configuration is restored to default values.

unattended_upgrades__enabled: True

By default, unattended-upgrade only upgrades packages from security repositories. This variable allows you to enable upgrades from all repositories (main, updates, backports).

unattended_upgrades__release: False

List of base APT packages which will be installed by the role.

unattended_upgrades__base_packages: [ 'unattended-upgrades' ]

List of additional APT packages which will be installed by the role.

unattended_upgrades__packages: []

Periodic APT updates


Enable or disable daily execution of the /etc/cron.daily/apt script. This script runs unattended-upgrade, but also performs some other actions which can be useful on their own. Enabling periodic APT runs automatically enables repository updates, but not upgrades.

unattended_upgrades__periodic: '{{ False
                                   if (ansible_local.apt.suite | d() == "archive")
                                   else unattended_upgrades__enabled }}'

Download new versions of installed packages without upgrading.

unattended_upgrades__periodic_download: '{{ unattended_upgrades__periodic }}'

Clean up obsolete and removed packages in APT cache every n days.

unattended_upgrades__periodic_autoclean: '7'

Specify the verbosity level of the /etc/cron.daily/apt script. Supported levels are 0-3; a higher level means higher verbosity. Enabling this option will result in mails from cron with the script output being sent to root.

unattended_upgrades__periodic_verbosity: '0'

Unattended upgrade origin patterns

See unattended_upgrades__origins for more details about how origin entries can be defined.


List of origin patterns which define repositories that will be considered for unattended package upgrades.

unattended_upgrades__origins: []

List of strings which are used to select different origin patterns depending on installed OS and its release. The first found match wins.

  - '{{ ansible_distribution + "_" + (ansible_distribution_release.split("/")[0]) }}'
  - '{{ ansible_distribution }}'
  - 'default'

Map of the security repositories of different Linux distributions.


    - 'o=Debian,n=${distro_codename},l=Debian-Security'
    - 'o=Debian,n=${distro_codename}-security,l=Debian-Security'
    - 'o=${distro_id},n=${distro_codename}-updates'

    - 'o=Devuan,n=${distro_codename}-security,l=Devuan-Security'
    - 'o=Devuan,n=${distro_codename}-updates'

    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-security'
    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-updates'

    - 'o=${distro_id},n=${distro_codename},l=${distro_id}-Security'
    - 'o=${distro_id},n=${distro_codename}-updates'

List of origin patterns that specify the default repositories of the current OS release. Enabled/disabled by the unattended_upgrades__release variable.


    - 'o=${distro_id},n=${distro_codename}'
    - 'o=${distro_id} Backports,n=${distro_codename}-backports'

    - 'o=${distro_id},n=${distro_codename}'
    - 'o=${distro_id} Backports,n=${distro_codename}-backports'

    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}'
    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-backports'

    - 'o=${distro_id},n=${distro_codename}'
    - 'o=${distro_id},n=${distro_codename}-backports'

List of origin patterns which can be used by other Ansible roles to add their own repositories to be automatically upgraded. This list is saved in the remote host Ansible local facts to avoid idempotency loops.

unattended_upgrades__dependent_origins: []
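
How the origin patterns above decide which repositories are upgraded automatically, as an added example that is not part of the role or of unattended-upgrade itself. It is a simplified model: the key letters are read as o=origin, n=codename, a=archive, l=label, values are compared with shell-style globbing, and the repository metadata is constructed for a hypothetical Debian "bookworm" host.

```python
import fnmatch

# Pattern keys and the repository Release field each one refers to.
FIELDS = {"o": "origin", "n": "codename", "a": "archive", "l": "label"}

# Patterns copied from the page: the first group of security patterns
# and the first group of release patterns.
SECURITY = [
    "o=Debian,n=${distro_codename},l=Debian-Security",
    "o=Debian,n=${distro_codename}-security,l=Debian-Security",
    "o=${distro_id},n=${distro_codename}-updates",
]
RELEASE = [
    "o=${distro_id},n=${distro_codename}",
    "o=${distro_id} Backports,n=${distro_codename}-backports",
]

# Constructed sample metadata; "vendor" stands for a third-party repository.
REPOS = {
    "main": {"origin": "Debian", "codename": "bookworm", "label": "Debian"},
    "security": {"origin": "Debian", "codename": "bookworm-security",
                 "label": "Debian-Security"},
    "updates": {"origin": "Debian", "codename": "bookworm-updates", "label": "Debian"},
    "backports": {"origin": "Debian Backports", "codename": "bookworm-backports",
                  "label": "Debian Backports"},
    "vendor": {"origin": "ExampleVendor", "codename": "bookworm",
               "label": "ExampleVendor"},
}

def expand(pattern, distro_id, distro_codename):
    """Substitute the two placeholders used in the patterns."""
    return (pattern.replace("${distro_id}", distro_id)
                   .replace("${distro_codename}", distro_codename))

def matches(pattern, release):
    """True only when every key=value term matches the repository metadata."""
    for term in pattern.split(","):
        key, _, want = term.strip().partition("=")
        field = FIELDS.get(key)
        if field is None:
            return False  # unknown key: refuse rather than match by accident
        if not fnmatch.fnmatchcase(release.get(field, ""), want):
            return False
    return True

def allowed_repos(patterns, repos, distro_id, distro_codename):
    """Names of repositories that at least one expanded pattern selects."""
    expanded = [expand(p, distro_id, distro_codename) for p in patterns]
    return [name for name, rel in repos.items()
            if any(matches(p, rel) for p in expanded)]
```

With only the security patterns, the sample "main", "backports" and "vendor" repositories are left out; adding the release patterns brings in "main" and "backports", while the third-party repository is still excluded until a pattern is added for it.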

Unattended upgrade blacklists

See unattended_upgrades__blacklist for more details about how blacklist entries can be defined.


Default list of APT packages which should not be upgraded automatically.

unattended_upgrades__default_blacklist: []

List of APT packages that won't be upgraded automatically, used on all hosts.

unattended_upgrades__blacklist: []

List of APT packages that won't be upgraded automatically, specific to a group of hosts in Ansible inventory.

unattended_upgrades__group_blacklist: []

List of APT packages that won't be upgraded automatically, host-specific.

unattended_upgrades__host_blacklist: []

List of APT packages that won't be upgraded automatically. This list should be used by other Ansible roles through role dependencies. Its contents will be saved in the remote host Ansible local facts to avoid idempotency loops.

unattended_upgrades__dependent_blacklist: []

Unattended upgrade misc options


Automatically run dpkg --force-confold --configure -a before unattended upgrades to fix any dpkg errors.

unattended_upgrades__auto_fix_interrupted_dpkg: True

The unattended-upgrade script will automatically upgrade packages that require a service restart. To disable this, set the option to False.

unattended_upgrades__ignore_app_require_restart: True

Split the upgrades into the smallest possible steps so that the upgrade process can be interrupted if necessary.

unattended_upgrades__minimal_steps: True

Enable or disable performing unattended upgrades at host shutdown instead of in the background.

unattended_upgrades__install_on_shutdown: False

The email address used as the From: field. If empty, the default specified by /usr/bin/unattended-upgrade is used.

unattended_upgrades__mail_from: ''

List of email addresses to which the unattended-upgrade script will send emails with upgrade results. Specify an empty list to disable.

unattended_upgrades__mail_to: '{{ ansible_local.core.admin_private_email
                                  | d(["root@" + ansible_domain]) }}'

Enable or disable an option to only send mail messages when errors occur during unattended upgrades.

unattended_upgrades__mail_only_on_error: True

Enable or disable automatic removal of unused package dependencies after an unattended upgrade (apt-get autoremove).

unattended_upgrades__remove_unused: False

Automatically reboot the host without confirmation after an unattended upgrade if any packages require it.

unattended_upgrades__auto_reboot: False

Specify the time of the automatic reboot, instead of rebooting immediately.

unattended_upgrades__auto_reboot_time: '{{ "02:30"
                                            if (ansible_virtualization_role in ["host", "NA"])
                                            else ("02:%02d" | format(55 | random(seed=inventory_hostname, start=40))) }}'

Limit the amount of bandwidth used by APT to download packages, in kb/s (kilobytes per second).

unattended_upgrades__bandwidth_limit: ''