fix: configure autoupdates for SLUB's local Debian repository as well, not just official repos

defaults/main.yml

@@ -9,3 +9,5 @@ exim4_sendonly_password: ''
 exim_name: "{{ 'exim4' if ansible_distribution == 'Debian' else 'exim' }}"
 
 journal_maxsize: "300M"
+
+default_debrepo_url: ""

tasks/configure_autoupdate.yml

 ---
-- name: remove apt-cron autoupdate (Debian)
+- name: Remove apt-cron autoupdate (Debian).
   when: ansible_os_family == "Debian"
   block:
-    - name: Uninstall autoupdate packages (Debian)
+    - name: Uninstall autoupdate packages (Debian).
       ansible.builtin.apt:
         name: 'cron-apt'
         state: absent
-    - name: cron-apt Konfigurationsdateien entfernen
+    - name: cron-apt Konfigurationsdateien entfernen.
       ansible.builtin.file:
         path: "{{ item }}"
         state: absent
@@ -20,11 +20,11 @@
 - name: Install & configure unattended-upgrades (Debian/Ubuntu)
   when: ansible_os_family == "Debian"
   block:
-    - name: install unattended-upgrades
+    - name: Install unattended-upgrades package.
       ansible.builtin.apt:
         name: "unattended-upgrades"
         state: latest
-    - name: configure unattended upgrade conditions
+    - name: Configure unattended-upgrade conditions.
       ansible.builtin.lineinfile:
         path: "/etc/apt/apt.conf.d/10periodic"
         create: true
@@ -34,7 +34,7 @@
         - 'APT::Periodic::Update-Package-Lists "1";'
         - 'APT::Periodic::Unattended-Upgrade "1";'
         - 'APT::Periodic::AutocleanInterval "7";'
-    - name: configure unattended upgrade mail settings
+    - name: Configure unattended-upgrade mail settings.
       ansible.builtin.lineinfile:
         path: "/etc/apt/apt.conf.d/90unattended-upgrades-mail"
         create: true
@@ -47,11 +47,24 @@
     # upgrades to install security upgrades only. We want all updates, so we
     # delete it.
     # (refers to https://git.slub-dresden.de/slub-referat-2-4/sdvuda10/-/commit/4c265c91ffef7775cad8abbe69da35bc398622e9)
-    - name: install all upgrades, not only security patches
+    - name: Restore Apt's default behaviour with regards to automatic upgrades.
       ansible.builtin.file:
         path: "/etc/apt/apt.conf.d/51only-security-upgrades"
         state: absent
-    - name: cleanup after apt
+    # Use `apt-cache policy` to get information for "Origin-Patterns".
+    - name: Install all upgrades, not only security patches, including SLUB's local Debian package server.
+      ansible.builtin.blockinfile:
+        path: "/etc/apt/apt.conf.d/52unattended-upgrades-local"
+        create: true
+        mode: "0o644"
+        block: |
+          Unattended-Upgrade::Origins-Pattern {
+            "origin=Debian,codename=${distro_codename},label=Debian";
+            "origin=Debian,codename=${distro_codename},label=Debian-Security";
+            "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
+            "origin={{ debrepo_url }}";
+          };
+    - name: Cleanup after apt.
       ansible.builtin.lineinfile:
         path: "/etc/apt/apt.conf.d/50unattended-upgrades"
         create: true

tasks/configure_package_repositories.yml

@@ -6,12 +6,12 @@
         REMOVE custom repo GPG key for SLUB's Debian repo
         (apt-key deprecated)
       ansible.builtin.apt_key:
-        url: "{{ vault_debrepo_url }}deb-repository/pub.gpg.key"
+        url: "{{ debrepo_url }}/deb-repository/pub.gpg.key"
         state: absent
 
     - name: REMOVE SLUB's custom Debian repo (legacy repo format)
       ansible.builtin.apt_repository:
-        repo: "deb {{ vault_debrepo_url }}deb-repository {{ ansible_lsb.codename }} main"
+        repo: "deb {{ debrepo_url }}/deb-repository {{ ansible_lsb.codename }} main"
         state: absent
     - name: >
         REMOVE files associated with SLUB's custom Debian repo (legacy repo
@@ -42,9 +42,9 @@
             enabled: true
             name: "slub"
             pdiffs: true
-            signed_by: "{{ vault_debrepo_url }}deb-repository/pub.gpg.key"
+            signed_by: "{{ debrepo_url }}/deb-repository/pub.gpg.key"
             suites: "{{ (ansible_distribution == 'Ubuntu') | ternary(releasenames[ansible_lsb.codename], ansible_lsb.codename) }}"
-            uris: "{{ vault_debrepo_url }}deb-repository"
+            uris: "{{ debrepo_url }}/deb-repository"
           notify: update package cache
         - name: >
             Flush handlers (we can't wait for the handler to fire if we want to

vars/main.yml

 ---
 journal_maxsize: "300M"
+
+debrepo_url: "{{ vault_debrepo_url | default(default_debrepo_url) }}"