From e97776197e8a3c6d9c69850ee050c6b729772bb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Mon, 26 May 2025 12:08:42 +0200
Subject: [PATCH] fix: configure autoupdates for SLUB's local Debian repository
 as well, not just official repos

---
 defaults/main.yml                        |  2 ++
 tasks/configure_autoupdate.yml           | 29 +++++++++++++++++-------
 tasks/configure_package_repositories.yml |  8 +++----
 vars/main.yml                            |  2 ++
 4 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index e41a913..88b52ba 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -9,3 +9,5 @@ exim4_sendonly_password: ''
 exim_name: "{{ 'exim4' if ansible_distribution == 'Debian' else 'exim' }}"
 
 journal_maxsize: "300M"
+
+default_debrepo_url: ""
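Review bot: An empty-string default here does not fail safe: when `vault_debrepo_url` is unset, `debrepo_url` renders as `""`, so the new unattended-upgrades block in tasks/configure_autoupdate.yml writes the pattern `"origin="` and the repository tasks in tasks/configure_package_repositories.yml produce `uris: "/deb-repository"`, and neither task reports an error. Whether `"origin="` matches nothing or matches every package without an `Origin:` field depends on unattended-upgrades' pattern matching, which I cannot confirm from here, and the second reading would let unsigned-origin packages be auto-upgraded. I would either make the default an obviously invalid placeholder and add an `ansible.builtin.assert` that `debrepo_url | length > 0` before the tasks that use it, or guard those tasks with `when: debrepo_url | length > 0` so an unconfigured host simply skips the local repository.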
diff --git a/tasks/configure_autoupdate.yml b/tasks/configure_autoupdate.yml
index 3033439..aa9e20f 100644
--- a/tasks/configure_autoupdate.yml
+++ b/tasks/configure_autoupdate.yml
@@ -1,12 +1,12 @@
 ---
-- name: remove apt-cron autoupdate (Debian)
+- name: Remove apt-cron autoupdate (Debian).
   when: ansible_os_family == "Debian"
   block:
-    - name: Uninstall autoupdate packages (Debian)
+    - name: Uninstall autoupdate packages (Debian).
       ansible.builtin.apt:
         name: 'cron-apt'
         state: absent
-    - name: cron-apt Konfigurationsdateien entfernen
+    - name: cron-apt Konfigurationsdateien entfernen.
       ansible.builtin.file:
         path: "{{ item }}"
         state: absent
@@ -20,11 +20,11 @@
 - name: Install & configure unattended-upgrades (Debian/Ubuntu)
   when: ansible_os_family == "Debian"
   block:
-    - name: install unattended-upgrades
+    - name: Install unattended-upgrades package.
       ansible.builtin.apt:
         name: "unattended-upgrades"
         state: latest
-    - name: configure unattended upgrade conditions
+    - name: Configure unattended-upgrade conditions.
       ansible.builtin.lineinfile:
         path: "/etc/apt/apt.conf.d/10periodic"
         create: true
@@ -34,7 +34,7 @@
         - 'APT::Periodic::Update-Package-Lists "1";'
         - 'APT::Periodic::Unattended-Upgrade "1";'
         - 'APT::Periodic::AutocleanInterval "7";'
-    - name: configure unattended upgrade mail settings
+    - name: Configure unattended-upgrade mail settings.
       ansible.builtin.lineinfile:
         path: "/etc/apt/apt.conf.d/90unattended-upgrades-mail"
         create: true
@@ -47,11 +47,24 @@
     # upgrades to install security upgrades only. We want all updates, so we
     # delete it.
     # (refers to https://git.slub-dresden.de/slub-referat-2-4/sdvuda10/-/commit/4c265c91ffef7775cad8abbe69da35bc398622e9)
-    - name: install all upgrades, not only security patches
+    - name: Restore Apt's default behaviour with regards to automatic upgrades.
       ansible.builtin.file:
         path: "/etc/apt/apt.conf.d/51only-security-upgrades"
         state: absent
-    - name: cleanup after apt
+    # Use `apt-cache policy` to get information for "Origin-Patterns".
+    - name: Install all upgrades, not only security patches, including SLUB's local Debian package server.
+      ansible.builtin.blockinfile:
+        path: "/etc/apt/apt.conf.d/52unattended-upgrades-local"
+        create: true
+        mode: "0o644"
+        block: |
+          Unattended-Upgrade::Origins-Pattern {
+            "origin=Debian,codename=${distro_codename},label=Debian";
+            "origin=Debian,codename=${distro_codename},label=Debian-Security";
+            "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
+            "origin={{ debrepo_url }}";
+          };
+    - name: Cleanup after apt.
       ansible.builtin.lineinfile:
         path: "/etc/apt/apt.conf.d/50unattended-upgrades"
         create: true
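Review bot: In the Origins-Pattern block, `"origin={{ debrepo_url }}"` compares the repository URL against the `Origin:` field of the repository's Release file, not against its location, so it will only match if that Release file literally sets `Origin:` to the URL; the `apt-cache policy` comment above the task hints that the intended value is the `o=` field shown there. If the local repository should be selected by host instead, the `site=` key is the one that matches the hostname, e.g. `"site={{ debrepo_url | urlsplit('hostname') }}"`, and the trailing slash handling of `debrepo_url` should be settled first. The three Debian entries duplicate what 50unattended-upgrades already declares, since apt list options accumulate across files rather than replace each other, which is harmless but worth a comment so nobody assumes this file is the complete policy. Minor: `mode: "0o644"` is unusual for Ansible, whose documented form is `"0644"`; it presumably works only because the value is parsed as base 8, so I would use the documented form. The enclosing block continues outside the hunk.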
diff --git a/tasks/configure_package_repositories.yml b/tasks/configure_package_repositories.yml
index 1bf3f99..a686de8 100644
--- a/tasks/configure_package_repositories.yml
+++ b/tasks/configure_package_repositories.yml
@@ -6,12 +6,12 @@
         REMOVE custom repo GPG key for SLUB's Debian repo
         (apt-key deprecated)
       ansible.builtin.apt_key:
-        url: "{{ vault_debrepo_url }}deb-repository/pub.gpg.key"
+        url: "{{ debrepo_url }}/deb-repository/pub.gpg.key"
         state: absent
 
     - name: REMOVE SLUB's custom Debian repo (legacy repo format)
       ansible.builtin.apt_repository:
-        repo: "deb {{ vault_debrepo_url }}deb-repository {{ ansible_lsb.codename }} main"
+        repo: "deb {{ debrepo_url }}/deb-repository {{ ansible_lsb.codename }} main"
         state: absent
     - name: >
         REMOVE files associated with SLUB's custom Debian repo (legacy repo
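Review bot: The slash convention changed silently: the old code joined `{{ vault_debrepo_url }}deb-repository`, so existing vault values end with `/`, while the new `{{ debrepo_url }}/deb-repository` assumes no trailing slash and yields `//deb-repository` for those values (same issue in the `signed_by` and `uris` lines of the second hunk of this file). Apt and most HTTP servers tolerate the double slash, but the `state: absent` removals here compare the rendered `repo:` string against what was previously written, so a mismatch leaves the legacy entry in place. I would normalise once at the join point, `url: "{{ debrepo_url | regex_replace('/+$', '') }}/deb-repository/pub.gpg.key"`, or state the no-trailing-slash rule next to `default_debrepo_url` in defaults/main.yml.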
@@ -42,9 +42,9 @@
             enabled: true
             name: "slub"
             pdiffs: true
-            signed_by: "{{ vault_debrepo_url }}deb-repository/pub.gpg.key"
+            signed_by: "{{ debrepo_url }}/deb-repository/pub.gpg.key"
             suites: "{{ (ansible_distribution == 'Ubuntu') | ternary(releasenames[ansible_lsb.codename], ansible_lsb.codename) }}"
-            uris: "{{ vault_debrepo_url }}deb-repository"
+            uris: "{{ debrepo_url }}/deb-repository"
           notify: update package cache
         - name: >
             Flush handlers (we can't wait for the handler to fire if we want to
diff --git a/vars/main.yml b/vars/main.yml
index 59edfc8..c9b3b06 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,4 @@
 ---
 journal_maxsize: "300M"
+
+debrepo_url: "{{ vault_debrepo_url | default(default_debrepo_url) }}"
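Review bot: `default(default_debrepo_url)` only applies when `vault_debrepo_url` is undefined; a vault entry that exists but is empty passes through as `""`. If the fallback is meant to cover that case too, use `default(default_debrepo_url, true)`, which treats empty and false values as undefined. Since this lives in vars/, it takes precedence over inventory and host_vars, so a reader should know that `debrepo_url` cannot be overridden directly and that `vault_debrepo_url` is the intended input; a one-line comment above the key, `# Derived; set vault_debrepo_url (no trailing slash) to override.`, would make that explicit.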
-- 
GitLab