infra/roles/base/tasks/unattended_upgrades.yml

---
- name: Install unattended-upgrades
  ansible.builtin.apt:
    name:
      - unattended-upgrades
      - apt-listchanges
    state: present

- name: Configure unattended-upgrades
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    content: |
      Unattended-Upgrade::Allowed-Origins {
          "${distro_id}:${distro_codename}-security";
          "${distro_id}ESMApps:${distro_codename}-apps-security";
          "${distro_id}ESM:${distro_codename}-infra-security";
      };

      // Automatically reboot if required (kernel updates etc.)
      Unattended-Upgrade::Automatic-Reboot "false";

      // Remove unused dependencies
      Unattended-Upgrade::Remove-Unused-Dependencies "true";
      Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

      // Send email on errors (optional — comment out if no mail)
      // Unattended-Upgrade::Mail "admin@csrx.ru";

      // Minimum age of packages before auto-removing
      Unattended-Upgrade::MinimalSteps "true";      
    mode: "0644"

- name: Enable automatic upgrades
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::AutocleanInterval "7";      
    mode: "0644"

- name: Ensure unattended-upgrades service is running
  ansible.builtin.systemd:
    name: unattended-upgrades
    state: started
    enabled: true