From 9512a274839f081f463ca79c9edbfcaa9d65057e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 11:26:15 +0000 Subject: [PATCH 01/10] feat: add configurable unattended reboot hooks Agent-Logs-Url: https://github.com/aboutbits/ansible-base/sessions/8c25a300-3b5f-4ba7-82b6-f752ab3257dd Co-authored-by: alexlanz <3337260+alexlanz@users.noreply.github.com> --- defaults/main.yml | 4 +++- readme.md | 2 ++ tasks/main.yml | 55 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 60 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 426bb6f..a5781dc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,2 +1,4 @@ --- -base_timezone: 'Europe/Rome' \ No newline at end of file +base_timezone: 'Europe/Rome' +base_unattended_reboot_time: '05:00' +base_unattended_add_k3s_drain_hook: false diff --git a/readme.md b/readme.md index daaede9..822ac9d 100644 --- a/readme.md +++ b/readme.md @@ -6,6 +6,8 @@ Base setup of a server. ## Role Variables - `base_timezone`: Timezone to configure on the host +- `base_unattended_reboot_time`: Time when unattended-upgrades should reboot if needed (default: `"05:00"`) +- `base_unattended_add_k3s_drain_hook`: Whether to install a k3s drain pre-reboot hook (default: `false`) ## Example Playbook diff --git a/tasks/main.yml b/tasks/main.yml index c722be7..dfe552b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -23,3 +23,58 @@ owner: root group: root mode: '0644' + +- name: Create unattended-upgrades pre-reboot hooks directory + ansible.builtin.file: + path: /etc/unattended-upgrades/pre-reboot-hooks.d + state: directory + owner: root + group: root + mode: '0755' + +- name: Deploy unattended-upgrades pre-reboot hooks runner + ansible.builtin.copy: + dest: /usr/local/bin/unattended-pre-reboot-hooks.sh + owner: root + group: root + mode: '0755' + content: | + #!/bin/bash + set -euo pipefail + hook_dir="/etc/unattended-upgrades/pre-reboot-hooks.d" + for hook in "${hook_dir}"/*; do + [ -f "$hook" ] || continue + [ -x "$hook" ] || continue + "$hook" + done + +- name: Deploy k3s pre-reboot drain hook + ansible.builtin.copy: + dest: /etc/unattended-upgrades/pre-reboot-hooks.d/10-k3s-drain + owner: root + group: root + mode: '0755' + content: | + #!/bin/bash + k3s kubectl drain "$(hostname)" \ + --ignore-daemonsets \ + --delete-emptydir-data \ + --timeout=120s + when: base_unattended_add_k3s_drain_hook + +- name: Remove k3s pre-reboot drain hook when disabled + ansible.builtin.file: + path: /etc/unattended-upgrades/pre-reboot-hooks.d/10-k3s-drain + state: absent + when: not base_unattended_add_k3s_drain_hook + +- name: Configure unattended-upgrades reboot behavior + ansible.builtin.blockinfile: + path: /etc/apt/apt.conf.d/50unattended-upgrades + create: true + marker: "// {mark} ANSIBLE MANAGED REBOOT SETTINGS" + block: | + Unattended-Upgrade::Automatic-Reboot "true"; + Unattended-Upgrade::Automatic-Reboot-WithUsers "false"; + Unattended-Upgrade::Automatic-Reboot-Time "{{ base_unattended_reboot_time }}"; + Unattended-Upgrade::Pre-Reboot-Hook "/usr/local/bin/unattended-pre-reboot-hooks.sh"; From 69ce22b614f0866d264b77a499c53c499d696b01 Mon Sep 17 00:00:00 2001 
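Review bot: I do not recognise `Unattended-Upgrade::Pre-Reboot-Hook`, written in the last line of the `blockinfile` block, as a key that unattended-upgrades reads, so please confirm it against the package version on the target hosts before relying on it. apt does not complain about configuration keys that nothing consumes, so if the key is unsupported the runner and the k3s drain hook are never called and the node reboots undrained with no error anywhere. In that case the drain has to be triggered another way, for example from a systemd unit ordered before shutdown. A comment above the block such as `# Pre-Reboot-Hook: verified on <distro / package version>` would record the check.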
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 11:27:02 +0000 Subject: [PATCH 02/10] fix: harden unattended pre-reboot hook execution Agent-Logs-Url: https://github.com/aboutbits/ansible-base/sessions/8c25a300-3b5f-4ba7-82b6-f752ab3257dd Co-authored-by: alexlanz <3337260+alexlanz@users.noreply.github.com> --- tasks/main.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index dfe552b..7d99fd8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -40,12 +40,15 @@ mode: '0755' content: | #!/bin/bash - set -euo pipefail + set -uo pipefail + shopt -s nullglob hook_dir="/etc/unattended-upgrades/pre-reboot-hooks.d" for hook in "${hook_dir}"/*; do [ -f "$hook" ] || continue [ -x "$hook" ] || continue - "$hook" + if ! "$hook"; then + echo "Pre-reboot hook failed: $hook" >&2 + fi done - name: Deploy k3s pre-reboot drain hook @@ -56,10 +59,15 @@ mode: '0755' content: | #!/bin/bash - k3s kubectl drain "$(hostname)" \ + node_name="$(hostname)" + if ! k3s kubectl get node "${node_name}" >/dev/null 2>&1; then + echo "k3s node not found: ${node_name}" >&2 + exit 0 + fi + k3s kubectl drain "${node_name}" \ --ignore-daemonsets \ --delete-emptydir-data \ - --timeout=120s + --timeout=120s || echo "k3s drain failed for node: ${node_name}" >&2 when: base_unattended_add_k3s_drain_hook - name: Remove k3s pre-reboot drain hook when disabled From c68aa202c27b02299da6d60633ded2758aad5256 Mon Sep 17 00:00:00 2001 
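Review bot: The runner loop executes every executable regular file in `/etc/unattended-upgrades/pre-reboot-hooks.d` as root and checks only `-f` and `-x`, never who owns the file. The directory is created root-owned with mode `0755`, which keeps other users from adding files, but a hook deployed there with the wrong owner or a group/world-writable mode would still be run. Adding `[ -O "$hook" ] || continue` after the `-x` test, and skipping files that are group- or world-writable, would keep the runner safe even when a file's permissions are wrong. The task that carries this script starts above the hunk.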
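Review bot: Nothing in the rewritten hook, or elsewhere in this patch, uncordons the node after the reboot; `kubectl drain` marks the node unschedulable and that state survives the restart. With unattended reboots, every node that drains successfully would stay `SchedulingDisabled` until someone runs `k3s kubectl uncordon` by hand, which gradually shrinks cluster capacity. Consider pairing the hook with a boot-time step that uncordons the node once k3s is up, and describe the behaviour in the readme. The script also assumes `$(hostname)` equals the k3s node name, which holds only when k3s was not started with a custom node name.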
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 11:28:00 +0000 Subject: [PATCH 03/10] feat: add configurable pre-reboot hook failure and drain options Agent-Logs-Url: https://github.com/aboutbits/ansible-base/sessions/8c25a300-3b5f-4ba7-82b6-f752ab3257dd Co-authored-by: alexlanz <3337260+alexlanz@users.noreply.github.com> --- defaults/main.yml | 3 +++ readme.md | 3 +++ tasks/main.yml | 10 +++++++++- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index a5781dc..7793666 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,3 +2,6 @@ base_timezone: 'Europe/Rome' base_unattended_reboot_time: '05:00' base_unattended_add_k3s_drain_hook: false +base_unattended_pre_reboot_hooks_fail_on_error: false +base_unattended_k3s_drain_timeout: '120s' +base_unattended_k3s_drain_delete_emptydir_data: true diff --git a/readme.md b/readme.md index 822ac9d..b9208e6 100644 --- a/readme.md +++ b/readme.md @@ -8,6 +8,9 @@ Base setup of a server. - `base_timezone`: Timezone to configure on the host - `base_unattended_reboot_time`: Time when unattended-upgrades should reboot if needed (default: `"05:00"`) - `base_unattended_add_k3s_drain_hook`: Whether to install a k3s drain pre-reboot hook (default: `false`) +- `base_unattended_pre_reboot_hooks_fail_on_error`: Whether pre-reboot hook failures should stop the reboot hook runner (default: `false`) +- `base_unattended_k3s_drain_timeout`: Timeout for `k3s kubectl drain` in the optional k3s hook (default: `"120s"`) +- `base_unattended_k3s_drain_delete_emptydir_data`: Whether the optional k3s hook passes `--delete-emptydir-data` to drain (default: `true`) ## Example Playbook diff --git a/tasks/main.yml b/tasks/main.yml index 7d99fd8..e2b0e4a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -43,13 +43,19 @@ set -uo pipefail shopt -s nullglob hook_dir="/etc/unattended-upgrades/pre-reboot-hooks.d" + fail_on_error="{{ base_unattended_pre_reboot_hooks_fail_on_error | lower }}" + hook_failed=0 for hook in "${hook_dir}"/*; do [ -f "$hook" ] || continue [ -x "$hook" ] || continue if ! "$hook"; then echo "Pre-reboot hook failed: $hook" >&2 + hook_failed=1 fi done + if [ "${hook_failed}" -ne 0 ] && [ "${fail_on_error}" = "true" ]; then + exit 1 + fi - name: Deploy k3s pre-reboot drain hook ansible.builtin.copy: @@ -66,8 +72,10 @@ fi k3s kubectl drain "${node_name}" \ --ignore-daemonsets \ + {% if base_unattended_k3s_drain_delete_emptydir_data %} --delete-emptydir-data \ - --timeout=120s || echo "k3s drain failed for node: ${node_name}" >&2 + {% endif %} + --timeout={{ base_unattended_k3s_drain_timeout }} || echo "k3s drain failed for node: ${node_name}" >&2 when: base_unattended_add_k3s_drain_hook - name: Remove k3s pre-reboot drain hook when disabled From 9c0590eab978bf68e7beca8d77b219158bbba2db Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 May 2026 11:28:42 +0000 Subject: [PATCH 04/10] fix: propagate k3s drain failures to hook runner Agent-Logs-Url: https://github.com/aboutbits/ansible-base/sessions/8c25a300-3b5f-4ba7-82b6-f752ab3257dd Co-authored-by: alexlanz <3337260+alexlanz@users.noreply.github.com> --- tasks/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index e2b0e4a..f8c6806 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -43,7 +43,7 @@ set -uo pipefail shopt -s nullglob hook_dir="/etc/unattended-upgrades/pre-reboot-hooks.d" - fail_on_error="{{ base_unattended_pre_reboot_hooks_fail_on_error | lower }}" + fail_on_error="{{ base_unattended_pre_reboot_hooks_fail_on_error | bool | ternary('true', 'false') }}" hook_failed=0 for hook in "${hook_dir}"/*; do [ -f "$hook" ] || continue 
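Review bot: `--timeout={{ base_unattended_k3s_drain_timeout }}` interpolates a role variable unquoted into a script that runs as root, so a value containing spaces or shell metacharacters becomes part of the command line rather than the timeout argument. Inventory values are usually trusted, but they also arrive through group_vars, extra-vars and CI inputs, and quoting costs nothing: `--timeout={{ base_unattended_k3s_drain_timeout | quote }}`. Validating the format up front with an `ansible.builtin.assert` on a pattern such as `^[0-9]+[smh]$` would reject a bad value at deploy time instead of at reboot time. The drain command begins above this hunk.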
@@ -75,7 +75,10 @@ {% if base_unattended_k3s_drain_delete_emptydir_data %} --delete-emptydir-data \ {% endif %} - --timeout={{ base_unattended_k3s_drain_timeout }} || echo "k3s drain failed for node: ${node_name}" >&2 + --timeout={{ base_unattended_k3s_drain_timeout }} || { + echo "k3s drain failed for node: ${node_name}" >&2 + exit 1 + } when: base_unattended_add_k3s_drain_hook - name: Remove k3s pre-reboot drain hook when disabled From 3805372999ecb18e07bef3395ab6ef23c3d6e15a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 05:46:22 +0000 Subject: [PATCH 05/10] feat: add separate unattended update and reboot toggles Agent-Logs-Url: https://github.com/aboutbits/ansible-base/sessions/ebaa318b-c38a-4c2d-85fd-d64f68ed7044 Co-authored-by: alexlanz <3337260+alexlanz@users.noreply.github.com> --- defaults/main.yml | 8 ++++---- readme.md | 8 ++++---- tasks/main.yml | 35 +++++++++++++++++++++++++---------- 3 files changed, 33 insertions(+), 18 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7793666..a3da341 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ --- base_timezone: 'Europe/Rome' +base_unattended_update_enabled: true +base_unattended_reboot_enabled: true base_unattended_reboot_time: '05:00' -base_unattended_add_k3s_drain_hook: false -base_unattended_pre_reboot_hooks_fail_on_error: false -base_unattended_k3s_drain_timeout: '120s' -base_unattended_k3s_drain_delete_emptydir_data: true +base_unattended_reboot_k3s_drain_hook: false +base_unattended_reboot_k3s_drain_timeout: '120s' diff --git a/readme.md b/readme.md index b9208e6..acc3039 100644 --- a/readme.md +++ b/readme.md 
@@ -6,11 +6,11 @@ Base setup of a server. ## Role Variables - `base_timezone`: Timezone to configure on the host +- `base_unattended_update_enabled`: Whether unattended updates should be enabled (default: `true`) +- `base_unattended_reboot_enabled`: Whether unattended upgrades may reboot automatically if needed (default: `true`) - `base_unattended_reboot_time`: Time when unattended-upgrades should reboot if needed (default: `"05:00"`) -- `base_unattended_add_k3s_drain_hook`: Whether to install a k3s drain pre-reboot hook (default: `false`) -- `base_unattended_pre_reboot_hooks_fail_on_error`: Whether pre-reboot hook failures should stop the reboot hook runner (default: `false`) -- `base_unattended_k3s_drain_timeout`: Timeout for `k3s kubectl drain` in the optional k3s hook (default: `"120s"`) -- `base_unattended_k3s_drain_delete_emptydir_data`: Whether the optional k3s hook passes `--delete-emptydir-data` to drain (default: `true`) +- `base_unattended_reboot_k3s_drain_hook`: Whether to install a k3s drain pre-reboot hook (default: `false`) +- `base_unattended_reboot_k3s_drain_timeout`: Timeout for `k3s kubectl drain` in the optional k3s hook (default: `"120s"`) ## Example Playbook diff --git a/tasks/main.yml b/tasks/main.yml index f8c6806..93d1d85 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Set timezone community.general.timezone: - name: {{ base_timezone } } + name: "{{ base_timezone }}" - name: Restart service cron ansible.builtin.systemd: @@ -18,8 +18,8 @@ ansible.builtin.copy: dest: /etc/apt/apt.conf.d/20auto-upgrades content: | - APT::Periodic::Update-Package-Lists "1"; - APT::Periodic::Unattended-Upgrade "1"; + APT::Periodic::Update-Package-Lists "{{ base_unattended_update_enabled | bool | ternary('1', '0') }}"; + APT::Periodic::Unattended-Upgrade "{{ base_unattended_update_enabled | bool | ternary('1', '0') }}"; owner: root group: root mode: '0644' 
@@ -31,6 +31,7 @@ owner: root group: root mode: '0755' + when: base_unattended_reboot_enabled - name: Deploy unattended-upgrades pre-reboot hooks runner ansible.builtin.copy: @@ -43,7 +44,6 @@ set -uo pipefail shopt -s nullglob hook_dir="/etc/unattended-upgrades/pre-reboot-hooks.d" - fail_on_error="{{ base_unattended_pre_reboot_hooks_fail_on_error | bool | ternary('true', 'false') }}" hook_failed=0 for hook in "${hook_dir}"/*; do [ -f "$hook" ] || continue @@ -53,9 +53,16 @@ hook_failed=1 fi done - if [ "${hook_failed}" -ne 0 ] && [ "${fail_on_error}" = "true" ]; then + if [ "${hook_failed}" -ne 0 ]; then exit 1 fi + when: base_unattended_reboot_enabled + +- name: Remove unattended-upgrades pre-reboot hooks runner when reboot is disabled + ansible.builtin.file: + path: /usr/local/bin/unattended-pre-reboot-hooks.sh + state: absent + when: not base_unattended_reboot_enabled - name: Deploy k3s pre-reboot drain hook ansible.builtin.copy: @@ -72,20 +79,20 @@ fi k3s kubectl drain "${node_name}" \ --ignore-daemonsets \ - {% if base_unattended_k3s_drain_delete_emptydir_data %} --delete-emptydir-data \ - {% endif %} - --timeout={{ base_unattended_k3s_drain_timeout }} || { + --timeout={{ base_unattended_reboot_k3s_drain_timeout }} || { echo "k3s drain failed for node: ${node_name}" >&2 exit 1 } - when: base_unattended_add_k3s_drain_hook + when: + - base_unattended_reboot_enabled + - base_unattended_reboot_k3s_drain_hook - name: Remove k3s pre-reboot drain hook when disabled ansible.builtin.file: path: /etc/unattended-upgrades/pre-reboot-hooks.d/10-k3s-drain state: absent - when: not base_unattended_add_k3s_drain_hook + when: not base_unattended_reboot_enabled or not base_unattended_reboot_k3s_drain_hook - name: Configure unattended-upgrades reboot behavior ansible.builtin.blockinfile: 
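Review bot: The new `when: base_unattended_reboot_enabled` conditions test the variable bare, while the `20auto-upgrades` content in this same commit normalises its toggle with `| bool`. A value supplied as a string, for example `-e base_unattended_reboot_enabled=false`, is a non-empty string; depending on the ansible-core version it either evaluates as true or is rejected as a non-boolean conditional, so the reboot configuration can end up deployed on a host where the operator meant to turn it off. Writing `when: base_unattended_reboot_enabled | bool` and `when: not (base_unattended_reboot_enabled | bool)` avoids that. The same applies to the `when:` lines added in the runner, k3s hook and removal hunks of this commit, including the `base_unattended_reboot_k3s_drain_hook` test.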
@@ -97,3 +104,11 @@ Unattended-Upgrade::Automatic-Reboot-WithUsers "false"; Unattended-Upgrade::Automatic-Reboot-Time "{{ base_unattended_reboot_time }}"; Unattended-Upgrade::Pre-Reboot-Hook "/usr/local/bin/unattended-pre-reboot-hooks.sh"; + when: base_unattended_reboot_enabled + +- name: Remove unattended-upgrades reboot behavior when disabled + ansible.builtin.blockinfile: + path: /etc/apt/apt.conf.d/50unattended-upgrades + marker: "// {mark} ANSIBLE MANAGED REBOOT SETTINGS" + state: absent + when: not base_unattended_reboot_enabled From 3594a95b208ed8542b74ef1676aea63a7782aac7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 05:47:09 +0000 Subject: [PATCH 06/10] style: address unattended role review feedback Agent-Logs-Url: https://github.com/aboutbits/ansible-base/sessions/ebaa318b-c38a-4c2d-85fd-d64f68ed7044 Co-authored-by: alexlanz <3337260+alexlanz@users.noreply.github.com> --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 93d1d85..4de15e8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -49,7 +49,7 @@ [ -f "$hook" ] || continue [ -x "$hook" ] || continue if ! "$hook"; then - echo "Pre-reboot hook failed: $hook" >&2 + echo "Pre-reboot hook failed: ${hook}" >&2 hook_failed=1 fi done @@ -92,7 +92,7 @@ ansible.builtin.file: path: /etc/unattended-upgrades/pre-reboot-hooks.d/10-k3s-drain state: absent - when: not base_unattended_reboot_enabled or not base_unattended_reboot_k3s_drain_hook + when: not (base_unattended_reboot_enabled and base_unattended_reboot_k3s_drain_hook) - name: Configure unattended-upgrades reboot behavior ansible.builtin.blockinfile: From b8232e4914cbdaad960a9cd49d1d9847eb3514ff Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 05:47:34 +0000 Subject: [PATCH 07/10] fix: fail fast in unattended reboot hook runner Agent-Logs-Url: https://github.com/aboutbits/ansible-base/sessions/ebaa318b-c38a-4c2d-85fd-d64f68ed7044 Co-authored-by: alexlanz <3337260+alexlanz@users.noreply.github.com> --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 4de15e8..ef878e0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -41,7 +41,7 @@ mode: '0755' content: | #!/bin/bash - set -uo pipefail + set -euo pipefail shopt -s nullglob hook_dir="/etc/unattended-upgrades/pre-reboot-hooks.d" hook_failed=0 From 1e26d512ed0605a805c0ee41d448954edae456fe Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 11 May 2026 11:34:21 +0000 Subject: [PATCH 08/10] fix: remove pre-reboot hooks dir when reboot is disabled Agent-Logs-Url: https://github.com/aboutbits/ansible-base/sessions/e6b0fb63-6166-4672-bece-4cd44613c276 Co-authored-by: alexlanz <3337260+alexlanz@users.noreply.github.com> --- tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index ef878e0..8f55baf 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -94,6 +94,12 @@ state: absent when: not (base_unattended_reboot_enabled and base_unattended_reboot_k3s_drain_hook) +- name: Remove unattended-upgrades pre-reboot hooks directory when reboot is disabled + ansible.builtin.file: + path: /etc/unattended-upgrades/pre-reboot-hooks.d + state: absent + when: not base_unattended_reboot_enabled + - name: Configure unattended-upgrades reboot behavior ansible.builtin.blockinfile: path: /etc/apt/apt.conf.d/50unattended-upgrades From d36eb343330da28be06f5ff7e304d898906aea00 Mon Sep 17 00:00:00 2001 
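Review bot: Adding `-e` here does not make the runner fail fast, because each hook is invoked as the condition of `if ! "$hook"` and the file tests are guarded with `|| continue`, and `set -e` ignores failures in both positions. The loop still runs every hook and exits non-zero only after the last one, as it did before this commit. If stopping at the first failed hook is the intent, the `hook_failed=1` branch needs an `exit 1`; if running all hooks is the intent, a comment such as `# all hooks run; failures are reported after the loop` would keep the script in line with what it does. The loop itself lies outside this hunk.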
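Review bot: `state: absent` on `/etc/unattended-upgrades/pre-reboot-hooks.d` deletes the directory recursively, including any hook that an operator or another role placed there. Turning the reboot toggle off and on again would therefore silently lose those hooks, and the next automatic reboot would run without them. Since the runner and the apt setting are already removed when reboots are disabled, leaving the directory in place is harmless; otherwise state the recursive removal in the readme entry for `base_unattended_reboot_enabled`.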
From: Alex Lanz Date: Mon, 11 May 2026 13:44:14 +0200 Subject: [PATCH 09/10] finalize automatic updates with automatic reboots --- tasks/main.yml | 57 ++++++++++++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 25 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 8f55baf..77f0666 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -23,6 +23,7 @@ owner: root group: root mode: '0644' + when: base_unattended_update_enabled - name: Create unattended-upgrades pre-reboot hooks directory ansible.builtin.file: @@ -58,12 +59,6 @@ fi when: base_unattended_reboot_enabled -- name: Remove unattended-upgrades pre-reboot hooks runner when reboot is disabled - ansible.builtin.file: - path: /usr/local/bin/unattended-pre-reboot-hooks.sh - state: absent - when: not base_unattended_reboot_enabled - - name: Deploy k3s pre-reboot drain hook ansible.builtin.copy: dest: /etc/unattended-upgrades/pre-reboot-hooks.d/10-k3s-drain 
@@ -88,33 +83,45 @@ - base_unattended_reboot_enabled - base_unattended_reboot_k3s_drain_hook -- name: Remove k3s pre-reboot drain hook when disabled - ansible.builtin.file: - path: /etc/unattended-upgrades/pre-reboot-hooks.d/10-k3s-drain - state: absent - when: not (base_unattended_reboot_enabled and base_unattended_reboot_k3s_drain_hook) - -- name: Remove unattended-upgrades pre-reboot hooks directory when reboot is disabled - ansible.builtin.file: - path: /etc/unattended-upgrades/pre-reboot-hooks.d - state: absent - when: not base_unattended_reboot_enabled - - name: Configure unattended-upgrades reboot behavior - ansible.builtin.blockinfile: - path: /etc/apt/apt.conf.d/50unattended-upgrades - create: true - marker: "// {mark} ANSIBLE MANAGED REBOOT SETTINGS" - block: | + ansible.builtin.copy: + dest: /etc/apt/apt.conf.d/50unattended-upgrades + content: | Unattended-Upgrade::Automatic-Reboot "true"; Unattended-Upgrade::Automatic-Reboot-WithUsers "false"; Unattended-Upgrade::Automatic-Reboot-Time "{{ base_unattended_reboot_time }}"; Unattended-Upgrade::Pre-Reboot-Hook "/usr/local/bin/unattended-pre-reboot-hooks.sh"; + owner: root + group: root + mode: '0644' when: base_unattended_reboot_enabled +- name: Remove unattended-upgrades behavior when disabled + ansible.builtin.file: + path: /etc/apt/apt.conf.d/20auto-upgrades + state: absent + when: not base_unattended_update_enabled + - name: Remove unattended-upgrades reboot behavior when disabled - ansible.builtin.blockinfile: + ansible.builtin.file: path: /etc/apt/apt.conf.d/50unattended-upgrades - marker: "// {mark} ANSIBLE MANAGED REBOOT SETTINGS" + state: absent + when: not base_unattended_reboot_enabled + +- name: Remove unattended-upgrades pre-reboot hooks runner when reboot is disabled + ansible.builtin.file: + path: /usr/local/bin/unattended-pre-reboot-hooks.sh + state: absent + when: not base_unattended_reboot_enabled + +- name: Remove k3s pre-reboot drain hook when disabled + ansible.builtin.file: + path: 
/etc/unattended-upgrades/pre-reboot-hooks.d/10-k3s-drain + state: absent + when: not (base_unattended_reboot_enabled and base_unattended_reboot_k3s_drain_hook) + +- name: Remove unattended-upgrades pre-reboot hooks directory when reboot is disabled + ansible.builtin.file: + path: /etc/unattended-upgrades/pre-reboot-hooks.d state: absent when: not base_unattended_reboot_enabled From 4260306dd9f635ebd28c1d5dbc75688b94ac5aea Mon Sep 17 00:00:00 2001 From: Alex Lanz Date: Tue, 12 May 2026 10:05:41 +0200 Subject: [PATCH 10/10] apply PR feedback --- tasks/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 77f0666..0bbe260 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -18,8 +18,8 @@ ansible.builtin.copy: dest: /etc/apt/apt.conf.d/20auto-upgrades content: | - APT::Periodic::Update-Package-Lists "{{ base_unattended_update_enabled | bool | ternary('1', '0') }}"; - APT::Periodic::Unattended-Upgrade "{{ base_unattended_update_enabled | bool | ternary('1', '0') }}"; + APT::Periodic::Update-Package-Lists "1"; + APT::Periodic::Unattended-Upgrade "1"; owner: root group: root mode: '0644' @@ -67,6 +67,8 @@ mode: '0755' content: | #!/bin/bash + set -euo pipefail + shopt -s nullglob node_name="$(hostname)" if ! k3s kubectl get node "${node_name}" >/dev/null 2>&1; then echo "k3s node not found: ${node_name}" >&2
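Review bot: Switching from `blockinfile` to `copy` makes this task replace the whole of `/etc/apt/apt.conf.d/50unattended-upgrades` with four reboot lines, and the matching removal task now deletes the file outright. On Debian and Ubuntu that path is normally the conffile shipped by the unattended-upgrades package and carries the `Allowed-Origins` / `Origins-Pattern` selection, so overwriting or removing it can leave unattended-upgrades with no origins to install from, which would quietly stop automatic security updates. Writing the role's settings to a separate fragment that sorts later, e.g. `dest: /etc/apt/apt.conf.d/52unattended-upgrades-local` (file name chosen here as an example), and removing only that fragment when disabled keeps the packaged defaults intact. Checking a converged host with `unattended-upgrade --dry-run --debug` would confirm that origins are still matched.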
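Review bot: The added `shopt -s nullglob` has no effect in this hook, which contains no glob, and the added `set -e` does not change the guard kept just below it: any failure of `k3s kubectl get node` still ends in `exit 0`. That guard cannot tell "this host is not a k3s node" from "the API server is unreachable or the kubeconfig is unreadable", so in the second case the runner reports success and the reboot goes ahead undrained. Consider dropping the `nullglob` line and exiting non-zero unless the error output shows the node is really missing, for example by keeping stderr and testing it for `NotFound`. The rest of the hook body lies outside this hunk.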