Skip to content

Add configurable unattended reboot orchestration with optional k3s drain hooks #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Copilot wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Add configurable unattended reboot orchestration with optional k3s drain hooks #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
9512a27
feat: add configurable unattended reboot hooks
Copilot May 8, 2026
69ce22b
fix: harden unattended pre-reboot hook execution
Copilot May 8, 2026
c68aa20
feat: add configurable pre-reboot hook failure and drain options
Copilot May 8, 2026
9c0590e
fix: propagate k3s drain failures to hook runner
Copilot May 8, 2026
3805372
feat: add separate unattended update and reboot toggles
Copilot May 9, 2026
3594a95
style: address unattended role review feedback
Copilot May 9, 2026
b8232e4
fix: fail fast in unattended reboot hook runner
Copilot May 9, 2026
1e26d51
fix: remove pre-reboot hooks dir when reboot is disabled
Copilot May 11, 2026
d36eb34
finalize automatic updates with automatic reboots
alexlanz May 11, 2026
4260306
apply PR feedback
alexlanz May 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,7 @@
---
base_timezone: 'Europe/Rome'
base_timezone: 'Europe/Rome'
base_unattended_update_enabled: true
base_unattended_reboot_enabled: true
base_unattended_reboot_time: '05:00'
base_unattended_reboot_k3s_drain_hook: false
base_unattended_reboot_k3s_drain_timeout: '120s'
Comment thread
alexlanz marked this conversation as resolved.
5 changes: 5 additions & 0 deletions readme.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,11 @@ Base setup of a server.
## Role Variables

- `base_timezone`: Timezone to configure on the host
- `base_unattended_update_enabled`: Whether unattended updates should be enabled (default: `true`)
- `base_unattended_reboot_enabled`: Whether unattended upgrades may reboot automatically if needed (default: `true`)
- `base_unattended_reboot_time`: Time when unattended-upgrades should reboot if needed (default: `"05:00"`)
- `base_unattended_reboot_k3s_drain_hook`: Whether to install a k3s drain pre-reboot hook (default: `false`)
- `base_unattended_reboot_k3s_drain_timeout`: Timeout for `k3s kubectl drain` in the optional k3s hook (default: `"120s"`)

## Example Playbook

Expand Down
106 changes: 105 additions & 1 deletion tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
- name: Set timezone
community.general.timezone:
name: {{ base_timezone } }
name: "{{ base_timezone }}"

- name: Restart service cron
ansible.builtin.systemd:
Expand All @@ -23,3 +23,107 @@
owner: root
group: root
mode: '0644'
when: base_unattended_update_enabled

- name: Create unattended-upgrades pre-reboot hooks directory
ansible.builtin.file:
Copy link
Copy Markdown

@stplasim stplasim May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This overrides the entire file, right? It also removes all the default settings, such as allowed origins and package blacklists. Is this what we want? Maybe we should check first to see if it would remove something that we still need or want.

https://github.com/mvo5/unattended-upgrades/blob/master/data/50unattended-upgrades.Ubuntu

path: /etc/unattended-upgrades/pre-reboot-hooks.d
state: directory
owner: root
group: root
mode: '0755'
when: base_unattended_reboot_enabled

- name: Deploy unattended-upgrades pre-reboot hooks runner
ansible.builtin.copy:
dest: /usr/local/bin/unattended-pre-reboot-hooks.sh
owner: root
group: root
mode: '0755'
content: |
#!/bin/bash
set -euo pipefail
Copy link
Copy Markdown

@stplasim stplasim May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand this right, the set -euo pipefail and if ! "$hook" are working against each other here, one says fail fast, the other is clearly trying to keep going after a failure.

Currently it would run them all, fail at the end. Is this intentional?

shopt -s nullglob
hook_dir="/etc/unattended-upgrades/pre-reboot-hooks.d"
hook_failed=0
for hook in "${hook_dir}"/*; do
[ -f "$hook" ] || continue
[ -x "$hook" ] || continue
if ! "$hook"; then
echo "Pre-reboot hook failed: ${hook}" >&2
hook_failed=1
fi
done
if [ "${hook_failed}" -ne 0 ]; then
exit 1
fi
when: base_unattended_reboot_enabled

- name: Deploy k3s pre-reboot drain hook
ansible.builtin.copy:
dest: /etc/unattended-upgrades/pre-reboot-hooks.d/10-k3s-drain
owner: root
group: root
mode: '0755'
content: |
#!/bin/bash
set -euo pipefail
shopt -s nullglob
node_name="$(hostname)"
if ! k3s kubectl get node "${node_name}" >/dev/null 2>&1; then
echo "k3s node not found: ${node_name}" >&2
exit 0
fi
k3s kubectl drain "${node_name}" \
--ignore-daemonsets \
--delete-emptydir-data \
--timeout={{ base_unattended_reboot_k3s_drain_timeout }} || {
echo "k3s drain failed for node: ${node_name}" >&2
exit 1
}
when:
- base_unattended_reboot_enabled
- base_unattended_reboot_k3s_drain_hook
Comment thread
alexlanz marked this conversation as resolved.

- name: Configure unattended-upgrades reboot behavior
ansible.builtin.copy:
dest: /etc/apt/apt.conf.d/50unattended-upgrades
content: |
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Automatic-Reboot-Time "{{ base_unattended_reboot_time }}";
Unattended-Upgrade::Pre-Reboot-Hook "/usr/local/bin/unattended-pre-reboot-hooks.sh";
owner: root
group: root
mode: '0644'
when: base_unattended_reboot_enabled

- name: Remove unattended-upgrades behavior when disabled
ansible.builtin.file:
path: /etc/apt/apt.conf.d/20auto-upgrades
state: absent
when: not base_unattended_update_enabled

- name: Remove unattended-upgrades reboot behavior when disabled
ansible.builtin.file:
path: /etc/apt/apt.conf.d/50unattended-upgrades
state: absent
when: not base_unattended_reboot_enabled

- name: Remove unattended-upgrades pre-reboot hooks runner when reboot is disabled
ansible.builtin.file:
path: /usr/local/bin/unattended-pre-reboot-hooks.sh
state: absent
when: not base_unattended_reboot_enabled

- name: Remove k3s pre-reboot drain hook when disabled
ansible.builtin.file:
path: /etc/unattended-upgrades/pre-reboot-hooks.d/10-k3s-drain
state: absent
when: not (base_unattended_reboot_enabled and base_unattended_reboot_k3s_drain_hook)

- name: Remove unattended-upgrades pre-reboot hooks directory when reboot is disabled
ansible.builtin.file:
path: /etc/unattended-upgrades/pre-reboot-hooks.d
state: absent
when: not base_unattended_reboot_enabled