| author | 2025-07-08 12:27:55 +0000 | |
|---|---|---|
| committer | 2025-07-08 12:27:55 +0000 | |
| commit | 5d7d3e3a4ecf0cab731fe800711402fba008b31f (patch) | |
| tree | 5613319aea5ca9dbc413cf7529596b0ad40d6ab7 | |
| parent | Initial analysis of LDAP automatic updates requirement (diff) | |
Add dnf-automatic configuration for LDAP server automatic updates
Co-authored-by: jb3 <[email protected]>
| -rw-r--r-- | ansible/roles/ldap/README.md | 16 | ||||
| -rw-r--r-- | ansible/roles/ldap/handlers/main.yml | 14 | ||||
| -rw-r--r-- | ansible/roles/ldap/tasks/main.yml | 31 | ||||
| -rw-r--r-- | ansible/roles/ldap/templates/dnf-automatic.conf.j2 | 58 | 
4 files changed, 119 insertions, 0 deletions
diff --git a/ansible/roles/ldap/README.md b/ansible/roles/ldap/README.md
index a3b79c8..448e781 100644
--- a/ansible/roles/ldap/README.md
+++ b/ansible/roles/ldap/README.md
@@ -7,3 +7,19 @@ Note that the actual installation process and subsequent setup steps from
 `ipa-server-install` must unfortunately be performed manually, as the automation
 of this process is not something that we have deemed critical to automate at
 this stage.
+
+## Automatic Updates
+
+This role configures `dnf-automatic` on Rocky Linux hosts to automatically
+install security updates. The configuration:
+
+- Downloads and installs security updates automatically
+- Uses the default systemd timer schedule (daily)
+- Sends notifications to stdio (visible in systemd journal)
+- Reduces the manual maintenance burden for security patches
+
+The dnf-automatic service runs via systemd timer and can be monitored using:
+```bash
+systemctl status dnf-automatic.timer
+journalctl -u dnf-automatic.service
+```
diff --git a/ansible/roles/ldap/handlers/main.yml b/ansible/roles/ldap/handlers/main.yml
new file mode 100644
index 0000000..fd20152
--- /dev/null
+++ b/ansible/roles/ldap/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Reload the firewall
+  service:
+    name: firewalld
+    state: reloaded
+  tags:
+    - role::ldap
+
+- name: Restart dnf-automatic timer
+  systemd:
+    name: dnf-automatic.timer
+    state: restarted
+  tags:
+    - role::ldap
diff --git a/ansible/roles/ldap/tasks/main.yml b/ansible/roles/ldap/tasks/main.yml
index 5e1c5c8..ddee81c 100644
--- a/ansible/roles/ldap/tasks/main.yml
+++ b/ansible/roles/ldap/tasks/main.yml
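Review bot: The new `Restart dnf-automatic timer` handler restarts the timer unit, but `/etc/dnf/automatic.conf` is read by `dnf-automatic.service` each time the timer fires, so as far as I can tell restarting the timer neither reloads nor validates the rendered configuration; the `notify:` on the `Configure dnf-automatic` task in the tasks/main.yml hunk therefore has no effect on when the new settings apply, and the handler could be dropped or kept only for changes to the timer unit itself. The two handlers also use different modules for the same kind of operation (`service:` for firewalld, `systemd:` for the timer); picking one, e.g. `systemd:` for both, keeps the file consistent. The handlers file is complete within the hunk.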
@@ -7,6 +7,37 @@    tags:      - role::ldap +- name: Install dnf-automatic for automatic updates +  package: +    name: +      - dnf-automatic +    state: present +  when: ansible_distribution == "Rocky" +  tags: +    - role::ldap + +- name: Configure dnf-automatic +  template: +    src: dnf-automatic.conf.j2 +    dest: /etc/dnf/automatic.conf +    owner: root +    group: root +    mode: '0644' +  when: ansible_distribution == "Rocky" +  notify: +    - Restart dnf-automatic timer +  tags: +    - role::ldap + +- name: Enable and start dnf-automatic timer +  systemd: +    name: dnf-automatic.timer +    enabled: true +    state: started +  when: ansible_distribution == "Rocky" +  tags: +    - role::ldap +  - name: Create firewall rules for FreeIPA    ansible.posix.firewalld:      service: "{{ item }}" diff --git a/ansible/roles/ldap/templates/dnf-automatic.conf.j2 b/ansible/roles/ldap/templates/dnf-automatic.conf.j2 new file mode 100644 index 0000000..3a4ff48 --- /dev/null +++ b/ansible/roles/ldap/templates/dnf-automatic.conf.j2 
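Review bot: The three new tasks each repeat `when: ansible_distribution == "Rocky"`; wrapping them in a single `block:` with one `when:` keeps the guard in one place and makes it harder for a later dnf-automatic task to be added without it. The tasks file continues outside the hunk on both sides, and the hunk's blank context line between `- role::ldap` and the first added task appears to have been collapsed in this rendering, so I have not reflowed it. A one-line comment above the install task such as `# Unattended security updates; see templates/dnf-automatic.conf.j2 and README.md` would point readers at the policy the role is applying.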
@@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+
+[commands]
+#  What kind of upgrade to perform:
+# default                            = all available upgrades
+# security                           = only the security upgrades
+upgrade_type = security
+random_sleep = 0
+
+# Maximum time in seconds to wait until the system is on-line and able to
+# connect to remote repositories.
+network_online_timeout = 60
+
+# To just receive updates use dnf-automatic-notifyonly.timer
+
+# Whether updates should be downloaded when they are available.
+download_updates = yes
+
+# Whether updates should be applied when they are available.  Note that
+# download_updates must also be yes for the update to be applied.
+apply_updates = yes
+
+[emitters]
+# Name to use for this system in messages that are emitted.  Default is the
+# hostname.
+# system_name = my-host
+
+# How to send messages.  Valid options are stdio, email and motd.  If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages.  If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via includes motd, /etc/motd file will have a message appended.
+# Default is email,stdio.
+# emit_via = stdio
+emit_via = stdio
+
+[email]
+# The address to send email messages from.
+email_from = root@{{ ansible_fqdn }}
+
+# List of addresses to send messages to.
+email_to = root
+
+# Name of the host to connect to to send email messages.
+email_host = localhost
+
+[base]
+# This section overrides dnf.conf
+
+# Use this to filter Yum core messages
+# -4: critical
+# -3: error
+# -2: warning
+# -1: info (default)
+# 0: debug
+# 1: trace
+# 2: all
+# debuglevel = 1
\ No newline at end of file  |
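Review bot: The `[email]` section, including the templated `email_from = root@{{ ansible_fqdn }}`, is inert because `emit_via = stdio` does not include email, and the commented `# emit_via = stdio` line directly above the active setting is leftover from the stock file; removing both, and adding the trailing newline the diff reports as missing, would leave only settings that actually take effect. `upgrade_type = security` selects packages from the repositories' updateinfo security metadata, so a comment above it such as `# Relies on the enabled repos publishing updateinfo security metadata; without it nothing is installed` records an assumption that should be verified for the Rocky repos in use. With `apply_updates = yes` on a FreeIPA host, updates to the IPA, directory-server or kernel packages may apply unattended with no reboot or service-restart policy; if the installed dnf-automatic supports the `reboot` option in `[commands]`, the choice (`reboot = never` or `when-needed`) should be made explicit here and described in the README section this commit adds.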