Merge pull request 'Enable unattended-upgrades' (#598) from bugfix/499-unattended_upgrades into master

Reviewed-on: #598 Reviewed-by: Râu Cao <raucao@kosmos.org>
2025-09-10 08:47:52 +00:00
parent 41339c1040 a828d92185
commit dbf0e50abf
16 changed files with 121 additions and 46 deletions
--- a/site-cookbooks/kosmos-base/recipes/default.rb
+++ b/site-cookbooks/kosmos-base/recipes/default.rb
@@ -30,9 +30,16 @@ include_recipe 'ntp'
 include_recipe 'kosmos-base::journald_conf'
 include_recipe 'kosmos-base::systemd_emails'

+node.override["apt"]["unattended_upgrades"]["enable"] = true
+node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
+node.override["apt"]["unattended_upgrades"]["sender"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
  "${distro_id}:${distro_codename}-security",
-  "${distro_id}:${distro_codename}-updates"
+  "${distro_id}:${distro_codename}-updates",
+  "${distro_id}ESMApps:${distro_codename}-apps-security",
+  "${distro_id}ESMApps:${distro_codename}-apps-updates",
+  "${distro_id}ESM:${distro_codename}-infra-security",
+  "${distro_id}ESM:${distro_codename}-infra-updates"
 ]
 node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true
--- a/site-cookbooks/kosmos-postfix/recipes/default.rb
+++ b/site-cookbooks/kosmos-postfix/recipes/default.rb
@@ -3,20 +3,23 @@
 # Recipe:: default
 #

-node.default['postfix']['main']['smtp_tls_CAfile']  = '/etc/ssl/certs/ca-certificates.crt'
-node.default['postfix']['main']['smtpd_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
+node.default["postfix"]["main"]["smtp_tls_CAfile"]  = "/etc/ssl/certs/ca-certificates.crt"
+node.default["postfix"]["main"]["smtpd_tls_CAfile"] = "/etc/ssl/certs/ca-certificates.crt"

 return if node.run_list.roles.include?("email_server")

-smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
+smtp_credentials = Chef::EncryptedDataBagItem.load("credentials", "smtp")

-node.default['postfix']['sasl']['smtp_sasl_user_name']        = smtp_credentials['user_name']
-node.default['postfix']['sasl']['smtp_sasl_passwd']           = smtp_credentials['password']
-node.default['postfix']['sasl_password_file']                 = "#{node['postfix']['conf_dir']}/sasl_passwd"
-# Postfix doesn't support smtps relayhost, use STARTSSL instead
-node.default['postfix']['main']['relayhost']                  = smtp_credentials['relayhost']
-node.default['postfix']['main']['smtp_sasl_auth_enable']      = 'yes'
-node.default['postfix']['main']['smtp_sasl_password_maps']    = "hash:#{node['postfix']['sasl_password_file']}"
-node.default['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
+node.default["postfix"]["sasl"] = {
+  smtp_credentials["relayhost"] => {
+    "username" => smtp_credentials["user_name"],
+    "password" => smtp_credentials["password"]
+  }
+}

-include_recipe 'postfix::default'
+# Postfix doesn"t support smtps relayhost, use STARTSSL instead
+node.default["postfix"]["main"]["relayhost"]                  = smtp_credentials["relayhost"]
+node.default["postfix"]["main"]["smtp_sasl_auth_enable"]      = "yes"
+node.default["postfix"]["main"]["smtp_sasl_security_options"] = "noanonymous"
+
+include_recipe "postfix::default"