Unattended upgrades improvments

README.md

@@ -217,7 +217,10 @@ sending the message to syslog.
 ```yaml
 automatic_updates:
   enabled: true
+  only_security: true
   reboot: false
+  reboot_from_time: "2:00"
+  reboot_time_margin_mins: "20"
 ```
 
 If `automatic_updates` is enabled it will install and configure
@@ -229,6 +232,13 @@ If the `reboot` option is set to `true`, it will reboot the system if needed,
 see [Unattended-Upgrade::Automatic-Reboot](https://help.ubuntu.com/community/AutomaticSecurityUpdates)
 and [dnf_automatic: reboot](https://dnf.readthedocs.io/en/latest/automatic.html).
 
+The reboot time scheduling is currently only supported on Debian-based distros.
+The reboot is by default scheduled randomly betweem 2:00-2:20AM, server time. The 
+reboot time is chosen randomly from `reboot_from_time`, adding a random time within
+`reboot_time_margin_mins` to avoid overloading hypervisors.
+
+When overwriting any part of `automatic_updates`, you need to re-specify all values above.
+
 ### ./defaults/main/compilers.yml
 
 ```yaml

defaults/main/automatic_updates.yml

@@ -1,4 +1,7 @@
 ---
 automatic_updates:
   enabled: true
+  only_security: true
   reboot: false
+  reboot_from_time: "2:00"
+  reboot_time_margin_mins: "20"

molecule/custom/molecule.yml

@@ -18,7 +18,12 @@ provisioner:
   inventory:
     host_vars:
       jammy:
-        automatic_updates: true
+        automatic_updates:
+          enabled: true
+          only_security: true
+          reboot: false
+          reboot_from_time: "2:00"
+          reboot_time_margin_mins: "20"
         fallback_ntp:
           - 169.254.169.123
         journald_storage: persistent

tasks/automatic_updates.yml

@@ -89,6 +89,24 @@
         mode: "0644"
         create: true
 
+    - name: Set base time and margin for reboot calculation
+      ansible.builtin.set_fact:
+        reboot_base_time: "{{ automatic_updates.reboot_from_time.split(':') }}"
+        reboot_time_margin_mins: "{{ automatic_updates.reboot_time_margin_mins | int }}"
+
+    - name: Calculate random margin
+      ansible.builtin.set_fact:
+        random_margin: "{{ range(0, (reboot_time_margin_mins | int)) | random }}"
+
+    - name: Calculate total minutes for reboot
+      ansible.builtin.set_fact:
+        total_minutes: "{{ (reboot_base_time[0] | int) * 60 + (reboot_base_time[1] | int) + (random_margin | int) }}"
+
+    - name: Translates to hours, and minutes
+      ansible.builtin.set_fact:
+        reboot_hour: "{{ ((total_minutes | int) // 60) % 24 }}"
+        reboot_minute: "{{ (total_minutes | int) % 60 }}"
+
     - name: Configure unattended-upgrades
       ansible.builtin.template:
         src: "{{ unattended_upgrades_template }}"

templates/etc/apt/apt.conf.d/50unattended-upgrades.j2

@@ -1,5 +1,7 @@
 Unattended-Upgrade::Allowed-Origins {
+        {% if not automatic_updates.only_security %}
         "${distro_id}:${distro_codename}";
+        {% endif %}
         "${distro_id}:${distro_codename}-security";
         "${distro_id}ESMApps:${distro_codename}-apps-security";
         "${distro_id}ESM:${distro_codename}-infra-security";
@@ -11,4 +13,10 @@ Unattended-Upgrade::Package-Blacklist {
 Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
 Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
 Unattended-Upgrade::Remove-Unused-Dependencies "true";
-Unattended-Upgrade::Automatic-Reboot "{{ 'true' if automatic_updates.reboot else 'false' }}";
+
+{% if automatic_updates.reboot %}
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-Time "{{ '%02d:%02d'|format((reboot_hour | int), (reboot_minute | int)) }}";
+{% else %}
+Unattended-Upgrade::Automatic-Reboot "false";
+{% endif %}