--- # ── Security Updates Role ──────────────────────────────────────────────────── # Handles: Docker CE patches, container base image updates, k3s patches # Principle: security patches auto-applied; feature/major upgrades blocked # Admin email for alerts requiring manual intervention security_admin_email: "{{ smtp_admin_email }}" # SMTP for sending alerts (uses system mail if available, falls back to curl) security_smtp_host: "{{ smtp_host }}" security_smtp_port: "{{ smtp_port }}" security_smtp_user: "{{ smtp_user }}" security_smtp_pass: "{{ smtp_pass }}" security_smtp_from: "{{ smtp_from }}" # Docker container update schedule (cron) # Default: 3:30 AM daily (after unattended-upgrades at ~3 AM, before reboot at 4 AM) container_update_hour: "3" container_update_minute: "30" # k3s update check schedule k3s_update_hour: "3" k3s_update_minute: "45" # Project directories to scan for docker-compose.yml compose_projects: - "{{ project_dir }}" - "{{ dev_project_dir }}" # Docker major version pin (only allow patch updates within this major) # e.g. "27" means 27.x.y patches are auto-applied, 28.x requires manual docker_major_version_pin: "27"