new-site/infra/ansible/roles/security-updates/defaults/main.yml
justin 97e8664cbf Add security-updates Ansible role for automated patching
Comprehensive security update automation:

1. Debian OS (unattended-upgrades) — tightened to security-only:
   - Removed general Debian updates (prevents feature/breaking changes)
   - Only Debian-Security origins auto-installed
   - Email admin on every upgrade via ops@performancewest.net
   - Auto-reboot at 4 AM if kernel update requires it
   - needrestart auto-restarts services after library updates

2. Docker CE — major version guard:
   - Patch updates within pinned major version auto-applied
   - Major version jumps held + admin alerted for manual review
   - docker-ce, docker-ce-cli, containerd.io all version-guarded

3. Container base images — daily at 3:30 AM:
   - Pulls latest base images for all docker-compose services
   - Compares image digests — only rebuilds if changed
   - Restarts only affected services (not full stack)
   - Alerts admin on rebuild failures requiring manual intervention
   - Covers both prod and dev compose projects

4. k3s — weekly Sunday at 3:45 AM:
   - Patch updates within current minor auto-applied
   - Minor/major upgrades alert admin for manual review
   - Verifies node Ready status after update
   - Alerts on failures with investigation instructions

5. Admin notifications via SMTP:
   - [INFO] for successful patches
   - [WARNING] for available major upgrades needing review
   - [CRITICAL] for failures requiring immediate intervention
   - Falls back to syslog if SMTP unavailable

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-30 01:24:57 -05:00

32 lines
1.2 KiB
YAML

---
# ── Security Updates Role ────────────────────────────────────────────────────
# Handles: Docker CE patches, container base image updates, k3s patches
# Principle: security patches auto-applied; feature/major upgrades blocked
# Admin email for alerts requiring manual intervention
security_admin_email: "{{ smtp_admin_email }}"
# SMTP for sending alerts (uses system mail if available, falls back to curl)
security_smtp_host: "{{ smtp_host }}"
security_smtp_port: "{{ smtp_port }}"
security_smtp_user: "{{ smtp_user }}"
security_smtp_pass: "{{ smtp_pass }}"
security_smtp_from: "{{ smtp_from }}"
# Docker container update schedule (cron)
# Default: 3:30 AM daily (after unattended-upgrades at ~3 AM, before reboot at 4 AM)
container_update_hour: "3"
container_update_minute: "30"
# k3s update check schedule
k3s_update_hour: "3"
k3s_update_minute: "45"
# Project directories to scan for docker-compose.yml
compose_projects:
- "{{ project_dir }}"
- "{{ dev_project_dir }}"
# Docker major version pin (only allow patch updates within this major)
# e.g. "27" means 27.x.y patches are auto-applied, 28.x requires manual
docker_major_version_pin: "27"