Comprehensive security update automation: 1. Debian OS (unattended-upgrades) — tightened to security-only: - Removed general Debian updates (prevents feature/breaking changes) - Only Debian-Security origins auto-installed - Email admin on every upgrade via ops@performancewest.net - Auto-reboot at 4 AM if kernel update requires it - needrestart auto-restarts services after library updates 2. Docker CE — major version guard: - Patch updates within pinned major version auto-applied - Major version jumps held + admin alerted for manual review - docker-ce, docker-ce-cli, containerd.io all version-guarded 3. Container base images — daily at 3:30 AM: - Pulls latest base images for all docker-compose services - Compares image digests — only rebuilds if changed - Restarts only affected services (not full stack) - Alerts admin on rebuild failures requiring manual intervention - Covers both prod and dev compose projects 4. k3s — weekly Sunday at 3:45 AM: - Patch updates within current minor auto-applied - Minor/major upgrades alert admin for manual review - Verifies node Ready status after update - Alerts on failures with investigation instructions 5. Admin notifications via SMTP: - [INFO] for successful patches - [WARNING] for available major upgrades needing review - [CRITICAL] for failures requiring immediate intervention - Falls back to syslog if SMTP unavailable Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
32 lines
1.2 KiB
YAML
32 lines
1.2 KiB
YAML
---
|
|
# ── Security Updates Role ────────────────────────────────────────────────────
|
|
# Handles: Docker CE patches, container base image updates, k3s patches
|
|
# Principle: security patches auto-applied; feature/major upgrades blocked
|
|
|
|
# Admin email for alerts requiring manual intervention
|
|
security_admin_email: "{{ smtp_admin_email }}"
|
|
|
|
# SMTP for sending alerts (uses system mail if available, falls back to curl)
|
|
security_smtp_host: "{{ smtp_host }}"
|
|
security_smtp_port: "{{ smtp_port }}"
|
|
security_smtp_user: "{{ smtp_user }}"
|
|
security_smtp_pass: "{{ smtp_pass }}"
|
|
security_smtp_from: "{{ smtp_from }}"
|
|
|
|
# Docker container update schedule (cron)
|
|
# Default: 3:30 AM daily (after unattended-upgrades at ~3 AM, before reboot at 4 AM)
|
|
container_update_hour: "3"
|
|
container_update_minute: "30"
|
|
|
|
# k3s update check schedule
|
|
k3s_update_hour: "3"
|
|
k3s_update_minute: "45"
|
|
|
|
# Project directories to scan for docker-compose.yml
|
|
compose_projects:
|
|
- "{{ project_dir }}"
|
|
- "{{ dev_project_dir }}"
|
|
|
|
# Docker major version pin (only allow patch updates within this major)
|
|
# e.g. "27" means 27.x.y patches are auto-applied, 28.x requires manual
|
|
docker_major_version_pin: "27"
|