Add system.autoupdates state (#61)

* Add support for autoupdates

only Debian-based systems are supported for now
(through unattended-upgrades package)

* Fix test on system.autoupdates.pkgs

README.rst

@@ -91,6 +91,21 @@ Linux with package from certail repo, version with no GPG verification
             repo: 'custom-repo'
             verify: false
 
+Linux with autoupdates (automatically install security package updates)
+
+.. code-block:: yaml
+
+    linux:
+      system:
+        ...
+        autoupdates:
+          enabled: true
+          mail: root@localhost
+          mail_only_on_error: true
+          remove_unused_dependencies: false
+          automatic_reboot: true
+          automatic_reboot_time: "02:00"
+
 Linux with cron jobs
 
 .. code-block:: yaml

linux/files/90autoupdates

@@ -0,0 +1,29 @@
+{%- set autoupdates = salt['pillar.get']('linux:system:autoupdates') %}
+
+{%- if autoupdates.enabled %}
+APT::Periodic::Enable "1";
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+{%- else %}
+APT::Periodic::Unattended-Upgrade "0";
+{%- endif %}
+
+{%- if autoupdates.mail is defined %}
+Unattended-Upgrade::Mail "{{ autoupdates.mail }}";
+{%- endif %}
+
+{%- if autoupdates.mail_only_on_error is defined %}
+Unattended-Upgrade::MailOnlyOnError "{{ "true" if autoupdates.mail_only_on_error else "false"}}";
+{%- endif %}
+
+{%- if autoupdates.remove_unused_dependencies is defined %}
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ "true" if autoupdates.remove_unused_dependencies else "false"}}";
+{%- endif %}
+
+{%- if autoupdates.automatic_reboot is defined %}
+Unattended-Upgrade::Automatic-Reboot "{{ "true" if autoupdates.automatic_reboot else "false"}}";
+{%- endif %}
+
+{%- if autoupdates.automatic_reboot_time is defined %}
+Unattended-Upgrade::Automatic-Reboot-Time "{{ autoupdates.automatic_reboot_time }}";
+{%- endif %}

linux/map.jinja

@@ -10,6 +10,10 @@
         'motd': {},
         'repo': {},
         'package': {},
+        'autoupdates': {
+             'enabled': False,
+             'pkgs': []
+         },
         'selinux': 'permissive',
         'ca_certs_dir': '/usr/local/share/ca-certificates',
         'doc_validity_pkgs': ['python-yaml'],
@@ -25,6 +29,10 @@
         'motd': {},
         'repo': {},
         'package': {},
+        'autoupdates': {
+             'enabled': False,
+             'pkgs': ['unattended-upgrades']
+         },
         'selinux': 'permissive',
         'ca_certs_dir': '/usr/local/share/ca-certificates',
         'doc_validity_pkgs': ['python-yaml'],
@@ -40,6 +48,10 @@
         'motd': {},
         'repo': {},
         'package': {},
+        'autoupdates': {
+             'enabled': False,
+             'pkgs': []
+         },
         'selinux': 'permissive',
         'ca_certs_dir': '/usr/local/share/ca-certificates',
         'doc_validity_pkgs': ['PyYAML'],

linux/system/autoupdates.sls

@@ -0,0 +1,24 @@
+{%- from "linux/map.jinja" import system with context %}
+{%- if system.enabled %}
+
+{%- if system.autoupdates is defined %}
+
+{%- if system.autoupdates.pkgs %}
+linux_autoupdates_packages:
+  pkg.installed:
+  - pkgs: {{ system.autoupdates.pkgs }}
+{%- endif %}
+
+{%- if grains.os_family == 'Debian' %}
+/etc/apt/apt.conf.d/90autoupdates:
+  file.managed:
+  - source: salt://linux/files/90autoupdates
+  - template: jinja
+  - user: root
+  - group: root
+  - mode: 644
+{%- endif %}
+
+{%- endif %}
+
+{%- endif %}

linux/system/init.sls

@@ -6,6 +6,9 @@ include:
 {%- if system.pkgs|length > 0 %}
 - linux.system.package
 {%- endif %}
+{%- if system.autoupdates is defined %}
+- linux.system.autoupdates
+{%- endif %}
 {%- if system.timezone is defined %}
 - linux.system.timezone
 {%- endif %}
@@ -71,4 +74,4 @@ include:
 {%- endif %}
 {%- if system.config is defined %}
 - linux.system.config
-{%- endif %}
+{%- endif %}