--- /dev/null
+# unattended-upgrades.pp
+
+# This class manages the unattended-upgrades package and related configuration
+# files for ubuntu
+
+# origins are the repositories to automatically upgrade included packages
+# blacklist is a list of packages to not automatically upgrade
+# update is how often to run "apt-get update" in days
+# download is how often to run "apt-get upgrade --download-only" in days
+# upgrade is how often to upgrade packages included in the origins list in days
+# autoclean is how often to run "apt-get autoclean" in days
+
+# information on the other options can be found in the 50unattended-upgrades
+# file and in /etc/cron.daily/apt
+
+class apt::unattended-upgrades (
+ $origins = ['${distro_id}:${distro_codename}-security'],
+ $blacklist = [],
+ $update = "1",
+ $download = "1",
+ $upgrade = "1",
+ $autoclean = "7",
+ $auto_fix = "true",
+ $minimal_steps = "false",
+ $install_on_shutdown = "false",
+ $mail_to = "NONE",
+ $mail_only_on_error = "false",
+ $remove_unused = "true",
+ $auto_reboot = "false",
+ $dl_limit = "NONE",
+ $enable = "1",
+ $backup_interval = "0",
+ $backup_level = "3",
+ $max_age = "0",
+ $min_age = "0",
+ $max_size = "0",
+ $download_delta = "0",
+ $verbose = "0",
+) {
+
+ package { 'unattended-upgrades':
+ ensure => present,
+ }
+
+ File {
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+
+ file {
+ '/etc/apt/apt.conf.d/50unattended-upgrades':
+ content => template('apt/50unattended-upgrades.erb');
+ '/etc/apt/apt.conf.d/10periodic':
+ content => template('apt/10periodic.erb');
+ }
+}
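Review bot: None of the class parameters are validated before use, and both templates (10periodic.erb and 50unattended-upgrades.erb) print them verbatim between double quotes. A value containing `"` or `;`, for example from Hiera or an ENC, would close the string and add further directives to root-owned apt configuration that decides which origins are installed without review. `$origins` and `$blacklist` must also be arrays, because the template calls `.each` on them. If puppetlabs-stdlib is available to this module, I would add checks at the top of the class body such as `validate_array($origins, $blacklist)` and `validate_re($update, '^\d+$')`, with matching checks for the other intervals and the "true"/"false" strings.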
--- /dev/null
+APT::Periodic::Enable "<%= @enable %>";
+APT::Periodic::BackUpArchiveInterval "<%= @backup_interval %>";
+APT::Periodic::BackUpLevel "<%= @backup_level %>";
+APT::Periodic::MaxAge "<%= @max_age %>";
+APT::Periodic::MinAge "<%= @min_age %>";
+APT::Periodic::MaxSize "<%= @max_size %>";
+APT::Periodic::Update-Package-Lists "<%= @update %>";
+APT::Periodic::Download-Upgradeable-Packages "<%= @download %>";
+APT::Periodic::Download-Upgradeable-Packages-Debdelta "<%= @download_delta %>";
+APT::Periodic::Unattended-Upgrade "<%= @upgrade %>";
+APT::Periodic::AutocleanInterval "<%= @autoclean %>";
+APT::Periodic::Verbose "<%= @verbose %>";
--- /dev/null
+// Automatically upgrade packages from these (origin:archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+<% @origins.each do |origin| -%>
+ "<%= origin %>";
+<% end -%>
+};
+
+// List of packages to not update
+Unattended-Upgrade::Package-Blacklist {
+<% @blacklist.each do |package| -%>
+ "<%= package %>";
+<% end -%>
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+Unattended-Upgrade::AutoFixInterruptedDpkg "<%= @auto_fix %>";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "<%= @minimal_steps %>";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+Unattended-Upgrade::InstallOnShutdown "<%= @install_on_shutdown %>";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed.
+<% if @mail_to != "NONE" %> Unattended-Upgrade::Mail "<%= @mail_to %>"; <% end %>
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+<% if @mail_to != "NONE" %> Unattended-Upgrade::MailOnlyOnError "<%= @mail_only_on_error %>"; <% end %>
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "<%= @remove_unused %>";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if a
+// the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "<%= @auto_reboot %>";
+
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+<% if @dl_limit != "NONE" %> Acquire::http::Dl-Limit "<%= @dl_limit %>"; <% end %>
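Review bot: The `Package-Blacklist` comment here and the manifest header both describe the entries as plain package names, but current unattended-upgrades releases match each entry as a Python regular expression against the package name. A short entry can therefore hold back more packages than intended, including security updates. I would state this in the template comment, e.g. `// Entries are matched as regular expressions; write "libc6$" to exclude only libc6`, after confirming the behaviour for the release this module targets. Separately, the Dl-Limit comment still reads "this example limits the download speed to 70kb/sec" although the value now comes from `@dl_limit`; something like `// Limit apt HTTP download speed (kB/s); omitted when dl_limit is "NONE"` would match what is rendered.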