Merge pull request 'feat: add unattended-upgrades to tenant VMs' (#73) from feat/unattended-upgrades into main

2026-02-16 12:03:03 +01:00 · 2026-02-16 12:03:03 +01:00 · 45806bc13f
commit 45806bc13f
parent 620c42b47e 8b1e7272e2
1 changed files with 15 additions and 0 deletions
--- a/modules/tenant-vm/cloud-init.yaml.tftpl
+++ b/modules/tenant-vm/cloud-init.yaml.tftpl
@ -21,6 +21,7 @@ package_update: true
 packages:
  - fail2ban
  - ufw
+  - unattended-upgrades

 runcmd:
  # Enable root SSH login with password (Ubuntu cloud images block this by default)
@ -36,6 +37,20 @@ runcmd:
  - ufw allow from 78.109.17.180 to any port 9100 proto tcp
  - ufw --force enable
  - systemctl enable --now fail2ban
+  # Unattended upgrades (security patches only, auto-reboot 04:00 if needed)
+  - |
+    cat > /etc/apt/apt.conf.d/20auto-upgrades << 'APT'
+    APT::Periodic::Update-Package-Lists "1";
+    APT::Periodic::Unattended-Upgrade "1";
+    APT::Periodic::AutocleanInterval "7";
+    APT
+  - |
+    cat > /etc/apt/apt.conf.d/52unattended-upgrades-local << 'APT'
+    Unattended-Upgrade::Automatic-Reboot "true";
+    Unattended-Upgrade::Automatic-Reboot-Time "04:00";
+    Unattended-Upgrade::Remove-Unused-Dependencies "true";
+    APT
+  - systemctl enable --now unattended-upgrades
  # Install node_exporter for monitoring
  - useradd --no-create-home --shell /bin/false node_exporter
  - curl -fsSL https://github.com/prometheus/node_exporter/releases/download/v1.10.2/node_exporter-1.10.2.linux-amd64.tar.gz -o /tmp/node_exporter.tar.gz