feat: add unattended-upgrades to tenant VM cloud-init
Some checks failed
0/1 projects planned successfully.
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 9s
Security Scan / Security Scan (pull_request) Successful in 9s

Security patches applied automatically, auto-reboot at 04:00 if needed.
Closes Phase 5.3 TODO.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
root 2026-02-16 12:00:36 +01:00
parent 620c42b47e
commit 8b1e7272e2


@ -21,6 +21,7 @@ package_update: true
packages:
- fail2ban
- ufw
- unattended-upgrades
runcmd:
# Enable root SSH login with password (Ubuntu cloud images block this by default)
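Review bot: the trailing context line of this hunk shows that runcmd still enables root SSH login with a password right after the package list; adding unattended-upgrades patches the OS but does not offset that exposure (fail2ban being in the same list suggests brute-force attempts are already expected). Worth a separate change to switch to key-only root login or disable root SSH, tracked alongside this one. The package addition itself is fine; note that Ubuntu cloud images already ship unattended-upgrades, so the effective change is the configuration in the runcmd hunk below.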
@ -36,6 +37,20 @@ runcmd:
- ufw allow from 78.109.17.180 to any port 9100 proto tcp
- ufw --force enable
- systemctl enable --now fail2ban
# Unattended upgrades (security patches only, auto-reboot 04:00 if needed)
- |
cat > /etc/apt/apt.conf.d/20auto-upgrades << 'APT'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
APT
- |
cat > /etc/apt/apt.conf.d/52unattended-upgrades-local << 'APT'
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
APT
- systemctl enable --now unattended-upgrades
# Install node_exporter for monitoring
- useradd --no-create-home --shell /bin/false node_exporter
- curl -fsSL https://github.com/prometheus/node_exporter/releases/download/v1.10.2/node_exporter-1.10.2.linux-amd64.tar.gz -o /tmp/node_exporter.tar.gz
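Review bot: the comment says "security patches only", but nothing in the `52unattended-upgrades-local` file restricts `Unattended-Upgrade::Allowed-Origins`, so the package set is whatever the distro default in `/etc/apt/apt.conf.d/50unattended-upgrades` allows; on Ubuntu that default includes the base `${distro_id}:${distro_codename}` pocket as well as `${distro_id}:${distro_codename}-security`. If security-only is the intent, add an explicit `Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; };` block to the local file (apt.conf.d files are read in lexical order, so 52 overrides 50). Two smaller points: `20auto-upgrades` is also written by the unattended-upgrades package's postinst, so a later `dpkg-reconfigure unattended-upgrades` can overwrite the heredoc version; and `Automatic-Reboot "true"` reboots at 04:00 even with users logged in unless `Unattended-Upgrade::Automatic-Reboot-WithUsers "false";` is set, which matters for a tenant VM. Also, the scheduled runs are driven by `apt-daily.timer` and `apt-daily-upgrade.timer` rather than the `unattended-upgrades` service being enabled here, so confirm those timers are active on the image.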