This is a great idea. I didn't see a Linux subway yet, but the process for requesting new lines seems pretty simple.
The "bot" suggested I use RandomSleep. It's not effortless.
I got the idea to use systemd timers from another answer in this thread and thought I'd help you out with an Ansible playbook.
In any case, I learned at least two things while reading the other replies, so it wasn't a total waste. (and you got your answer)
What sucks is the attitude you get when trying to help in many Linux communities. It's a tool, and a very useful one too.
If you knew what you were doing, you could understand the loop just by looking at it, without having to run it, ngl.
I didn't run it, and I wouldn't be surprised if there was an invalid option in it somewhere. Ansible Lightspeed would be a better tool than what I used, but it's sufficient to get the point across.
I use AI for grammar correction or to help put a thought into words sometimes. Needs some more work to sound natural though.
That's a great idea! Learned something new, thanks.
To effectively manage and stagger automated upgrades across multiple groups of Ubuntu servers, scheduling upgrades on specific days for different server groups offers a structured and reliable method. This approach ensures that upgrades are rolled out in a controlled manner, reducing the risk of potential disruptions.
Here's an example Ansible playbook that illustrates how to set this up. It installs unattended-upgrades
and configures systemd timers
to manage upgrades on specific weekdays for three distinct groups of servers.
Playbook
***
- hosts: all
become: yes
vars:
unattended_upgrade_groups:
- name: staging_batch1
schedule: "Mon *-*-* 02:00:00" # Updates on Monday
- name: staging_batch2
schedule: "Wed *-*-* 02:00:00" # Updates on Wednesday
- name: staging_batch3
schedule: "Fri *-*-* 02:00:00" # Updates on Friday
tasks:
- name: Install unattended-upgrades
apt:
name: unattended-upgrades
state: present
- name: Disable automatic updates to control manually
copy:
dest: /etc/apt/apt.conf.d/20auto-upgrades
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "0";
mode: '0644'
- name: Setup systemd service and timer for each group
loop: "{{ unattended_upgrade_groups }}"
block:
- name: Create systemd service for unattended-upgrades for {{ item.name }}
copy:
dest: "/etc/systemd/system/unattended-upgrades-{{ item.name }}.service"
content: |
[Unit]
Description=Run unattended upgrades for {{ item.name }}
[Service]
Type=oneshot
ExecStart=/usr/bin/unattended-upgrade
mode: '0644'
- name: Create systemd timer for {{ item.name }}
copy:
dest: "/etc/systemd/system/unattended-upgrades-{{ item.name }}.timer"
content: |
[Unit]
Description=Timer for unattended upgrades on {{ item.schedule }} for {{ item.name }}
[Timer]
OnCalendar={{ item.schedule }}
Persistent=true
[Install]
WantedBy=timers.target
mode: '0644'
- name: Enable the timer for {{ item.name }}
systemd:
name: "unattended-upgrades-{{ item.name }}.timer"
enabled: yes
- name: Start the timer for {{ item.name }}
systemd:
name: "unattended-upgrades-{{ item.name }}.timer"
state: started
Media server: Jellyfin, qBittorrent, Radarr/Sonarr/Lidarr/Prowlarr, and OpenVPN/Traefik/WireGuard
Misc: PiHole, Vaultwarden, HashiCorp Vault, and FreeIPA
VMware ESXi for the VMs, but I'll be switching to Proxmox soon.
All running in Docker or Podman containers on their own VMs. I'm trying to automate the deployment and configuration of each of these services via pipelines in GitLab CI using Ansible and Terraform right now. I also have a couple of Kubernetes clusters for testing and dev stuff on this server.
Accessed via SSH or an NGINX reverse proxy. I'm using certificates where possible, but a lot of the traffic between VMs is still unencrypted. I'll eventually force everything local to use Traefik, but for now, only a few services are using it.
There are a lot of projects on awesome-selfhosted and selfhosted that I've been meaning to get around to installing. Home Assistant and AdGuard Home are two of them.
OpenStack has a really good Ansible hardening project for securing servers that I try to always use. I also have a Red Hat developer license, so I try to use their OS when possible because of their FIPS and other security profiles. Some services just don't work with any of the newer RHEL versions though, and I usually fall back to CentOS Stream or Ubuntu whenever that happens.