Add support for custom apt-daily and apt-daily-upgrade timers

* add-possibility-to-custom-timers--85

* Edit-README--85

* Set default debian value

* ensure direcotry exist

* ensure direcotry exist

* lint & quoted values

* Update README.md

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* Update README.md

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* Update tasks/systemd_timers.yml

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* Update tasks/systemd_timers.yml

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* Update README.md

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* Update README.md

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* Update tasks/systemd_timers.yml

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* Update tasks/systemd_timers.yml

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* Update tasks/systemd_timers.yml

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* Update tasks/systemd_timers.yml

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>

* optional override, improvements, docs

based on feedback on !86

* fix systemd unit, style and whitespace cleanup

* update README timer explanation and example

* Update README.md

* Update .github/workflows/ci.yml

* Specify file owner and group

---------

Co-authored-by: Mathieu BEDOS <mathieu.bedos@smile.fr>
Co-authored-by: Mathieu BEDOS <mathieu.bedos@bedos.me>
Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>
Co-authored-by: Norman Ziegner <normo157@gmail.com>

.gitignore

@@ -3,3 +3,4 @@
 *.log
 .idea/
 .pipenv/
+.vscode/

README.md

@@ -12,7 +12,7 @@ Install and setup [unattended-upgrades](https://launchpad.net/unattended-upgrade
 
 1. If you have used version `0.0.1` of the role, you can delete the file `/etc/apt/apt.conf.d/10periodic` as it is not needed anymore. You can use the following one-shot command:
     * `ansible -m file -a "state=absent path=/etc/apt/apt.conf.d/10periodic" <host-pattern>`
-1. If you have used this role before version `2.0.0`, the files `20auto-upgrades` and `50unattended-upgrades` will differ from the system defaults (instead of configuration being placed in a separate file, as we do now).  These can be left as-is as they will be overridden.  During OS upgrades, when asked if these files should be overwritten by the maintainer's package, say yes.  They will then be reset to their default states, and you won't be asked these questions again.
+2. If you have used this role before version `2.0.0`, the files `20auto-upgrades` and `50unattended-upgrades` will differ from the system defaults (instead of configuration being placed in a separate file, as we do now). These can be left as-is as they will be overridden. During OS upgrades, when asked if these files should be overwritten by the maintainer's package, say yes. They will then be reset to their default states, and you won't be asked these questions again.
 
 ## Requirements
 
@@ -125,6 +125,21 @@ On some hosts you may find that the unattended-upgrade's cron file `/etc/cron.da
 * `unattended_only_on_ac_power`:
   * Default: `false`
   * Description: Download and install upgrades only on AC power. It will also install the debian package `powermgmt-base`.
+* `unattended_systemd_timer_override`
+  * Default: `false`
+  * Description: Deploy/Remove timer overrides.
+* `unattended_apt_daily_oncalendar`
+  * Default: `"*-*-* 6,18:00"`
+  * Description: Apt daily schedule (download updates).
+* `unattended_apt_daily_randomizeddelaysec`
+  * Default: `"12h"`
+  * Description: Apt daily randomized delay.
+* `unattended_apt_daily_upgrade_oncalendar`
+  * Default: `"*-*-* 6:00"`
+  * Description: Apt daily upgrade schedule (install updates).
+* `unattended_apt_daily_upgrade_randomizeddelaysec`
+  * Default: `"60m"`
+  * Description: Apt daily upgrade randomized delay.
 
 ## Origins Patterns
 
@@ -148,6 +163,41 @@ Additionally, unattended-upgrades support two macros (variables), derived from `
 
 Using `${distro_codename}` should be preferred over using `stable` or `oldstable` as a selected, as once `stable` moves to `oldstable`, no security updates will be installed at all, or worse, package from a newer distro release will be installed by accident. The same goes for upgrading your installation from `oldstable` to `stable`, if you forget to change this in your origin patterns, you may not receive the security updates for your newer distro release. With `${distro_codename}`, both cases can never happen.
 
+## Systemd timers
+
+Documentation for systemd/Timers: <https://wiki.archlinux.org/title/systemd/Timers>
+
+### Debian Default Configuration
+
+* Download daily at random times during the entire day.
+* Install daily between 6am - 7am
+
+```yaml
+unattended_systemd_timer_override: false # (default)
+# apt-daily timer
+unattended_apt_daily_oncalendar: "*-*-* 6,18:00" # (default)
+unattended_apt_daily_randomizeddelaysec: "12h" # (default)
+# apt-daily-upgrade timer
+unattended_apt_daily_upgrade_oncalendar: "*-*-* 6:00" # (default)
+unattended_apt_daily_upgrade_randomizeddelaysec: "60m" # (default)
+```
+
+### Customized download and update timers
+
+* Download starts between 00:30am - 01:30am
+* Installation starts between 04:00am - 05:30am
+
+```yaml
+unattended_systemd_timer_override: true
+# apt-daily timer
+unattended_apt_daily_oncalendar: "*-*-* 00:30"
+unattended_apt_daily_randomizeddelaysec: "60m"
+
+# apt-daily-upgrade timer
+unattended_apt_daily_upgrade_oncalendar: "*-*-* 4:00"
+unattended_apt_daily_upgrade_randomizeddelaysec: "90m"
+```
+
 ## Role Usage Examples
 
 Example for Ubuntu, with custom [origins patterns](#patterns-examples), blacklisted packages and e-mail notification:
@@ -215,7 +265,8 @@ unattended_origins_patterns:
 ```
 
 To not install any updates on a raspbian host, just set `unattended_origins_patterns` to an empty list:
-```
+
+```yaml
 unattended_origins_patterns: []
 ```
 
@@ -239,3 +290,5 @@ project:
 * [lukashass](https://github.com/lukashass)
 * [nono-lqdn](https://github.com/nono-lqdn)
 * [turikhay](https://github.com/turikhay)
+* [mabed](https://github.com/mabed-fr)
+* [pgassmann](https://github.com/pgassmann)

defaults/main.yml

@@ -119,10 +119,10 @@ unattended_autoclean_interval: 7
 
 #APT::Periodic::Verbose "0";
 # - Send report mail to root
-#     0:  no report             (or null string)
-#     1:  progress report       (actually any string)
-#     2:  + command outputs     (remove -qq, remove 2>/dev/null, add -d)
-#     3:  + trace on
+#     0: no report             (or null string)
+#     1: progress report       (actually any string)
+#     2: + command outputs     (remove -qq, remove 2>/dev/null, add -d)
+#     3: + trace on
 #unattended_verbose: 0
 
 ## Cron systems only
@@ -156,3 +156,16 @@ unattended_dpkg_options: []
 # Download and install upgrades only on AC power
 # (i.e. skip or gracefully stop updates on battery)
 unattended_only_on_ac_power: false
+
+# Customize systemd timers for apt-daily and apt-daily-upgrade
+unattended_systemd_timer_override: false
+
+# apt-daily timer
+# Documentation at https://wiki.archlinux.org/title/systemd/Timers
+unattended_apt_daily_oncalendar: "*-*-* 6,18:00"
+unattended_apt_daily_randomizeddelaysec: "12h"
+
+# apt-daily-upgrade timer
+# Documentation at https://wiki.archlinux.org/title/systemd/Timers
+unattended_apt_daily_upgrade_oncalendar: "*-*-* 6:00"
+unattended_apt_daily_upgrade_randomizeddelaysec: "60m"

handlers/main.yml

@@ -1,2 +1,17 @@
 ---
 # handlers file for unattended-upgrades
+
+- name: 'Restart apt-daily timer'
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: 'apt-daily.timer'
+    state: 'restarted'
+    enabled: yes
+
+- name: 'Restart apt-daily-upgrade timer'
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: 'apt-daily-upgrade.timer'
+    state: 'restarted'
+    enabled: yes
+...

tasks/main.yml

@@ -2,3 +2,13 @@
 - name: "Import tasks from the unattended-upgrades playbook"
   ansible.builtin.import_tasks: "unattended-upgrades.yml"
   tags: "unattended"
+
+- name: "Import tasks to install systemd timer schedule overrides"
+  ansible.builtin.import_tasks: "systemd_timers.yml"
+  tags: "unattended_systemd_timers"
+  when: 'unattended_systemd_timer_override'
+
+- name: "Import tasks to remove systemd timer schedule overrides"
+  ansible.builtin.import_tasks: "systemd_timers_remove.yml"
+  tags: "unattended_systemd_timers"
+  when: 'not unattended_systemd_timer_override'

tasks/systemd_timers.yml

@@ -0,0 +1,60 @@
+---
+
+- name: 'Test apt-daily timer expression'
+  ansible.builtin.command:
+    cmd: 'systemd-analyze calendar "{{ unattended_apt_daily_oncalendar }}"'
+  register: '_apt_daily'
+  changed_when: '_apt_daily.rc != 0'
+  check_mode: false
+
+- name: 'Test apt-daily-upgrade timer expression'
+  ansible.builtin.command:
+    cmd: 'systemd-analyze calendar "{{ unattended_apt_daily_upgrade_oncalendar }}"'
+  register: '_apt_daily_upgrade'
+  changed_when: '_apt_daily_upgrade.rc != 0'
+  check_mode: false
+
+- name: 'Ensure directory apt-daily.timer.d exists'
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily.timer.d'
+    mode: '0755'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+  register: '_apt_daily_timer_d'
+
+- name: 'Ensure directory apt-daily-upgrade.timer.d exists'
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily-upgrade.timer.d'
+    mode: '0755'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+  register: '_apt_daily_upgrade_timer_d'
+
+- name: 'Deploy apt-daily timer'
+  ansible.builtin.template:
+    src: 'apt_daily_override.conf.j2'
+    dest: '/etc/systemd/system/apt-daily.timer.d/schedule_override.conf'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  when:
+    - '_apt_daily.rc == 0'
+    - '_apt_daily_timer_d' # skip if run for the first time in check mode
+  notify:
+    - 'Restart apt-daily timer'
+
+- name: 'Deploy apt-daily-upgrade timer'
+  ansible.builtin.template:
+    src: 'apt_daily_upgrade_override.conf.j2'
+    dest: '/etc/systemd/system/apt-daily-upgrade.timer.d/schedule_override.conf'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  when:
+    - '_apt_daily_upgrade.rc == 0'
+    - '_apt_daily_upgrade_timer_d' # skip if run for the first time in check mode
+  notify:
+    - 'Restart apt-daily-upgrade timer'
+...

tasks/systemd_timers_remove.yml

@@ -0,0 +1,16 @@
+---
+
+- name: 'Remove apt-daily timer override'
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily.timer.d/schedule_override.conf'
+    state: 'absent'
+  notify:
+    - 'Restart apt-daily timer'
+
+- name: 'Remove apt-daily-upgrade timer override'
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily-upgrade.timer.d/schedule_override.conf'
+    state: 'absent'
+  notify:
+    - 'Restart apt-daily-upgrade timer'
+...

templates/apt_daily_override.conf.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Daily apt download activities
+
+[Timer]
+OnCalendar=
+OnCalendar={{ unattended_apt_daily_oncalendar }}
+RandomizedDelaySec={{ unattended_apt_daily_randomizeddelaysec }}
+Persistent=true
+
+[Install]
+WantedBy=timers.target

templates/apt_daily_upgrade_override.conf.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=Daily apt upgrade and clean activities
+After=apt-daily.timer
+
+[Timer]
+OnCalendar=
+OnCalendar={{ unattended_apt_daily_upgrade_oncalendar }}
+RandomizedDelaySec={{ unattended_apt_daily_upgrade_randomizeddelaysec }}
+Persistent=true
+
+[Install]
+WantedBy=timers.target