Add configuration options to unattended_upgrades

system/base/unattended_upgrades/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+system_base_unattended_upgrades_n_days: 1
+system_base_unattended_upgrades_blacklist: []

system/base/unattended_upgrades/files/20auto-upgrades

@@ -1,2 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Unattended-Upgrade "1";

system/base/unattended_upgrades/meta/argument_specs.yml

@@ -0,0 +1,11 @@
+---
+argument_specs:
+  main:
+    options:
+      system_base_unattended_upgrades_n_days:
+        type: "int"
+        required: true
+      system_base_unattended_upgrades_blacklist:
+        type: "list"
+        elements: "str"
+        required: true

system/base/unattended_upgrades/tasks/main.yml

@@ -4,13 +4,13 @@
     name: "unattended-upgrades"
 
 - name: "configure unattended-upgrades"
-  ansible.builtin.copy:
+  ansible.builtin.template:
-    src: "./50unattended-upgrades"
+    src: "./50unattended-upgrades.j2"
     dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
     mode: 0644
 
 - name: "enable unattended-upgrades"
-  ansible.builtin.copy:
+  ansible.builtin.template:
-    src: "./20auto-upgrades"
+    src: "./20auto-upgrades.j2"
     dest: "/etc/apt/apt.conf.d/20auto-upgrades"
     mode: 0644

system/base/unattended_upgrades/templates/20auto-upgrades.j2

@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "{{ system_base_unattended_upgrades_n_days }}";
+APT::Periodic::Unattended-Upgrade "{{ system_base_unattended_upgrades_n_days }}";

system/base/unattended_upgrades/templates/50unattended-upgrades.j2

@@ -44,6 +44,9 @@ Unattended-Upgrade::Origins-Pattern {
 
 // Python regular expressions, matching packages to exclude from upgrading
 Unattended-Upgrade::Package-Blacklist {
+{% for package_regex in system_base_unattended_upgrades_blacklist %}
+    "{{ package_regex }}";
+{% endfor %}
     // The following matches all packages starting with linux-
 //  "linux-";