From dffc7745fd23b5aa0cd3ee0a28d6ba7a9f41539c Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Fri, 14 Jan 2022 21:34:48 +0100
Subject: [PATCH] Upgrade to debian 11 bullseye
---
 .../apt/apt.conf.d/50unattended-upgrades.j2 | 26 ++++++++++++++++---
 ansible/etc/ssh/sshd_config.j2 | 6 ++---
 ansible/loki.yml | 2 +-
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/ansible/etc/apt/apt.conf.d/50unattended-upgrades.j2 b/ansible/etc/apt/apt.conf.d/50unattended-upgrades.j2
index 6b527be..69ad7b6 100644
--- a/ansible/etc/apt/apt.conf.d/50unattended-upgrades.j2
+++ b/ansible/etc/apt/apt.conf.d/50unattended-upgrades.j2
@@ -1,7 +1,7 @@
 // Unattended-Upgrade::Origins-Pattern controls which packages are
 // upgraded.
 //
-// Lines below have the format format is "keyword=value,...". A
+// Lines below have the format "keyword=value,...". A
 // package will be upgraded only if the values in its metadata match
 // all the supplied keywords in a line. (In other words, omitted
 // keywords are wild cards.) The keywords originate from the Release
@@ -30,6 +30,7 @@ Unattended-Upgrade::Origins-Pattern {
 // "origin=Debian,codename=${distro_codename}-proposed-updates";
 "origin=Debian,codename=${distro_codename},label=Debian";
 "origin=Debian,codename=${distro_codename},label=Debian-Security";
+ "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
 // Archive or Suite based matching:
 // Note that this will silently match a different release after
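Review bot: In the `@@ -30,6 +30,7 @@` hunk of 50unattended-upgrades.j2, the added `codename=${distro_codename}-security,label=Debian-Security` pattern is, of the patterns visible here, the one that matches the security archive once the codename is bullseye, but nothing in the file says so and the older `codename=${distro_codename},label=Debian-Security` line is kept without explanation. I would add a comment above the new line, for example `// bullseye and later publish security updates under the "<codename>-security" suite; the line above covers older releases`. An Origins-Pattern entry that matches nothing fails silently and leaves hosts without automatic security updates, so it is worth confirming after the rollout that `unattended-upgrade --dry-run --debug` reports the security origin among the allowed origins. The Origins-Pattern block starts and ends outside the hunk.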
@@ -92,9 +93,11 @@ Unattended-Upgrade::Package-Blacklist {
 // 'mailx' must be installed. E.g. "user@example.com"
 Unattended-Upgrade::Mail "root";
-// Set this value to "true" to get emails only on errors. Default
-// is to always send a mail if Unattended-Upgrade::Mail is set
-//Unattended-Upgrade::MailOnlyOnError "false";
+// Set this value to one of:
+// "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+//Unattended-Upgrade::MailReport "on-change";
 // Remove unused automatically installed kernel-related packages
 // (kernel images, kernel headers and kernel version locked tools).
@@ -144,3 +147,18 @@ Unattended-Upgrade::Mail "root";
 // Print debugging information both in unattended-upgrades and
 // in unattended-upgrade-shutdown
 // Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
diff --git a/ansible/etc/ssh/sshd_config.j2 b/ansible/etc/ssh/sshd_config.j2
index 872061b..ca1c1f2 100644
--- a/ansible/etc/ssh/sshd_config.j2
+++ b/ansible/etc/ssh/sshd_config.j2
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -10,6 +10,8 @@
 # possible, but leave them commented. Uncommented options override the
 # default value.
+Include /etc/ssh/sshd_config.d/*.conf
+
 Port {{ ssh_port }}
 Protocol 2
 #AddressFamily any
@@ -95,8 +97,6 @@ X11Forwarding no
 PrintMotd no
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
diff --git a/ansible/loki.yml b/ansible/loki.yml
index 68f3df4..77f70eb 100644
--- a/ansible/loki.yml
+++ b/ansible/loki.yml
@@ -5,7 +5,7 @@
 - secrets.yml
 vars:
- - debian_release: buster
+ - debian_release: bullseye
 tasks:
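Review bot: In the `@@ -10,6 +10,8 @@` hunk of sshd_config.j2, the new `Include /etc/ssh/sshd_config.d/*.conf` sits above `Port {{ ssh_port }}` and every other directive in the template, and sshd keeps the first value it obtains for each keyword, so any file that lands in that directory overrides the settings this template is meant to enforce. If drop-ins are not supposed to relax the managed configuration, either move the Include below the directives the template sets or have the play own the directory's contents; if the override is intended, say so with a comment such as `# Drop-ins in sshd_config.d are read first and take precedence over the settings below`. Checking the effective values with `sshd -T` after deployment would show whether a packaged or provisioning-time drop-in has changed anything. The rest of the file lies outside the hunk.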