This Ansible role configures APT on Debian servers, installs a curated base package set, and tunes unattended upgrades plus systemd timers for regular updates—exactly as we use it in production.
The Ansible Role is written and actively maintained by Blunix GmbH. It is used in the Blunix Linux Managed Hosting Stack. Its usage is documented at our Linux Managed Hosting Documentation.
- Installs a configurable base set of useful packages for Debian servers (editors, networking tools, Python tooling, etc.).
- Enables unattended upgrades via `debconf` and splits updates into dedicated systemd timers for security updates (15-minute cadence) and version upgrades (SLA maintenance window).
- Disables the default `apt-daily-upgrade` timer, keeps `apt-daily` hourly for fresh indexes, and ships dedicated services/timers for security upgrades, version upgrades, and kernel reboots.
- Tunes `haveged` when installed via this role.
- Runs `apt-get autoremove` to clean up unused packages.
- Ansible: >= 2.20.0
- Managed operating systems:
- Debian trixie
Production playbooks apply the role without overrides; if you want to customize base packages, use the inventory example below. The full example lives under example/:
- `example/inventory/group_vars/all/apt.yml`: optional `apt_default_packages` override plus SLA-driven timers for security/version updates and kernel reboots.
- `example/play.yml`: minimal play applying the role to all hosts.
The defaults cover the base package set, unattended upgrades via debconf, SLA-aligned timers for security and version updates, and a dedicated kernel reboot timer.
- `/etc/apt/apt.conf.d/50unattended-upgrades`: base config for unattended-upgrades (Automatic-Reboot handled separately); kept because `unattended-upgrade` always reads this file even when invoked via custom timers.
- `/etc/systemd/system/apt-daily.timer.d/override.conf` (runs hourly).
- `/etc/systemd/system/apt-security-upgrade.service` and `.timer` (15-minute cadence, security updates only).
- `/etc/systemd/system/apt-version-upgrade.service` and `.timer` (SLA maintenance window cadence, version updates).
- `/etc/systemd/system/apt-kernel-reboot.service` and `.timer` (reboots when `/var/run/reboot-required` exists, maintenance window).
- `/etc/default/haveged` (only when `haveged` is in `apt_default_packages`).
- Provision: use `dev-tools/main.tf` with the apt role enabled to create a test host.
- Playbook: `example/play.yml` applies the role, seeds the timer overrides, and configures unattended-upgrades.
- Tests in `example/tests/`:
  - `cus-dev-prod-web-1/test_systemd_timers.py`: verifies apt-daily plus the custom security/version/reboot timers are installed and enabled while apt-daily-upgrade is disabled.
  - `cus-dev-prod-web-1/test_timer_overrides.py`: validates timer schedules for the security, version, and reboot timers.
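
The timer state those tests are described as verifying can also be audited ad hoc, which matters because a missing security timer or a still-enabled stock upgrade timer silently changes the patch cadence. The following Python check is an added example, not the role's own test code: the function names and the sample `systemctl` output are constructed here, and treating a `masked` stock timer as switched off is an assumption.

```python
import sys

# Expected unit-file states as described in this README.
EXPECTED = {
    "apt-daily.timer": {"enabled"},
    "apt-security-upgrade.timer": {"enabled"},
    "apt-version-upgrade.timer": {"enabled"},
    "apt-kernel-reboot.timer": {"enabled"},
    # Assumption: a masked stock timer counts as switched off too.
    "apt-daily-upgrade.timer": {"disabled", "masked"},
}

# Constructed sample of `systemctl list-unit-files --type=timer --no-legend`:
# the stock upgrade timer is still on and the security timer is absent.
SAMPLE = """\
apt-daily-upgrade.timer    enabled  enabled
apt-daily.timer            enabled  enabled
apt-kernel-reboot.timer    enabled  enabled
apt-version-upgrade.timer  enabled  enabled
logrotate.timer            enabled  enabled
"""


def parse_unit_files(output):
    """Map timer unit name -> state (second column of list-unit-files)."""
    states = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].endswith(".timer"):
            states[fields[0]] = fields[1]
    return states


def audit(output):
    """Return {unit: actual_state} for every unit that deviates."""
    states = parse_unit_files(output)
    return {
        unit: states.get(unit, "missing")
        for unit, allowed in EXPECTED.items()
        if states.get(unit, "missing") not in allowed
    }


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings = audit(text)
    for unit, state in sorted(findings.items()):
        print(f"DEVIATION {unit}: {state}")
    sys.exit(1 if findings else 0)
```

On a managed host, pipe the output of `systemctl list-unit-files --type=timer --no-legend` into the script; run without input it evaluates the constructed sample and exits non-zero.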
Blunix GmbH Berlin
root@Linux:~# Support | Consulting | Hosting | Training
Blunix GmbH provides 24/7/365 Linux emergency support and consulting, Service Level Agreements for Debian Linux managed hosting using Ansible Configuration Management as well as Linux trainings and workshops.
Learn more at https://www.blunix.com.
For bug reports and feature requests, please open an issue in this repository’s GitHub issue tracker.
Apache-2.0
Please refer to the LICENSE file in the root of this repository.