auto-updates: Install and configure dnf-automatic

*dnf-automatic* is an add-on for `dnf` that performs scheduled,
automatic updates.  It works pretty much how I would want it to:
triggered by a systemd timer, sends email reports upon completion, and
only reboots for kernel et al. updates.

In its default configuration, `dnf-automatic.timer` fires every day.  I
want machines to update weekly, but I want them to update on different
days (so as to avoid issues if all the machines reboot at once).  Thus,
the _dnf-automatic_ role uses a systemd unit extension to change the
schedule.  The day-of-the-week is chosen pseudo-randomly based on the
host name of the managed system.

auto-updates.yml

@@ -0,0 +1,7 @@
+- import_playbook: dyngroups.yml
+- hosts: Fedora
+  roles:
+  - role: dnf-automatic
+    tags:
+    - auto-update
+    - dnf-automatic

group_vars/all.yml

@@ -100,3 +100,13 @@ promtail_ca: |
   0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
   DaY+6wQ=
   -----END CERTIFICATE-----
+
+dnf_automatic_email_from: dnf@pyrocufflink.net
+dnf_automatic_email_to: gyrfalcon@ebonfire.com
+dnf_automatic_email_host: mail.pyrocufflink.blue
+
+dnf_automatic_schedule: >-
+  {{ ['Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun']
+     | random(seed=inventory_hostname)
+     | string
+  }} *-*-* 04:00:00 America/Chicago

host_vars/git0.pyrocufflink.blue.yml

@@ -1,2 +1,3 @@
 gitea_ssh_domain: git.pyrocufflink.blue
 gitea_root_url: 'https://{{ gitea_ssh_domain }}/'
+dnf_automatic_reboot: never

roles/dnf-automatic/defaults/main.yml

@@ -0,0 +1,4 @@
+dnf_automatic_reboot: when-needed
+dnf_automatic_email_from: root@example.com
+dnf_automatic_email_to: root
+dnf_automatic_email_host: localhost

roles/dnf-automatic/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+- name: restart dnf-automatic.timer
+  systemd:
+    name: dnf-automatic.timer
+    state: restarted

roles/dnf-automatic/tasks/main.yml

@@ -0,0 +1,54 @@
+- name: ensure dnf-automatic is installed
+  dnf:
+    name: dnf-automatic
+    state: present
+  tags:
+  - install
+
+- name: ensure dnf-automatic is configured
+  template:
+    src: dnf-automatic.conf.j2
+    dest: /etc/dnf/automatic.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - config
+
+- name: ensure dnf-automatic.timer systemd drop-in directory exists
+  file:
+    path: /etc/systemd/system/dnf-automatic.timer.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - config
+- name: ensure dnf-automatic.timer schedule is set
+  template:
+    src: dnf-automatic.schedule.conf.j2
+    dest: /etc/systemd/system/dnf-automatic.timer.d/schedule.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart dnf-automatic.timer
+  tags:
+  - config
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure dnf-automatic.timer unit is enabled
+  systemd:
+    name: dnf-automatic.timer
+    enabled: true
+  tags:
+  - service
+- name: ensure dnf-automatic.timer unit is started
+  systemd:
+    name: dnf-automatic.timer
+    state: started
+  tags:
+  - service

roles/dnf-automatic/templates/dnf-automatic.conf.j2

@@ -0,0 +1,101 @@
+[commands]
+#  What kind of upgrade to perform:
+# default                            = all available upgrades
+# security                           = only the security upgrades
+upgrade_type = default
+random_sleep = 0
+
+# Maximum time in seconds to wait until the system is on-line and able to
+# connect to remote repositories.
+network_online_timeout = 60
+
+# To just receive updates use dnf-automatic-notifyonly.timer
+
+# Whether updates should be downloaded when they are available, by
+# dnf-automatic.timer. notifyonly.timer, download.timer and
+# install.timer override this setting.
+download_updates = yes
+
+# Whether updates should be applied when they are available, by
+# dnf-automatic.timer. notifyonly.timer, download.timer and
+# install.timer override this setting.
+apply_updates = yes
+
+# When the system should reboot following upgrades:
+# never                              = don't reboot after upgrades
+# when-changed                       = reboot after any changes
+# when-needed                        = reboot when necessary to apply changes
+reboot = {{ dnf_automatic_reboot }}
+
+# The command that is run to trigger a system reboot.
+reboot_command = "shutdown -r +5 'Rebooting after applying package updates'"
+
+
+[emitters]
+# Name to use for this system in messages that are emitted.  Default is the
+# hostname.
+# system_name = my-host
+
+# How to send messages.  Valid options are stdio, email and motd.  If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages.  If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via includes motd, /etc/motd file will have the messages. if
+# emit_via includes command_email, then messages will be send via a shell
+# command compatible with sendmail.
+# Default is email,stdio.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = stdio email
+
+
+[email]
+# The address to send email messages from.
+email_from = {{ dnf_automatic_email_from }}
+
+# List of addresses to send messages to.
+email_to = {{ dnf_automatic_email_to }}
+
+# Name of the host to connect to to send email messages.
+email_host = {{ dnf_automatic_email_host }}
+
+# Port number to connect to at the email host.
+email_port = 25
+
+# Use TLS or STARTTLS to connect to the email host.
+email_tls = no
+
+
+[command]
+# The shell command to execute. This is a Python format string, as used in
+# str.format(). The format function will pass a shell-quoted argument called
+# `body`.
+# command_format = "cat"
+
+# The contents of stdin to pass to the command. It is a format string with the
+# same arguments as `command_format`.
+# stdin_format = "{body}"
+
+
+[command_email]
+# The shell command to use to send email. This is a Python format string,
+# as used in str.format(). The format function will pass shell-quoted arguments
+# called body, subject, email_from, email_to.
+# command_format = "mail -Ssendwait -s {subject} -r {email_from} {email_to}"
+
+# The contents of stdin to pass to the command. It is a format string with the
+# same arguments as `command_format`.
+# stdin_format = "{body}"
+
+# The address to send email messages from.
+email_from = root@example.com
+
+# List of addresses to send messages to.
+email_to = root
+
+
+[base]
+# This section overrides dnf.conf
+
+# Use this to filter DNF core messages
+debuglevel = 1
+installonly_limit = 2

roles/dnf-automatic/templates/dnf-automatic.schedule.conf.j2

@@ -0,0 +1,3 @@
+[Timer]
+OnCalendar=
+OnCalendar={{ dnf_automatic_schedule }}