1 files changed, 49 insertions, 25 deletions

diff --git a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades
index 5a58095..c9adc5f 100644
--- a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades
+++ b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades
@@ -1,33 +1,53 @@
-// Automatically upgrade packages from these origin patterns
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// Lines below have the format format is "keyword=value,...".  A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line.  (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted.  The accepted keywords are:
+//   a,archive,suite (eg, "stable")
+//   c,component     (eg, "main", "crontrib", "non-free")
+//   l,label         (eg, "Debian", "Debian-Security")
+//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
+//   n,codename      (eg, "jessie", "jessie-updates")
+//     site          (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+//   ${distro_id}            Installed origin.
+//   ${distro_codename}      Installed codename (eg, "jessie")
 Unattended-Upgrade::Origins-Pattern {
+        // Codename based matching:
+        // This will follow the migration of a release through different
+        // archives (e.g. from testing to stable and later oldstable).
+//      "o=Debian,n=jessie";
+//      "o=Debian,n=jessie-updates";
+//      "o=Debian,n=jessie-proposed-updates";
+//      "o=Debian,n=jessie,l=Debian-Security";
+
         // Archive or Suite based matching:
         // Note that this will silently match a different release after
         // migration to the specified archive (e.g. testing becomes the
         // new stable).
-        // XXX: Sadly as of Wheezy, unattended-upgrades doesn't match
-        // $distro_codename against (old)stable.  Hence since packages
-        // that are candidates for upgrade show up with a=(old)stable,
-        // it is not enough to specifiy a=$distro_codename here.
-        // Instead, we list both oldstable and stable; the useless one
-        // is harmless and is being ignored anyway, as it is not in a
-        // proper sources.list.
-        "o=${distro_id},a=oldstable";
-        "o=${distro_id},a=stable";
-//      "o=${distro_id},a=stable-updates";
-//      "o=${distro_id},a=proposed-updates";
-        "o=${distro_id},a=oldstable,l=Debian-Security";
-        "o=${distro_id},a=stable,l=Debian-Security";
+//      "o=Debian,a=stable";
+//      "o=Debian,a=stable-updates";
+//      "o=Debian,a=proposed-updates";
+        "origin=Debian,codename=${distro_codename}";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
 };
 
-// List of packages to not update
+// List of packages to not update (regexp are supported)
 Unattended-Upgrade::Package-Blacklist {
-//      "vim";
-//      "libc6";
-//      "libc6-dev";
-//      "libc6-i686";
+//	"vim";
+//	"libc6";
+//	"libc6-dev";
+//	"libc6-i686";
 };
 
-
 // This option allows you to control if on a unclean dpkg exit
 // unattended-upgrades will automatically run 
 //   dpkg --force-confold --configure -a
@@ -59,11 +79,15 @@ Unattended-Upgrade::Mail "admin@fripost.org";
 // (equivalent to apt-get autoremove)
 //Unattended-Upgrade::Remove-Unused-Dependencies "false";
 
-// Automatically reboot *WITHOUT CONFIRMATION* if a 
-// the file /var/run/reboot-required is found after the upgrade 
-Unattended-Upgrade::Automatic-Reboot "false";
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade 
+//Unattended-Upgrade::Automatic-Reboot "false";
 
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
 
 // Use apt bandwidth limit feature, this example limits the download
-// speed to 128kb/sec
-Acquire::http::Dl-Limit "128";
+// speed to 256kb/sec
+Acquire::http::Dl-Limit "256";