
Ansible weareinteractive.apt role

weareinteractive.apt is an Ansible role which:

  • updates apt
  • cleans up apt
  • configures apt
  • ensures packages
  • add repositories
  • add keys
  • apt pinning
  • manages unattended upgrades
  • optionally alters solution cost
  • optionally allows filesystems to be remounted


Since Ansible Galaxy supports organization now, this role has moved from franklinkim.apt to weareinteractive.apt!


Using ansible-galaxy:

$ ansible-galaxy install weareinteractive.apt

Using requirements.yml:

- src: weareinteractive.apt

Using git:

$ git clone https://github.com/weareinteractive/ansible-apt.git weareinteractive.apt


  • Ansible >= 2.4


Here is a list of all the default variables for this role, which are also available in defaults/main.yml.

# apt_unattended_upgrades_blacklist:
#   - vim
#   - libc6
# apt_mails:
#   - root
#   - [email protected]
# apt_keys:
#   - id: 473041FA
#     file: /tmp/apt.gpg
#     data: "{{ lookup('file', 'apt.asc') }}"
#     keyring: /etc/apt/trusted.gpg.d/debian.gpg
#     keyserver: keyserver.ubuntu.com
#     url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
#     validate_certs: yes
#     state: present
# apt_repositories:
#   - codename: trusty
#     filename: google-chrome
#     mode: 0644
#     repo: 'ppa:nginx/stable'
#     state: present
#     update_cache: yes

# depenencies packages
  - aptitude
  - python3-apt
  - python3-pycurl
# sets the amount of time the cache is valid
apt_cache_valid_time: 3600
# upgrade system: safe | full | dist
apt_upgrade: no
# packages to ensure
apt_packages: []
# purge configuration when removing packages
apt_remove_purge: no
# default package state
apt_package_state: 'present'
# remove packages that are no longer needed for dependencies
apt_autoremove: yes
# remove .deb files for packages no longer on your system
apt_autoclean: yes
# .deb packages to install.
apt_deb_packages: []

# https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
apt_policy: 101
# whether or not suggested packages should be installed.
apt_install_suggests: no
# do not install Recommended packages by default
apt_install_recommends: no
# allow 'apt-get autoremove' to remove suggested packages
apt_remove_suggests: no
# allow 'apt-get autoremove' to remove recommended packages
apt_remove_recommends: no
# Enable the update/upgrade script
apt_periodic: yes
# Do “apt-get update” automatically every n-days (0=disable)
apt_update_package_lists: 1
# Do “apt-get upgrade –download-only” every n-days (0=disable)
apt_download_upgradeable_packages: 0
# Do “apt-get autoclean” every n-days (0=disable)
apt_auto_clean_interval: 0

# enable unattended-upgrades
apt_unattended_upgrades: yes
# list of origins patterns to control which packages are upgraded
# replaces allowed-origins, kept for compatibility
apt_unattended_upgrades_origins: []
# List of allowed-origins, default value kept for compatibility
# set to null to use origins-pattern
- ${distro_id}:${distro_codename}-security
# list of packages to not update (regexp are supported)
apt_unattended_upgrades_blacklist: []
# Split the upgrade into the smallest possible chunks so that
# they can be interrupted with SIGUSR1. This makes the upgrade
# a bit slower but it has the benefit that shutdown while a upgrade
# is running is possible (with a small delay)
apt_unattended_upgrades_minimal_steps: no
# Send email to this address for problems or packages upgrades
# If empty or unset then no email is sent, make sure that you
# have a working mail setup on your system. A package that provides
# 'mailx' must be installed. E.g. "[email protected]"
apt_mails: []
# Set this value to "true" to get emails only on errors. Default
# is to always send a mail if Unattended-Upgrade::Mail is set
apt_unattended_upgrades_notify_error_only: yes
# Do automatic removal of new unused dependencies after the upgrade
# (equivalent to apt-get autoremove)
apt_unattended_upgrades_autoremove: yes
# Automatically reboot *WITHOUT CONFIRMATION*
# if the file /var/run/reboot-required is found after the upgrade
apt_unattended_upgrades_automatic_reboot: no
# Automatically reboot even if there are users currently logged in.
apt_unattended_upgrades_automatic_reboot_with_users: no
# If automatic reboot is enabled and needed, reboot at the specific
# time instead of immediately
# Values: now | 02:00 | ...
apt_unattended_upgrades_automatic_reboot_time: now
# Enable logging to syslog.
apt_unattended_upgrades_syslog_enable: no
# Specify syslog facility.
apt_unattended_upgrades_syslog_facility: daemon

# Override download timer ? Default no
apt_unattended_upgrades_download_timer_override: null
# In case of override :
# apt_unattended_upgrades_download_timer_override:
#   on_calendar_replace: (true|false) If true, delete default system schedule. If not, default and new schedules will be merged
#   on_calendar: new schedule, see man systemd.time.7, example : 'Mon..Fri *-*-* 6:00'
#   randomized_delay_sec: random delay in sec
#   persistent: (true|false)
# See systemd.time.5 for random delay and persistent

# Override upgrade timer the same way
apt_unattended_upgrades_upgrade_timer_override: null
# apt_unattended_upgrades_upgrade_timer_override:
#   on_calendar_replace:
#   on_calendar:
#   randomized_delay_sec:
#   persistent:

# remount file system: currently supported options are rootfs and tmpfs
#   tmpfs:  remount tmp before running if mounted noexec
#   rootfs: remount root filesystem r/w before running if mounted r/o
apt_remount_filesystems: []

# repositories to register
apt_repositories: []
# gpg keys for external repositories
apt_keys: []
# HTTP proxy server (optional)
# apt_http_proxy_address:
# HTTP pipeline depth (optional)
# apt_http_pipeline_depth: 5

# Change Aptitudes solution costs, default is not to change anything
# Mirror https://lists.debian.org/[email protected]
# apt_aptitude_solution_cost:
#   - priority
#   - removals
#   - canceled-actions
apt_aptitude_solution_cost: []

# List of preferences options.
# apt_preferences:
#   - file: perl
#     package: perl
#     pin: "version 5.20*"
#     priority: 1001
apt_preferences: []


These are the handlers that are defined in handlers/main.yml.


- name: reload systemd
    daemon_reload: true


This is an example playbook:


- hosts: all
  become: yes
    - weareinteractive.apt
    apt_cache_valid_time: 7200
      - vim
      - tree
      - name: ca-certificates
        state: latest
        hold: true
      - name: zsh
        state: absent
        purge: true
      - "https://releases.hashicorp.com/vagrant/2.1.5/vagrant_2.1.5_x86_64.deb"
      - root
      - file: perl
        package: perl
        pin: "version 5.20*"
        priority: 1001
    apt_unattended_upgrades_notify_error_only: no
    apt_remove_recommends: yes
    apt_remove_suggests: yes
    apt_remove_purge: yes


$ git clone https://github.com/weareinteractive/ansible-apt.git
$ cd ansible-apt
$ make test


In lieu of a formal style guide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality.

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Note: To update the README.md file please install and run ansible-role:

$ gem install ansible-role
$ ansible-role docgen


Copyright (c) We Are Interactive under the MIT license.


