20
unattended upgrades with caddy (bookwormstory.social)
submitted 4 months ago* (last edited 4 months ago) by Deemo@bookwormstory.social to c/selfhosted@lemmy.world

Edit: credit to exu@feditown.com

Assuming you installed caddy via Debian, Ubuntu, Raspbian method

https://caddyserver.com/docs/install#debian-ubuntu-raspbian

add "cloudsmith/caddy/stable:any-version"; to /etc/apt/apt.conf.d/50unattended-upgrades

Example:

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
        "cloudsmith/caddy/stable:any-version";
};

Link to comment chain (not sure how to add links in a federated way)

https://feditown.com/comment/1221458

https://bookwormstory.social/post/2100056/4136035

Origional post:

Hi guys anyone know how to use un attended upgrades with caddy.

I have ubuntu server 22.0.4.

The part that stumps me is caddy uses a external repository cloud Smith making ot difficult to setup.

I installed caddy via Debian, Ubuntu, Raspbian

https://caddyserver.com/docs/install#debian-ubuntu-raspbian

The closest example I could find to unattended upgrades with a external repo was this example using docker.

/etc/apt/apt.conf.d/50unattended-upgrades

"Docker:${distro_codename}";

https://blog.coffeebeans.at/archives/1299

I'm not sure if it's as simple as

/etc/apt/apt.conf.d/50unattended-upgrades

"Caddy:${distro_codename}";

Edit:

One more question affect would adding

APT::Unattended-Upgrade::Package-Blacklist "";

/etc/apt/apt.conf.d/20auto-upgrades

have?

Edit2:

I just removed this I only found this from google gemini (which probably isn't the best source of info)

APT::Unattended-Upgrade::Package-Blacklist "";
top 8 comments
sorted by: hot top controversial new old
[-] exu@feditown.com 2 points 4 months ago* (last edited 4 months ago)

Unattended Upgrades only checks and updates programs in repos it knows about. As you found out, you'll need to add the custom repository to the Origins pattern in 50unattended-upgrades.

You can find a list of all repositories and their data using apt policy

Here are the custom repositories I have on one of my servers:

 500 https://repo.zabbix.com/zabbix/7.0/debian bookworm/main all Packages
     release v=12,o=Zabbix,a=zabbix,n=bookworm,l=zabbix,c=main,b=all
     origin repo.zabbix.com
 500 https://repo.zabbix.com/zabbix/7.0/debian bookworm/main amd64 Packages
     release v=12,o=Zabbix,a=zabbix,n=bookworm,l=zabbix,c=main,b=amd64
     origin repo.zabbix.com
 500 https://pkgs.tailscale.com/stable/debian bookworm/main all Packages
     release o=Tailscale,n=bookworm,l=Tailscale,c=main,b=all
     origin pkgs.tailscale.com
 500 https://pkgs.tailscale.com/stable/debian bookworm/main amd64 Packages
     release o=Tailscale,n=bookworm,l=Tailscale,c=main,b=amd64
     origin pkgs.tailscale.com
 500 https://deb.nodesource.com/node_20.x nodistro/main amd64 Packages
     release o=. nodistro,a=nodistro,n=nodistro,l=. nodistro,c=main,b=amd64
     origin deb.nodesource.com

Look at the line starting with release and search for a combination that uniquely identifies the Caddy repository.
The output above is using the short form keywords, while the examples in 50unattended-upgrades use the long form. It's fine to use either.
One special case is the site keyword. This is the URL coming after origin in the output above and might be confusing.

Keywords

//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "contrib", "non-free")
//   l,label         (eg, "Debian", "Debian-Security")
//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")

Based on the apt policy output above, here's what I use to enable automatic updates for these repositories.
Using origin and codename follows the standard Debian repos and I'd recommend using that if possible.
Node doesn't provide a reasonable repo file, so I had to set site based on the URL behind origin in apt policy

"site=deb.nodesource.com"; //Nodesource repository
"origin=Zabbix,codename=${distro_codename}"; //Zabbix Agent repository
"origin=Tailscale,codename=${distro_codename}"; //Tailscale repository
[-] Deemo@bookwormstory.social 1 points 4 months ago

Firstly thank you so much for explaing this for me.

"origin=Zabbix,codename=${distro_codename}"; //Zabbix Agent repository

I tried using this as a template for caddy

 500 https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version/main arm64 Packages
     release o=cloudsmith/caddy/stable,a=any-version,n=any-version,l=source=none,c=main,b=arm64
     origin dl.cloudsmith.io

I assume origin is:

o=cloudsmith/caddy/stable

When adding this rule

"origin=cloudsmith/caddy/stable,codename=${distro_codename}"; //Caddy repository

I get this error

Unable to parse Unattended-Upgrade::Allowed-Origins.
An error occurred: not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):

https://pastebin.com/raw/7gtkRw7c

When changing the syntax to:

"cloudsmith/caddy/stable:${distro_codename}"; // Caddy

The error goes away.

Any ideas?

[-] exu@feditown.com 1 points 4 months ago

You're right with the origin. codename or n in short form is any-version. ${distro_codename} won't match that, as it contains the codename for your distro release, like bookworm for Debian 12.
With any-version the repo owner's basically saying you can install this regardless of your distro version or they handle it on their end somehow.

Try just using the origin instead, like this.

"origin=cloudsmith/caddy/stable";
[-] Deemo@bookwormstory.social 1 points 4 months ago* (last edited 4 months ago)

"origin=cloudsmith/caddy/stable";

Unable to parse Unattended-Upgrade::Allowed-Origins. An error occurred: not enough values to unpack (expected 2, got 1)


// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
        "origin=cloudsmith/caddy/stable";
};
[-] exu@feditown.com 1 points 4 months ago

Huh, I guess Ubuntu patched Unattended Upgrades to change the config format.
Try "cloudsmith/caddy/stable:any-version";

[-] Deemo@bookwormstory.social 1 points 4 months ago

Again thanks for taking the time to help and explain this to me

[-] Deemo@bookwormstory.social 1 points 4 months ago

Yep this works

[-] avidamoeba@lemmy.ca 0 points 4 months ago

Not exactly what you're asking for, but I'll share what I do. I'm using SaltStack to do config management and one of my salt states brings all packages up to date. This is done every 24 hours. I'm not suggesting you install SaltStack just for that but rather pointing out for people who use config management tools that those might be able to handle unattended upgrades.

this post was submitted on 05 Jul 2024
20 points (91.7% liked)

Selfhosted

39905 readers
319 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS