unattended upgrades with caddy
unattended upgrades with caddy
Edit: credit to exu@feditown.com
Assuming you installed caddy via Debian, Ubuntu, Raspbian method
https://caddyserver.com/docs/install#debian-ubuntu-raspbian
add "cloudsmith/caddy/stable:any-version"; to /etc/apt/apt.conf.d/50unattended-upgrades
Example:
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
"${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
"cloudsmith/caddy/stable:any-version";
};
Link to comment chain (not sure how to add links in a federated way)
https://feditown.com/comment/1221458
https://bookwormstory.social/post/2100056/4136035
Origional post:
Hi guys anyone know how to use un attended upgrades with caddy.
I have ubuntu server 22.0.4.
The part that stumps me is caddy uses a external repository cloud Smith making ot difficult to setup.
I installed caddy via Debian, Ubuntu, Raspbian
https://caddyserver.com/docs/install#debian-ubuntu-raspbian
The closest example I could find to unattended upgrades with a external repo was this example using docker.
/etc/apt/apt.conf.d/50unattended-upgrades
"Docker:${distro_codename}";
https://blog.coffeebeans.at/archives/1299
I'm not sure if it's as simple as
/etc/apt/apt.conf.d/50unattended-upgrades
"Caddy:${distro_codename}";
Edit:
One more question affect would adding
APT::Unattended-Upgrade::Package-Blacklist "";
/etc/apt/apt.conf.d/20auto-upgrades
have?
Edit2:
I just removed this I only found this from google gemini (which probably isn't the best source of info)
APT::Unattended-Upgrade::Package-Blacklist "";
Unattended Upgrades only checks and updates programs in repos it knows about. As you found out, you'll need to add the custom repository to the Origins pattern in 50unattended-upgrades.
You can find a list of all repositories and their data using
apt policyHere are the custom repositories I have on one of my servers:
500 https://repo.zabbix.com/zabbix/7.0/debian bookworm/main all Packages release v=12,o=Zabbix,a=zabbix,n=bookworm,l=zabbix,c=main,b=all origin repo.zabbix.com 500 https://repo.zabbix.com/zabbix/7.0/debian bookworm/main amd64 Packages release v=12,o=Zabbix,a=zabbix,n=bookworm,l=zabbix,c=main,b=amd64 origin repo.zabbix.com 500 https://pkgs.tailscale.com/stable/debian bookworm/main all Packages release o=Tailscale,n=bookworm,l=Tailscale,c=main,b=all origin pkgs.tailscale.com 500 https://pkgs.tailscale.com/stable/debian bookworm/main amd64 Packages release o=Tailscale,n=bookworm,l=Tailscale,c=main,b=amd64 origin pkgs.tailscale.com 500 https://deb.nodesource.com/node_20.x nodistro/main amd64 Packages release o=. nodistro,a=nodistro,n=nodistro,l=. nodistro,c=main,b=amd64 origin deb.nodesource.comLook at the line starting with
releaseand search for a combination that uniquely identifies the Caddy repository.
The output above is using the short form keywords, while the examples in 50unattended-upgrades use the long form. It's fine to use either.
One special case is thesitekeyword. This is the URL coming afteroriginin the output above and might be confusing.Keywords
// a,archive,suite (eg, "stable") // c,component (eg, "main", "contrib", "non-free") // l,label (eg, "Debian", "Debian-Security") // o,origin (eg, "Debian", "Unofficial Multimedia Packages") // n,codename (eg, "jessie", "jessie-updates") // site (eg, "http.debian.net")Based on the
apt policyoutput above, here's what I use to enable automatic updates for these repositories.
Usingoriginandcodenamefollows the standard Debian repos and I'd recommend using that if possible.
Node doesn't provide a reasonable repo file, so I had to setsitebased on the URL behindorigininapt policy"site=deb.nodesource.com"; //Nodesource repository "origin=Zabbix,codename=${distro_codename}"; //Zabbix Agent repository "origin=Tailscale,codename=${distro_codename}"; //Tailscale repositoryFirstly thank you so much for explaing this for me.
"origin=Zabbix,codename=${distro_codename}"; //Zabbix Agent repository
I tried using this as a template for caddy
500 https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version/main arm64 Packages release o=cloudsmith/caddy/stable,a=any-version,n=any-version,l=source=none,c=main,b=arm64 origin dl.cloudsmith.ioI assume origin is:
o=cloudsmith/caddy/stableWhen adding this rule
"origin=cloudsmith/caddy/stable,codename=${distro_codename}"; //Caddy repositoryI get this error
Unable to parse Unattended-Upgrade::Allowed-Origins. An error occurred: not enough values to unpack (expected 2, got 1) Traceback (most recent call last):https://pastebin.com/raw/7gtkRw7c
When changing the syntax to:
"cloudsmith/caddy/stable:${distro_codename}"; // CaddyThe error goes away.
Any ideas?
You're right with the origin.
codenameornin short form isany-version.${distro_codename}won't match that, as it contains the codename for your distro release, likebookwormfor Debian 12.
Withany-versionthe repo owner's basically saying you can install this regardless of your distro version or they handle it on their end somehow.Try just using the origin instead, like this.
"origin=cloudsmith/caddy/stable";
Not exactly what you're asking for, but I'll share what I do. I'm using SaltStack to do config management and one of my salt states brings all packages up to date. This is done every 24 hours. I'm not suggesting you install SaltStack just for that but rather pointing out for people who use config management tools that those might be able to handle unattended upgrades.