feat(os_agent_auto_update): Configure automatic updating for OS Agent

Fixes #25

README.md

@@ -22,6 +22,7 @@ These roles provide additional functionality to secure and enhance the minimal i
 1. [harden_os](https://github.com/jhampson-dbre/home_assistant/blob/main/roles/harden_os/README.md) - Enable automated Debian security updates and restrict SSH access
 1. [fail2ban](https://github.com/jhampson-dbre/home_assistant/blob/main/roles/fail2ban/README.md) - Install fail2ban, configure it to blacklist IPs with excessive failed login attempts to Home Assistant, and add the fail2ban integration to Home Assistant
 1. [install_hacs](https://github.com/jhampson-dbre/home_assistant/blob/main/roles/install_hacs/README.md) - Install the [Home Assistant Comunity Store](https://hacs.xyz/), a marketplace of community-contributed custom components for Home Assistant
+1. [os_agent_auto_update](https://github.com/jhampson-dbre/home_assistant/blob/main/roles/os_agent_auto_update/README.md) - Configures automatic updates to OS Agent component using `ansible-playbook` scheduled with cron
 
 ### Example Playbook
 
@@ -67,4 +68,5 @@ These roles provide additional functionality to secure and enhance the minimal i
     - name: jhampson_dbre.home_assistant.harden_os
     - name: jhampson_dbre.home_assistant.fail2ban
     - name: jhampson_dbre.home_assistant.install_hacs
+    - name: jhampson_dbre.home_assistant.os_agent_auto_update
 ```

roles/os_agent_auto_update/README.md

@@ -0,0 +1,47 @@
+os_agent_auto_update
+=========
+
+Schedule ansible-playbook to check for and install OS Agent updates with cron
+
+Requirements
+------------
+
+- Ansible must be installed on the remote host to run the auto update playbook from cron. The role will complete successfully without Ansible being installed, but the cron job will not run successfully. By default, the role will automatically do a user install of ansible with pip.
+- A playbook is copied to the remote host that is scheduled in cron to check for and install OS Agent updates. This playbook has a task with `become: true`, so the user runs the schedule should have passwordless sudo configured to run non-interactively.
+
+Role Variables
+--------------
+
+The following varaibles are defined in `defaults/main.yml`
+
+```yaml
+# The path that the automatic update playbook will be copied to for scheduling
+os_agent_auto_update_playbook_dir: /home/homeassistant/playbooks
+
+# Install ansible on the remote host so that the update playbook can run in cron. Set to false to you already have ansible installed, or need a specific Ansible version.
+os_agent_auto_update_install_ansible: true
+```
+
+Dependencies
+------------
+
+none
+
+Example Playbook
+----------------
+
+```yaml
+- hosts: pi
+  roles:
+    - name: jhampson_dbre.home_assistant.os_agent_auto_update
+```
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+@jhampson-dbre

roles/os_agent_auto_update/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# defaults file for os_agent_auto_update
+os_agent_auto_update_playbook_dir: /home/homeassistant/playbooks
+os_agent_auto_update_install_ansible: true

roles/os_agent_auto_update/files/update_os_agent.yml

@@ -0,0 +1,30 @@
+- hosts: localhost
+  connection: local
+  vars:
+    update_os_agent_arch:
+      "i386": "i386"
+      "i686": "none"
+      "x86_64": "x86_64"
+      "arm": "armv5"
+      "armv6l": "none"
+      "armv7l": "armv7"
+      "aarch64": "aarch64"
+
+  tasks:
+    - name: Get download url for latest os-agent .deb release
+      shell: |
+        curl -s https://api.github.com/repos/home-assistant/os-agent/releases/latest \
+        | grep "browser_download_url.*{{ update_os_agent_arch[ansible_architecture] }}.deb" \
+        | cut -d : -f 2,3 \
+        | tr -d \"
+      register: os_agent_latest_url
+      failed_when: os_agent_latest_url.stdout is not search('os-agent_.*_linux_.*.deb')
+      changed_when: false
+      check_mode: no
+      args:
+        warn: false
+
+    - name: Install os-agent
+      apt:
+        deb: "{{ os_agent_latest_url.stdout|trim }}"
+      become: true

roles/os_agent_auto_update/meta/main.yml

@@ -0,0 +1,37 @@
+galaxy_info:
+  author: Jared Hampson
+  description: Automatic update for Home Assistant OS Agent
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  license: MIT
+
+  min_ansible_version: 2.9
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+
+  galaxy_tags:
+    - home
+    - assistant
+    - supervised
+    - raspberry
+    - pi
+    - hassio
+    - hacs
+
+dependencies: []

roles/os_agent_auto_update/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+# tasks file for os_agent_auto_update
+- name: create directory for auto update playbook
+  file:
+    path: "{{ os_agent_auto_update_playbook_dir }}"
+    state: directory
+    mode: 0700
+
+- name: copy OS Agent update playbook
+  copy:
+    src: update_os_agent.yml
+    dest: "{{ os_agent_auto_update_playbook_dir }}/update_os_agent.yml"
+    mode: 0700
+
+- name: ensure ansible is installed
+  pip:
+    name: ansible<=2.10
+    extra_args: --user
+    executable: pip3
+  when: os_agent_auto_update_install_ansible|bool
+
+- name: schedule periodic update of OS Agent
+  cron:
+    name: "update OS Agent"
+    minute: "0"
+    hour: "5"
+    job: "ansible-playbook {{ os_agent_auto_update_playbook_dir }}/update_os_agent.yml"

roles/os_agent_auto_update/tests/inventory

@@ -0,0 +1 @@
+localhost

roles/os_agent_auto_update/tests/test.yml

@@ -0,0 +1,4 @@
+---
+- hosts: localhost
+  roles:
+    - name: os_agent_auto_update

roles/os_agent_auto_update/vars/main.yml

@@ -0,0 +1,17 @@
+---
+# vars file for os_agent_auto_update
+os_agent_auto_update_arch:
+  "i386":
+    os_agent: "i386"
+  "i686":
+    os_agent: "none"
+  "x86_64":
+    os_agent: "x86_64"
+  "arm":
+    os_agent: "armv5"
+  "armv6l":
+    os_agent: "none"
+  "armv7l":
+    os_agent: "armv7"
+  "aarch64":
+    os_agent: "aarch64"

tests/sanity.yml

@@ -1,7 +1,6 @@
 - name: Import all roles for sanity tests
   hosts: all
   tasks:
-
     - name: import harden_os
       import_role:
         name: ../roles/harden_os
@@ -20,4 +19,8 @@
 
     - name: import supervised_install
       import_role:
-        name: ../roles/supervised_install
+        name: ../roles/supervised_install
+
+    - name: import os_agent_auto_update
+      import_role:
+        name: ../roles/os_agent_auto_update