Configure Automatic Security Updates

[josecelano]

Implement automatic security updates configuration in the ConfigureCommand. This task adds a new step that configures unattended-upgrades on provisioned instances to ensure they automatically receive and install security patches with scheduled reboots.

This is the first phase of completing the system security configuration, chosen because it has lower implementation risk and provides immediate security value.

Goals

• Automatic Security Updates: Configure unattended-upgrades for automatic security patching
• Scheduled Reboots: Enable automatic reboots at 2:00 AM for security updates that require restart
• New Domain Step: Add ConfigureSecurityUpdates to the ConfigureStep enum
• Ansible Integration: Create new Ansible playbook for security updates configuration
• Error Handling: Implement proper error handling with actionable messages
• Testing: Ensure E2E tests validate the security updates configuration

Specifications

Domain Integration

Update ConfigureStep enum in src/domain/environment/state/configure_failed.rs:

/// Steps in the configure workflow
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum ConfigureStep {
    /// Installing Docker
    InstallDocker,
    /// Installing Docker Compose
    InstallDockerCompose,
    /// Configuring automatic security updates
    ConfigureSecurityUpdates,  // <- NEW
}

New Application Step

Create src/application/steps/system/configure_security_updates.rs:

• Implements the ConfigureSecurityUpdatesStep
• Uses AnsibleClient to execute security updates playbook
• Handles ansible errors and maps them to domain errors
• Follows the same pattern as existing Docker installation steps

New Ansible Playbook

Create templates/ansible/configure-security-updates.yml (static template):

• Installs unattended-upgrades package
• Configures automatic updates for security packages
• Sets up automatic reboot schedule (2:00 AM)
• Configures logging and notifications

Integration

Update src/application/commands/configure.rs:

• Add new ConfigureSecurityUpdates case to step matching
• Execute ConfigureSecurityUpdatesStep in the workflow

Implementation Approach

This is a lower risk implementation that:

• Uses a static Ansible playbook (no Tera template variables needed)
• Has no networking/firewall concerns
• Follows established patterns from Docker installation steps
• Can be implemented and tested independently

Acceptance Criteria

• Security Updates Active: Instances automatically check for and install security updates
• Scheduled Reboots: Automatic reboots occur at 2:00 AM when needed for security updates
• Domain Integration: ConfigureSecurityUpdates step properly integrated
• Error Handling: Clear, actionable error messages for configuration failures
• Tests Pass: All existing tests continue to pass
• E2E Validation: E2E tests confirm security updates are properly configured
• Ansible Integration: Security updates playbook executes successfully

Related

Parent Epic: #16 - Finish ConfigureCommand - System Security Configuration
Estimated Effort: 1-2 days

Full specification: Security Updates Documentation