Unattended OpenBSD Upgrades using Ansible


Is this ideal? No… What could ever go wrong with an unattended upgrade? Run this at your own risk!

What drove me to do this? Security and also the recent speculative execution vulnerabilities.

Update doas.conf

permit nopass bfrancom as root cmd /usr/sbin/pkg_add
permit nopass bfrancom as root cmd /usr/sbin/syspatch
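
Both rules name a command but no `args`, so doas lets bfrancom run pkg_add and syspatch as root with any arguments and no password. The check below is an added example, not part of the original post: a hypothetical `audit_doas` function flags `nopass` rules that leave the arguments open, run here over a constructed sample holding the post's two rules followed by the same rules pinned with `args -u` and a bare `args` (which doas.conf(5) defines as "must be run without any arguments").

```sh
#!/bin/sh
# Added example (not from the original post): audit doas.conf text for
# passwordless rules that do not pin the command arguments.

# audit_doas [FILE...]: reads doas.conf rules from FILE, or stdin if none.
# Prints "<line>: <reason>: <rule>" per finding; exit status 1 if any.
audit_doas() {
    awk '
    { sub(/[ \t]*#.*/, "") }        # drop comments
    $1 != "permit" { next }         # blank lines and deny rules grant nothing
    {
        nopass = 0; cmd = 0; args = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "nopass") nopass = 1
            if ($i == "cmd")    cmd = 1
            if ($i == "args")   args = 1
        }
        if (nopass && !cmd) {
            printf "%d: nopass with no cmd: %s\n", NR, $0; bad = 1
        } else if (nopass && !args) {
            printf "%d: nopass cmd without args: %s\n", NR, $0; bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: lines 1-2 are the rules from the post, lines 3-4 are
# the same rules with the arguments pinned to what the playbook runs.
sample_doas_conf() {
    cat <<'EOF'
permit nopass bfrancom as root cmd /usr/sbin/pkg_add
permit nopass bfrancom as root cmd /usr/sbin/syspatch
permit nopass bfrancom as root cmd /usr/sbin/pkg_add args -u
permit nopass bfrancom as root cmd /usr/sbin/syspatch args
EOF
}

# Demo: reports lines 1 and 2, accepts lines 3 and 4.
sample_doas_conf | audit_doas || true
```
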

Set up a playbook

- hosts: openbsd_routers
  # remote_user must be the account the doas.conf rules above permit
  remote_user: bobbyjoe

  tasks:
    - name: doas /usr/sbin/pkg_add -u
      command: doas /usr/sbin/pkg_add -u
    - name: doas /usr/sbin/syspatch
      command: doas /usr/sbin/syspatch

You may want to add a reboot in there.