Server maintenance / updates

What is the recommended way to keep a Trellis/Ansible provisioned server up to date with the latest packages and in particular security updates?

Can I simply add:

tasks:
  - apt: update_cache=yes
  - apt: upgrade=yes

to the server.yml file, and regularly run ansible-playbook -i hosts/<environment> server.yml?
Or does this conflict with the intended Trellis workflow?


Yes, that would work, but you should also test this on development/staging first. Package updates could obviously change their behaviour, but they could also break things in Trellis, for example if a newer version changes the location of a path/file that Trellis references.


This happened to me, actually–nginx changed some configuration and reprovisioning resulted in a white screen, so definitely test locally first.

Would love to hear how you are managing things these days @richardwilis

I’ve installed the unattended upgrades package for security upgrades on the staging and live servers: sudo apt-get install unattended-upgrades. I believe you can configure it to perform automatic security updates, but I just manually run sudo unattended-upgrades -d.

Occasionally I manually update the non-security packages. First on local and staging, then on the live server.

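Added example, not part of the original thread: a POSIX shell helper for the "test on staging first" review step, which reads the output of `apt-get -s upgrade` (a simulation that changes nothing) and labels each pending package as security or other, matching the split between security and non-security updates described above. It assumes Ubuntu/Debian-style archive names containing `-security`; the function name `classify_pending` and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Classify pending apt upgrades.
# Real use on a staging host, after refreshing the package lists:
#   apt-get -s upgrade | classify_pending

# classify_pending: read simulated apt-get output on stdin and print one line
# per pending package: "<security|other> <package> <installed> <candidate>".
# Assumption: security archives have "-security" in their suite name.
classify_pending() {
  awk '
    $1 == "Inst" {
      pkg = $2
      if (substr($3, 1, 1) == "[") {
        # Upgrade of an installed package: $3 is [installed-version]
        old = substr($3, 2, length($3) - 2)
        cand = $4
      } else {
        # Newly pulled-in dependency: no installed version yet
        old = "-"
        cand = $3
      }
      new = substr(cand, 2)                 # drop the leading "("
      origin = substr($0, index($0, "("))   # candidate version and archives
      kind = (origin ~ /-security/) ? "security" : "other"
      print kind, pkg, old, new
    }'
}

# Constructed sample of `apt-get -s upgrade` output (versions are made up).
SAMPLE_SIMULATION='Reading package lists...
Building dependency tree...
Inst nginx-common [1.18.0-0ubuntu1.2] (1.18.0-0ubuntu1.4 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [all])
Inst php-common [2:75] (2:76 Ubuntu:20.04/focal-updates [all])
Inst libfoo1 (1.0-1 Ubuntu:20.04/focal-security [amd64])
Conf nginx-common (1.18.0-0ubuntu1.4 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [all])'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SIMULATION" | classify_pending
```

Packages labelled "other" that Trellis templates depend on, such as nginx, are the ones worth reprovisioning against on development or staging before the upgrade reaches the live server.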