Copilot AI commented Oct 30, 2025

Implements unattended-upgrades configuration as a new step in the ConfigureCommand workflow, enabling automatic security patching with scheduled 2:00 AM reboots.

Changes

Domain Layer

  • Added ConfigureSecurityUpdates variant to ConfigureStep enum for failure tracking

Application Layer

  • Created ConfigureSecurityUpdatesStep that executes Ansible playbook via AnsibleClient
  • Integrated step into ConfigureCommandHandler workflow after Docker Compose installation
  • Follows existing step pattern with proper error mapping and tracing

Infrastructure Layer

  • Created templates/ansible/configure-security-updates.yml playbook:
    • Installs and configures unattended-upgrades package
    • Enables automatic security updates via APT configuration
    • Sets automatic reboot schedule (02:00)
    • Includes Debian family conditionals for cross-platform safety
    • Verifies configuration with dry-run

Usage

The step runs automatically in the configure workflow:

let current_step = ConfigureStep::ConfigureSecurityUpdates;
ConfigureSecurityUpdatesStep::new(Arc::clone(&self.ansible_client))
    .execute()
    .map_err(|e| (e.into(), current_step))?;

Configuration details in /etc/apt/apt.conf.d/ files are backed up before modification.

Original prompt

This section details the original issue you should resolve

<issue_title>Configure Automatic Security Updates</issue_title>
<issue_description>Implement automatic security updates configuration in the ConfigureCommand. This task adds a new step that configures unattended-upgrades on provisioned instances to ensure they automatically receive and install security patches with scheduled reboots.

This is the first phase of completing the system security configuration, chosen because it has lower implementation risk and provides immediate security value.

Goals

  • Automatic Security Updates: Configure unattended-upgrades for automatic security patching
  • Scheduled Reboots: Enable automatic reboots at 2:00 AM for security updates that require restart
  • New Domain Step: Add ConfigureSecurityUpdates to the ConfigureStep enum
  • Ansible Integration: Create new Ansible playbook for security updates configuration
  • Error Handling: Implement proper error handling with actionable messages
  • Testing: Ensure E2E tests validate the security updates configuration

Specifications

Domain Integration

Update ConfigureStep enum in src/domain/environment/state/configure_failed.rs:

/// Steps in the configure workflow
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum ConfigureStep {
    /// Installing Docker
    InstallDocker,
    /// Installing Docker Compose
    InstallDockerCompose,
    /// Configuring automatic security updates
    ConfigureSecurityUpdates,  // <- NEW
}

New Application Step

Create src/application/steps/system/configure_security_updates.rs:

  • Implements the ConfigureSecurityUpdatesStep
  • Uses AnsibleClient to execute security updates playbook
  • Handles ansible errors and maps them to domain errors
  • Follows the same pattern as existing Docker installation steps

New Ansible Playbook

Create templates/ansible/configure-security-updates.yml (static template):

  • Installs unattended-upgrades package
  • Configures automatic updates for security packages
  • Sets up automatic reboot schedule (2:00 AM)
  • Configures logging and notifications

Integration

Update src/application/commands/configure.rs:

  • Add new ConfigureSecurityUpdates case to step matching
  • Execute ConfigureSecurityUpdatesStep in the workflow

Implementation Approach

This is a lower risk implementation that:

  • Uses a static Ansible playbook (no Tera template variables needed)
  • Has no networking/firewall concerns
  • Follows established patterns from Docker installation steps
  • Can be implemented and tested independently

Acceptance Criteria

  • Security Updates Active: Instances automatically check for and install security updates
  • Scheduled Reboots: Automatic reboots occur at 2:00 AM when needed for security updates
  • Domain Integration: ConfigureSecurityUpdates step properly integrated
  • Error Handling: Clear, actionable error messages for configuration failures
  • Tests Pass: All existing tests continue to pass
  • E2E Validation: E2E tests confirm security updates are properly configured
  • Ansible Integration: Security updates playbook executes successfully

Related

Parent Epic: #16 - Finish ConfigureCommand - System Security Configuration
Estimated Effort: 1-2 days

Full specification: Security Updates Documentation</issue_description>

Comments on the Issue (you are @copilot in this section)


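The failure tracking the description above refers to, as an added illustration that is not code from the PR: the handler runs each step in order, and a failing playbook comes back as an (error, step) pair so the failed state can record which step broke. ConfigureStep is taken from the issue text; AnsibleClient, AnsibleError, ConfigureError, the FakeAnsible test double and the two Docker playbook file names are assumptions made for this example.

```rust
// Added example, not the project's code. ConfigureStep mirrors the issue text;
// AnsibleClient, AnsibleError, ConfigureError, FakeAnsible and the Docker
// playbook names are assumptions for illustration.
use std::fmt;
use std::sync::Arc;

/// Steps in the configure workflow (from the issue text).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ConfigureStep {
    InstallDocker,
    InstallDockerCompose,
    ConfigureSecurityUpdates,
}

/// Error from the (assumed) Ansible client: which playbook failed and why.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AnsibleError {
    pub playbook: String,
    pub message: String,
}

/// Domain error; the failed step travels beside it as a tuple (see run_configure).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ConfigureError {
    PlaybookFailed { playbook: String, message: String },
}

impl From<AnsibleError> for ConfigureError {
    fn from(e: AnsibleError) -> Self {
        ConfigureError::PlaybookFailed { playbook: e.playbook, message: e.message }
    }
}

// Actionable message: names the playbook, the cause, and what to do next.
impl fmt::Display for ConfigureError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ConfigureError::PlaybookFailed { playbook, message } => write!(
                f,
                "Ansible playbook '{playbook}' failed: {message}. Fix the cause on the host and re-run the configure command."
            ),
        }
    }
}

/// Minimal stand-in for the project's AnsibleClient (assumed interface).
pub trait AnsibleClient {
    fn run_playbook(&self, playbook: &str) -> Result<(), AnsibleError>;
}

/// The new step: it only knows its playbook and the client that runs it.
pub struct ConfigureSecurityUpdatesStep {
    client: Arc<dyn AnsibleClient>,
}

impl ConfigureSecurityUpdatesStep {
    pub const PLAYBOOK: &'static str = "configure-security-updates.yml";

    pub fn new(client: Arc<dyn AnsibleClient>) -> Self {
        Self { client }
    }

    pub fn execute(&self) -> Result<(), AnsibleError> {
        self.client.run_playbook(Self::PLAYBOOK)
    }
}

/// Handler: runs the steps in order and, on failure, returns the error together
/// with the step that failed so the failed state can record it.
pub fn run_configure(
    client: &Arc<dyn AnsibleClient>,
) -> Result<Vec<ConfigureStep>, (ConfigureError, ConfigureStep)> {
    let mut completed = Vec::new();
    // Earlier steps, inlined here; these playbook file names are assumptions.
    for (step, playbook) in [
        (ConfigureStep::InstallDocker, "install-docker.yml"),
        (ConfigureStep::InstallDockerCompose, "install-docker-compose.yml"),
    ] {
        client.run_playbook(playbook).map_err(|e| (ConfigureError::from(e), step))?;
        completed.push(step);
    }
    // The new step, wired the way the PR description shows.
    let current_step = ConfigureStep::ConfigureSecurityUpdates;
    ConfigureSecurityUpdatesStep::new(Arc::clone(client))
        .execute()
        .map_err(|e| (ConfigureError::from(e), current_step))?;
    completed.push(current_step);
    Ok(completed)
}

/// Test double: fails on one named playbook and succeeds on every other.
pub struct FakeAnsible {
    pub fail_on: Option<&'static str>,
}

impl AnsibleClient for FakeAnsible {
    fn run_playbook(&self, playbook: &str) -> Result<(), AnsibleError> {
        match self.fail_on {
            Some(name) if name == playbook => Err(AnsibleError {
                playbook: playbook.to_string(),
                message: "ansible-playbook exited with status 2 (simulated)".to_string(),
            }),
            _ => Ok(()),
        }
    }
}

fn main() {
    let client: Arc<dyn AnsibleClient> =
        Arc::new(FakeAnsible { fail_on: Some(ConfigureSecurityUpdatesStep::PLAYBOOK) });
    match run_configure(&client) {
        Ok(done) => println!("configured: {done:?}"),
        Err((err, step)) => println!("failed at {step:?}: {err}"),
    }
}
```

The tuple error type is what lets the caller persist the exact step in the failed state; a step that fails earlier (Docker Compose, say) never reaches the security-updates playbook, and the recorded step says so.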

Copilot AI and others added 2 commits October 30, 2025 10:45
- Add ConfigureSecurityUpdates variant to ConfigureStep enum
- Create ConfigureSecurityUpdatesStep for system security configuration
- Create Ansible playbook for unattended-upgrades setup
- Integrate security updates step into ConfigureCommand workflow
- Configure automatic reboots at 2:00 AM for security updates

Co-authored-by: josecelano <[email protected]>
Add 'when: ansible_os_family == "Debian"' conditions to all APT and
unattended-upgrades specific tasks to prevent errors on non-Debian systems

Co-authored-by: josecelano <[email protected]>
Copilot AI changed the title [WIP] Configure automatic security updates in ConfigureCommand Add automatic security updates configuration to ConfigureCommand Oct 30, 2025
Copilot AI requested a review from josecelano October 30, 2025 10:55
Copilot finished work on behalf of josecelano October 30, 2025 10:55
…copy list

The E2E config tests were failing because the new Ansible playbook
configure-security-updates.yml was not being copied to the build directory.

This adds the playbook to the array of static templates in the
AnsibleTemplateRenderer::copy_static_templates method and updates
the file count from 5 to 6.
This documentation improvement addresses the gap that led to the initial
PR failure. Copilot missed the requirement to register static playbooks
in the copy_static_templates method.

Changes:
- docs/contributing/templates.md: Added complete section on adding static
  Ansible playbooks with step-by-step guide, common mistakes, and checklist
- docs/technical/template-system-architecture.md: Enhanced two-phase
  processing explanation with explicit registration requirements
- .github/copilot-instructions.md: Added critical rule #5 about playbook
  registration to guide AI assistants

The new documentation ensures that both human developers and AI assistants
understand the static template registration requirement, preventing
runtime 'playbook not found' errors.
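The registration rule in the commit messages above, as an added example that is not the project's code: a check that walks a templates directory and reports plain playbooks nobody registered for the static copy, registered names with no file behind them, and the .tera templates that phase 2 renders on its own. The function names, the scratch directory and the sample file names other than configure-security-updates.yml are assumptions.

```rust
// Added example, not the project's code: the two-phase template rule (static
// .yml playbooks must be registered, .tera files render automatically) turned
// into a check a unit test can run. Names and sample files are assumptions.
use std::collections::BTreeSet;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

/// Outcome of comparing the templates directory with the registered list.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct TemplateAudit {
    /// Plain playbooks on disk that were never registered: they are not copied
    /// in phase 1 and surface later as a runtime "playbook not found" error.
    pub unregistered_static: Vec<String>,
    /// Registered names with no file behind them (typo or deleted file).
    pub registered_missing: Vec<String>,
    /// Output names of .tera templates, handled by phase 2 without registration.
    pub rendered: Vec<String>,
}

pub fn audit_templates(dir: &Path, registered: &[&str]) -> io::Result<TemplateAudit> {
    let registered: BTreeSet<&str> = registered.iter().copied().collect();
    let mut audit = TemplateAudit::default();
    let mut on_disk: BTreeSet<String> = BTreeSet::new();
    for entry in fs::read_dir(dir)? {
        let name = entry?.file_name().to_string_lossy().into_owned();
        if name.ends_with(".tera") {
            audit.rendered.push(name[..name.len() - ".tera".len()].to_string());
        } else if name.ends_with(".yml") || name.ends_with(".yaml") {
            if !registered.contains(name.as_str()) {
                audit.unregistered_static.push(name.clone());
            }
            on_disk.insert(name);
        }
    }
    audit.registered_missing = registered
        .iter()
        .filter(|n| !on_disk.contains(**n))
        .map(|n| n.to_string())
        .collect();
    audit.unregistered_static.sort();
    audit.rendered.sort();
    Ok(audit)
}

/// Phase 1: copy each registered static playbook into the build directory.
/// Unregistered files are simply not copied (the failure mode the commits
/// describe); a registered name with no file on disk is an error.
pub fn copy_static_templates(src: &Path, build: &Path, registered: &[&str]) -> io::Result<usize> {
    fs::create_dir_all(build)?;
    for name in registered {
        let from = src.join(name);
        if !from.is_file() {
            let msg = format!("registered static playbook {name} not found in {}", src.display());
            return Err(io::Error::new(io::ErrorKind::NotFound, msg));
        }
        fs::copy(&from, build.join(name))?;
    }
    Ok(registered.len())
}

/// Scratch directory with constructed sample templates (not the project's files).
pub fn sample_templates_dir() -> io::Result<PathBuf> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_nanos();
    let dir = std::env::temp_dir().join(format!("tpl-audit-{}-{nanos}", std::process::id()));
    fs::create_dir_all(&dir)?;
    fs::write(dir.join("install-docker.yml"), "- hosts: all\n  tasks: []\n")?;
    fs::write(dir.join("configure-security-updates.yml"), "- hosts: all\n  tasks: []\n")?;
    fs::write(dir.join("inventory.yml.tera"), "all:\n  hosts:\n    {{ host }}:\n")?;
    Ok(dir)
}

fn main() -> io::Result<()> {
    let dir = sample_templates_dir()?;
    // Register only the older playbook, reproducing the state before commit b5d4e59.
    let audit = audit_templates(&dir, &["install-docker.yml"])?;
    for name in &audit.unregistered_static {
        println!("not registered for static copy: {name}");
    }
    fs::remove_dir_all(&dir)
}
```

Running the audit as a unit test turns the "playbook not found" E2E failure into a compile-and-test-time failure with the file name in the message.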
@josecelano josecelano marked this pull request as ready for review October 30, 2025 12:12

@josecelano josecelano left a comment


ACK 3d8b153

@josecelano

✅ Issue Fixed: Missing Playbook Registration

The initial E2E config test failure has been resolved. The problem was that the new Ansible playbook configure-security-updates.yml was created but not registered in the template copy mechanism.

🔧 Root Cause

The codebase uses a two-phase template system:

  1. Phase 1: Static file copying (requires explicit registration)
  2. Phase 2: Dynamic rendering (automatic for .tera files)

The new playbook needed to be added to the copy_static_templates array in src/infrastructure/external_tools/ansible/template/renderer/mod.rs.

✅ Fixes Applied

Commit 1 - b5d4e59: Fixed the playbook registration

  • Added "configure-security-updates.yml" to the static templates array
  • Updated file count from 5 to 6 playbooks

Commit 2 - 3d8b153: Enhanced documentation to prevent future occurrences

  • Added comprehensive guide in docs/contributing/templates.md for adding static Ansible playbooks
  • Enhanced docs/technical/template-system-architecture.md with two-phase processing explanation
  • Added Rule #5 in .github/copilot-instructions.md with CRITICAL warning about playbook registration

🧪 Verification

All validation completed successfully:

  • ✅ E2E config tests: PASSED (41.3s)
  • ✅ Unit tests: PASSED (1,046 tests)
  • ✅ E2E full tests: PASSED (63.3s)
  • ✅ Infrastructure validation: Security updates properly configured
    • unattended-upgrades package installed
    • Automatic updates enabled
    • Automatic reboot scheduled (02:00)
    • Service enabled

The PR is now ready for review. GitHub Actions should pass on the next run.
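The infrastructure validation listed above (updates enabled, automatic reboot at 02:00) can be checked from the APT configuration itself. Added example, not the project's or the playbook's code: a parser for apt.conf syntax plus a checker for the keys unattended-upgrades reads, run over constructed samples of /etc/apt/apt.conf.d/20auto-upgrades and 50unattended-upgrades. The key names are the real APT/unattended-upgrades ones; the file contents are made up for the example.

```rust
// Added example, not code from the PR or its playbook: parse apt.conf syntax
// and check the unattended-upgrades settings the PR says it applies.
// The two file contents are constructed samples; the key names are real.
use std::collections::BTreeMap;

/// Parsed configuration: scalars are one-element vectors, lists keep every item.
pub type AptConf = BTreeMap<String, Vec<String>>;

enum Tok { Word(String), Str(String), Open, Close, Semi }

/// Tokenize `Key "value";` and `Key { "a"; "b"; };`; `//` and `#` lines
/// (including `#clear` directives) are skipped. Nested blocks are not handled.
fn tokenize(src: &str) -> Vec<Tok> {
    let c: Vec<char> = src.chars().collect();
    let (mut i, mut out) = (0, Vec::new());
    while i < c.len() {
        if c[i].is_whitespace() { i += 1; continue; }
        if c[i] == '#' || (c[i] == '/' && c.get(i + 1) == Some(&'/')) {
            while i < c.len() && c[i] != '\n' { i += 1; }
            continue;
        }
        let start = i + 1;
        match c[i] {
            '{' => out.push(Tok::Open),
            '}' => out.push(Tok::Close),
            ';' => out.push(Tok::Semi),
            '"' => {
                i = start;
                while i < c.len() && c[i] != '"' { i += 1; }
                out.push(Tok::Str(c[start..i].iter().collect()));
            }
            _ => {
                while i + 1 < c.len() && !c[i + 1].is_whitespace() && !"{};\"".contains(c[i + 1]) { i += 1; }
                out.push(Tok::Word(c[start - 1..=i].iter().collect()));
            }
        }
        i += 1;
    }
    out
}

/// Merge one file into `cfg`: a later scalar overrides, list items append (as APT does).
pub fn parse_apt_conf(src: &str, cfg: &mut AptConf) {
    let toks = tokenize(src);
    let mut i = 0;
    while i < toks.len() {
        let Tok::Word(key) = &toks[i] else { i += 1; continue; };
        match toks.get(i + 1) {
            Some(Tok::Str(v)) => { cfg.insert(key.clone(), vec![v.clone()]); i += 3; }
            Some(Tok::Open) => {
                i += 2;
                let list = cfg.entry(key.clone()).or_default();
                while let Some(t) = toks.get(i) {
                    match t { Tok::Str(s) => list.push(s.clone()), Tok::Close => break, _ => {} }
                    i += 1;
                }
                i += 2;
            }
            _ => i += 1,
        }
    }
}

fn is_true(v: &str) -> bool {
    matches!(v.to_ascii_lowercase().as_str(), "true" | "yes" | "on" | "1")
}

/// Findings against the settings the playbook is expected to leave behind; empty means OK.
pub fn check_security_updates(cfg: &AptConf) -> Vec<String> {
    let scalar = |k: &str| cfg.get(k).and_then(|v| v.last()).map(String::as_str);
    let mut out = Vec::new();
    if !scalar("APT::Periodic::Update-Package-Lists").map_or(false, is_true) {
        out.push("APT::Periodic::Update-Package-Lists not enabled: package lists go stale".into());
    }
    if !scalar("APT::Periodic::Unattended-Upgrade").map_or(false, is_true) {
        out.push("APT::Periodic::Unattended-Upgrade not enabled: nothing is installed automatically".into());
    }
    let has_security = cfg.get("Unattended-Upgrade::Allowed-Origins")
        .map_or(false, |o| o.iter().any(|s| s.contains("-security")));
    if !has_security {
        out.push("no *-security origin in Unattended-Upgrade::Allowed-Origins".into());
    }
    match scalar("Unattended-Upgrade::Automatic-Reboot") {
        Some(v) if is_true(v) => match scalar("Unattended-Upgrade::Automatic-Reboot-Time") {
            Some("02:00") => {}
            Some(t) => out.push(format!("Automatic-Reboot-Time is {t:?}, expected \"02:00\"")),
            // Default for Automatic-Reboot-Time is "now": the host would reboot as soon as an update needs it.
            None => out.push("Automatic-Reboot-Time unset: host would reboot immediately (\"now\")".into()),
        },
        _ => out.push("Unattended-Upgrade::Automatic-Reboot not enabled: kernel and libc fixes wait for a manual reboot".into()),
    }
    out
}

/// Constructed sample of /etc/apt/apt.conf.d/20auto-upgrades.
pub const AUTO_UPGRADES: &str = r#"
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
"#;

/// Constructed sample of /etc/apt/apt.conf.d/50unattended-upgrades (relevant keys only).
pub const UNATTENDED_UPGRADES: &str = r#"
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
"#;

/// Parse the files in APT's load order and return the findings.
pub fn verify(files: &[&str]) -> Vec<String> {
    let mut cfg = AptConf::new();
    for f in files { parse_apt_conf(f, &mut cfg); }
    check_security_updates(&cfg)
}
```

The check treats Automatic-Reboot without Automatic-Reboot-Time as a finding because unattended-upgrades defaults that time to "now". On a live host, `apt-config dump` is the authoritative merged view, but it prints list items as `Key:: "item";`, so feed this parser the files rather than the dump; `unattended-upgrade --dry-run` is the live counterpart of the dry-run verification step the PR description mentions.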

@josecelano josecelano merged commit 30d1eda into main Oct 30, 2025
34 checks passed
Successfully merging this pull request may close these issues.

Configure Automatic Security Updates
