Use Origins-Pattern syntax for unattended-upgrades

This avoids needing to handle each distro differently, and leads to a more powerful syntax.

README.md

@@ -79,10 +79,9 @@ Whether to install/enable `yum-cron` (RedHat-based systems) or `unattended-upgra
 (Debian/Ubuntu only) A listing of packages that should not be automatically updated.
 
     security_autoupdate_additional_origins: []
-    # - "${distro_id}ESM:${distro_codename}-infra-security"
-    # - "Docker:${distro_codename}"
+    # - "origin=Docker,archive=${distro_codename}"
 
-(Debian/Ubuntu only) A listing of origins to reference. Debian's "Debian-Security" and Ubuntu's "${distro_codename}-security" origins are enabled by default.
+(Debian/Ubuntu only) A listing of additional origins to automatically update.
 
     security_autoupdate_reboot: false
 

templates/50unattended-upgrades.j2

@@ -8,19 +8,26 @@ Unattended-Upgrade::MailOnlyOnError "true";
 {% endif %}
 {% endif %}
 
-Unattended-Upgrade::Allowed-Origins {
-{% if ansible_distribution == 'Debian' %}
-        "${distro_id} stable-security"
-{% else %}
-        "${distro_id} ${distro_codename}-security";
-{% endif %}
+Unattended-Upgrade::Origins-Pattern {
+    // Debian security repositories
+    "origin=Debian,codename=${distro_codename},label=Debian-Security";
+    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
+
+    // Ubuntu security repository
+    "origin=Ubuntu,archive=${distro_codename}-security"
+
+    // Ubuntu ESM repositories
+    "origin=${distro_id}ESMApps,archive=${distro_codename}-apps-security";
+    "origin=${distro_id}ESM,archive=${distro_codename}-infra-security";
+
+    // Custom repositories
 {% for origin in security_autoupdate_additional_origins %}
-        "{{ origin }}";
+    "{{ origin }}";
 {% endfor %}
-};
+}
 
 Unattended-Upgrade::Package-Blacklist{
 {% for package in security_autoupdate_blacklist %}
-      "{{package}}";
+    "{{package}}";
 {% endfor %}
 }