diff --git a/readme.md b/readme.md index 48b9a32..2aabace 100644 --- a/readme.md +++ b/readme.md 
@@ -1,110 +1,73 @@ # setup-auto-updates.sh -A cross-compatible shell script for enabling unattended automatic updates on Debian and Ubuntu systems. -Designed for clean, predictable configuration using modern `Origins-Pattern` syntax. -Includes dry-run validation and systemd timer setup when supported. +**Universal unattended-upgrades configurator for Debian and Ubuntu systems** ---- - -**Version:** 2025-07-28 -**License:** MIT - ---- +This script configures automatic system updates using `unattended-upgrades`, offering full control over update scope, reboot behavior, and compatibility with both classic and deb822-style APT sources. ## Features -- Detects Debian or Ubuntu and applies best-practice configuration -- Configures `unattended-upgrades` to install regular and security updates automatically -- Clears legacy `Allowed-Origins` and uses clean `Origins-Pattern` format -- Supports both traditional and deb822-style APT sources -- Enables systemd timers (`apt-daily.timer` and `apt-daily-upgrade.timer`) when available -- Configures daily update checks, weekly autoclean, and auto-reboot at 4:00 AM if needed -- Includes a dry-run validation with basic error detection -- Prompts to delete the script after successful execution - -## Compatibility - -- **Debian**: Bookworm, Trixie, and newer -- **Ubuntu**: Noble (24.04 LTS) and newer -- Should be safe on any modern system with `unattended-upgrades` and `apt` - -## What It Does - -- Installs `unattended-upgrades` if missing -- Writes a new `/etc/apt/apt.conf.d/50unattended-upgrades` using a robust and portable structure -- Enables APT periodic updates via `/etc/apt/apt.conf.d/20auto-upgrades` -- Enables systemd timers if `systemctl` is available -- Does **not** run any updates itself or reboot your system directly - -## Kernel Update Policy - -By default, this script **permits installation of updated kernels** if they match the configured origins (e.g., `-updates`, `-security`). 
-If you prefer to exclude kernel packages from automatic updates, add the following to `/etc/apt/apt.conf.d/50unattended-upgrades`: - -```conf -Unattended-Upgrade::Package-Blacklist { - "linux-image"; - "linux-headers"; -}; -``` - -## Example Output - -```sh -[INFO] Unattended-upgrades configurator (Debian/Ubuntu) -[INFO] Detected OS: Debian GNU/Linux 12 (bookworm) -[INFO] Updating APT cache… -[INFO] Installing unattended-upgrades… -[INFO] Validating unattended-upgrades with a dry run… -Allowed origins are: origin=Debian,archive=bookworm, origin=Debian,archive=bookworm-updates, ... -[INFO] Timers: -Mon 2025-07-28 06:40:14 MDT ... apt-daily-upgrade.timer -Mon 2025-07-28 10:51:12 MDT ... apt-daily.timer -[OK] Unattended updates configured. Regular + security updates will apply automatically; reboot at 04:00 if needed. -``` +- ✅ **Supports Debian (Bookworm/Trixie+) and Ubuntu (Noble+)** +- ✅ **Interactive prompt to choose:** + - Full updates (standard + security + updates) + - Security-only updates +- ✅ **Safe for systems using deb822 sources** +- ✅ **Smart reboot behavior** (`04:00` by default) +- ✅ **Clears fragile legacy config entries** +- ✅ **Systemd timer activation** +- ✅ **Dry-run validation to verify settings** +- ✅ **Re-run safe** — overwrites 50unattended-upgrades and 20auto-upgrades ## Usage +Download and run: + ```bash +wget https://example.com/setup-auto-updates.sh +chmod +x setup-auto-updates.sh sudo ./setup-auto-updates.sh ``` -- Must be run as root -- Prompts to delete itself after successful configuration if run interactively +You will be prompted: -## Customization +``` +Configure automatic updates for: + [1] Full updates (recommended) + [2] Security updates only +Select [1/2]: +``` -- **Reboot Time:** - ```bash - sudo REBOOT_TIME="03:30" ./setup-auto-updates.sh - ``` -- **Exclude Third-Party Updates:** - Use `/etc/apt/apt.conf.d/60unattended-thirdparty` to add `site=...` patterns. 
+### Non-interactive usage -## Systemd Timers Enabled +Set the `UPDATE_SCOPE` environment variable before running: -- `apt-daily.timer` – Regular APT metadata refresh -- `apt-daily-upgrade.timer` – Executes `unattended-upgrades` daily +```bash +sudo UPDATE_SCOPE=security ./setup-auto-updates.sh +``` -## Self-Delete Behavior +Valid values: `full` (default) or `security`. -At the end of the script, you’ll be asked: +### Reboot time -> Script successful. Do you wish to delete this script? +You may override the default automatic reboot time by setting: -This helps keep your directory tidy after one-time provisioning. +```bash +REBOOT_TIME=02:30 ./setup-auto-updates.sh +``` + +## What it Does + +- Installs and configures `unattended-upgrades` +- Sets `APT::Periodic` options +- Writes `/etc/apt/apt.conf.d/50unattended-upgrades` with `Origins-Pattern` +- Enables systemd timers (if available) +- Runs a dry-run check to validate behavior +- Prompts to delete the script after successful configuration ## Limitations -- Does not configure granular package pinning or holds -- Does not auto-install non-origin packages (e.g., third-party repos) unless explicitly configured -- Power-check skipped (optional `powermgmt-base` not installed) -- Not compatible with non-Debian-based distributions (e.g., Fedora, Arch) +- This script **does not configure third-party repositories** for auto updates. +- Kernel packages will be updated if they are included in the chosen update scope (e.g. under `-updates` or `-security`). ## License -MIT License – use freely, modify as needed, no warranties. - ---- - -Created and maintained by a privacy-conscious, security-oriented Linux sysadmin. \ No newline at end of file +MIT License \ No newline at end of file
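Review bot: In the Usage block, the new `wget https://example.com/setup-auto-updates.sh` followed by `chmod +x setup-auto-updates.sh` and `sudo ./setup-auto-updates.sh` tells readers to fetch a script from a placeholder host and run it as root with no integrity check. Replace example.com with the project's actual download location and add a step before the sudo line to verify a published checksum or signature, or at least to read the script. In the Reboot time section, `REBOOT_TIME=02:30 ./setup-auto-updates.sh` drops the `sudo` that the removed example (`sudo REBOOT_TIME="03:30" ./setup-auto-updates.sh`) had, and the "Must be run as root" bullet is deleted as well; put the variable on the sudo command line, as the UPDATE_SCOPE example does, and keep the root requirement stated somewhere. The Limitations entry on kernel packages now says they will be updated, but the removed `Unattended-Upgrade::Package-Blacklist` snippet showed how to opt out; consider keeping it, together with the removed statement that the script does not itself run updates or reboot the system, since both affect how an operator plans for unattended reboots at 04:00.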