# setup-auto-updates.sh

A cross-compatible shell script for enabling unattended automatic updates on Debian and Ubuntu systems. Designed for clean, predictable configuration using modern `Origins-Pattern` syntax. Includes dry-run validation and systemd timer setup when supported.

---

**Version:** 2025-07-28

**License:** MIT

---

## Features

- Detects Debian or Ubuntu and applies best-practice configuration
- Configures `unattended-upgrades` to install regular and security updates automatically
- Clears legacy `Allowed-Origins` and uses clean `Origins-Pattern` format
- Supports both traditional and deb822-style APT sources
- Enables systemd timers (`apt-daily.timer` and `apt-daily-upgrade.timer`) when available
- Configures daily update checks, weekly autoclean, and auto-reboot at 4:00 AM if needed
- Includes a dry-run validation with basic error detection
- Prompts to delete the script after successful execution

## Compatibility

- **Debian**: Bookworm, Trixie, and newer
- **Ubuntu**: Noble (24.04 LTS) and newer
- Should be safe on any modern system with `unattended-upgrades` and `apt`

## What It Does

- Installs `unattended-upgrades` if missing
- Writes a new `/etc/apt/apt.conf.d/50unattended-upgrades` using a robust and portable structure
- Enables APT periodic updates via `/etc/apt/apt.conf.d/20auto-upgrades`
- Enables systemd timers if `systemctl` is available
- Does **not** run any updates itself or reboot your system directly

## Example Output

```
[INFO] Unattended-upgrades configurator (Debian/Ubuntu)
[INFO] Detected OS: Debian GNU/Linux 12 (bookworm)
[INFO] Updating APT cache…
[INFO] Installing unattended-upgrades…
[INFO] Validating unattended-upgrades with a dry run…
Allowed origins are: origin=Debian,archive=bookworm, origin=Debian,archive=bookworm-updates, ...
[INFO] Timers:
Mon 2025-07-28 06:40:14 MDT ... apt-daily-upgrade.timer
Mon 2025-07-28 10:51:12 MDT ... apt-daily.timer
[OK] Unattended updates configured.
Regular + security updates will apply automatically; reboot at 04:00 if needed.
```

## Usage

```bash
sudo ./setup-auto-updates.sh
```

- Must be run as root
- Prompts to delete itself after successful configuration if run interactively

## Customization

To change the default reboot time:

```bash
sudo REBOOT_TIME="03:30" ./setup-auto-updates.sh
```

To run without dry-run validation (not recommended), you can comment out or modify the `validate_with_dryrun()` function.

## Notes

- If APT is locked by another process, the script waits up to 3 minutes before proceeding
- Dry-run validation logs are saved to `/tmp/unattended-upgrades-dryrun.*`
- The script confirms presence of `systemctl` before enabling timers
- Automatically overwrites existing configuration files with no backup:
  - `/etc/apt/apt.conf.d/50unattended-upgrades`
  - `/etc/apt/apt.conf.d/20auto-upgrades`

## Self-Delete Behavior

At the end of the script, a prompt asks if you'd like to remove the `.sh` file that was just executed. This helps keep systems tidy after one-time provisioning.

## Limitations

- Does not configure granular package exclusions or holds
- Will not trigger updates or reboots itself; configuration only
- Does not install `powermgmt-base`, so power-check warnings may appear on laptops
- Not compatible with non-Debian distributions (e.g., Fedora, Arch)

## License

MIT License – use freely, modify as needed, no warranties.

---

Created and maintained by a privacy-conscious, security-oriented Linux sysadmin.
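
A post-run audit of the two files listed under "What It Does", checking the settings the Features list promises (daily checks, weekly autoclean, reboot time, `Origins-Pattern` in place of `Allowed-Origins`). This is an added example, not part of `setup-auto-updates.sh`; the function names are hypothetical, and it assumes the script writes the standard APT option names with one setting or block entry per line.

```bash
# Added example, not part of setup-auto-updates.sh. Key names are the standard
# APT / unattended-upgrades options; that the script writes them is assumed.

# Print the last value assigned to KEY ('KEY "value";'); comment lines never match.
apt_conf_value() {  # usage: apt_conf_value KEY FILE
    sed -n "s/^[[:space:]]*${1}[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$2" 2>/dev/null | tail -n 1
}

# Count quoted entries inside a 'KEY { ... };' block (one entry per line).
block_entries() {  # usage: block_entries KEY FILE
    awk -v key="$1" '
        $0 ~ ("^[ \t]*" key "[ \t]*[{]") { inblk = 1; next }
        inblk && /^[ \t]*[}]/            { inblk = 0 }
        inblk && /^[ \t]*"/              { n++ }
        END { print n + 0 }' "$2" 2>/dev/null
}

# Compare one setting against the expected value and report a mismatch.
expect() {  # usage: expect KEY WANT FILE
    local got
    got="$(apt_conf_value "$1" "$3")"
    [ "$got" = "$2" ] && return 0
    echo "FAIL: $1 = '${got:-unset}' in $3, expected '$2'" >&2
    return 1
}

# Returns 0 when every check passes, 1 on any mismatch, 2 if a file is unreadable.
audit_auto_updates() {  # usage: audit_auto_updates [50FILE] [20FILE] [REBOOT_TIME]
    local uu="${1:-/etc/apt/apt.conf.d/50unattended-upgrades}"
    local periodic="${2:-/etc/apt/apt.conf.d/20auto-upgrades}"
    local reboot_time="${3:-${REBOOT_TIME:-04:00}}" rc=0
    [ -r "$uu" ] && [ -r "$periodic" ] ||
        { echo "FAIL: cannot read $uu or $periodic" >&2; return 2; }
    expect 'APT::Periodic::Update-Package-Lists' 1 "$periodic" || rc=1
    expect 'APT::Periodic::Unattended-Upgrade' 1 "$periodic" || rc=1
    expect 'APT::Periodic::AutocleanInterval' 7 "$periodic" || rc=1
    expect 'Unattended-Upgrade::Automatic-Reboot' true "$uu" || rc=1
    expect 'Unattended-Upgrade::Automatic-Reboot-Time' "$reboot_time" "$uu" || rc=1
    [ "$(block_entries 'Unattended-Upgrade::Origins-Pattern' "$uu")" -gt 0 ] ||
        { echo "FAIL: no Origins-Pattern entries in $uu" >&2; rc=1; }
    [ "$(block_entries 'Unattended-Upgrade::Allowed-Origins' "$uu")" -eq 0 ] ||
        { echo "FAIL: legacy Allowed-Origins entries present in $uu" >&2; rc=1; }
    return "$rc"
}
```

Source the file and call `audit_auto_updates` with no arguments to check the live paths; pass the same `REBOOT_TIME` used at setup if it was customized.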