# setup-auto-updates.sh

A cross-compatible shell script for enabling unattended automatic updates on Debian and Ubuntu systems. Designed for clean, predictable configuration using modern `Origins-Pattern` syntax. Includes dry-run validation and systemd timer setup when supported.

---

**Version:** 2025-07-28

**License:** MIT

---

## Features

- Detects Debian or Ubuntu and applies best-practice configuration
- Configures `unattended-upgrades` to install regular and security updates automatically
- Clears the legacy `Allowed-Origins` list and uses the `Origins-Pattern` format only
- Supports both traditional and deb822-style APT sources
- Enables systemd timers (`apt-daily.timer` and `apt-daily-upgrade.timer`) when available
- Configures daily update checks, weekly autoclean, and auto-reboot at 4:00 AM if needed
- Includes a dry-run validation with basic error detection
- Prompts to delete the script after successful execution

## Compatibility

- **Debian**: Bookworm, Trixie, and newer
- **Ubuntu**: Noble (24.04 LTS) and newer
- Should be safe on any modern system with `unattended-upgrades` and `apt`

## What It Does

- Installs `unattended-upgrades` if missing
- Writes a new `/etc/apt/apt.conf.d/50unattended-upgrades` using a robust and portable structure
- Enables APT periodic updates via `/etc/apt/apt.conf.d/20auto-upgrades`
- Enables systemd timers if `systemctl` is available
- Does **not** run any updates itself or reboot your system directly

## Kernel Update Policy

By default, this script **permits installation of updated kernels** if they match the configured origins (e.g., `-updates`, `-security`).
If you prefer to exclude kernel packages from automatic updates, add the following to `/etc/apt/apt.conf.d/50unattended-upgrades`:

```conf
Unattended-Upgrade::Package-Blacklist {
    "linux-image";
    "linux-headers";
};
```

Blacklist entries are regular expressions matched against the start of the package name, so `"linux-image"` covers every `linux-image-*` package. Two consequences to keep in mind: kernel security fixes are then left uninstalled until you apply them by hand, and because the script rewrites `50unattended-upgrades`, a blacklist placed there is lost if the script is run again (a separate drop-in file in `/etc/apt/apt.conf.d/` survives a re-run).

## Example Output

```sh
[INFO] Unattended-upgrades configurator (Debian/Ubuntu)
[INFO] Detected OS: Debian GNU/Linux 12 (bookworm)
[INFO] Updating APT cache…
[INFO] Installing unattended-upgrades…
[INFO] Validating unattended-upgrades with a dry run…
Allowed origins are: origin=Debian,archive=bookworm, origin=Debian,archive=bookworm-updates, ...
[INFO] Timers:
Mon 2025-07-28 06:40:14 MDT ... apt-daily-upgrade.timer
Mon 2025-07-28 10:51:12 MDT ... apt-daily.timer
[OK] Unattended updates configured. Regular + security updates will apply automatically; reboot at 04:00 if needed.
```

## Usage

```bash
sudo ./setup-auto-updates.sh
```

- Must be run as root
- Prompts to delete itself after successful configuration if run interactively

## Customization

- **Reboot Time:**

  ```bash
  sudo REBOOT_TIME="03:30" ./setup-auto-updates.sh
  ```

- **Third-Party Repositories:** Packages from repositories other than the distribution's own are not upgraded unless you allow them explicitly. Add further `Origins-Pattern` entries, such as `site=` patterns for the repository host, in `/etc/apt/apt.conf.d/60unattended-thirdparty`; anything not matched by a pattern is left untouched.

## Systemd Timers Enabled

- `apt-daily.timer` – Regular APT metadata refresh
- `apt-daily-upgrade.timer` – Executes `unattended-upgrades` daily

## Self-Delete Behavior

At the end of the script, you'll be asked:

> Script successful. Do you wish to delete this script?

This helps keep your directory tidy after one-time provisioning.

## Limitations

- Does not configure granular package pinning or holds
- Does not auto-install packages from non-distribution origins (e.g., third-party repos) unless explicitly configured
- No power check: the optional `powermgmt-base` package is not installed, so upgrade runs are not held back while a machine is on battery
- Not compatible with non-Debian-based distributions (e.g., Fedora, Arch)

## License

MIT License – use freely, modify as needed, no warranties.

---

Created and maintained by a privacy-conscious, security-oriented Linux sysadmin.
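## Appendix: What the Generated Configuration Looks Like

The following is an added illustration of the configuration described under "What It Does" and "Customization"; it is not the project's `setup-auto-updates.sh`. File names, the `REBOOT_TIME` override, the daily/weekly periodic values and the dry-run validation follow this README. Everything else is assumed for the example: the function names, the `--apply` flag, and the choice to substitute the origin and codename read from `/etc/os-release` literally into the patterns (instead of using the `${distro_id}`/`${distro_codename}` macros that `unattended-upgrades` also understands). The rendering functions take explicit arguments and never touch `/etc` on their own, so the output can be inspected on any machine.

```sh
#!/bin/sh
# Added example, not the project's script. Renders the two apt.conf.d files
# this README describes; only `--apply` touches the live system.
set -eu

# Read ID and VERSION_CODENAME from an os-release file and print the
# "<Origin> <codename>" pair used in APT Release files (Debian/Ubuntu only).
detect_distro() {
    osrel="${1:-/etc/os-release}"
    os_id=$(sed -n 's/^ID=//p' "$osrel" | tr -d '"')
    codename=$(sed -n 's/^VERSION_CODENAME=//p' "$osrel" | tr -d '"')
    case "$os_id" in
        debian) origin=Debian ;;
        ubuntu) origin=Ubuntu ;;
        *) echo "unsupported distribution: '${os_id}'" >&2; return 1 ;;
    esac
    [ -n "$codename" ] || { echo "no VERSION_CODENAME in $osrel" >&2; return 1; }
    echo "$origin $codename"
}

# 50unattended-upgrades: drop the legacy Allowed-Origins list (#clear is an
# apt.conf directive) and allow only the release, -updates and -security
# suites of the detected distribution. Reboot time defaults to 04:00.
render_unattended_conf() {
    origin="$1"; codename="$2"; reboot_time="${3:-04:00}"
    cat <<EOF
// Generated configuration: Origins-Pattern only, no Allowed-Origins.
#clear Unattended-Upgrade::Allowed-Origins;
Unattended-Upgrade::Origins-Pattern {
    "origin=${origin},archive=${codename}";
    "origin=${origin},archive=${codename}-updates";
    "origin=${origin},archive=${codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "${reboot_time}";
EOF
}

# 20auto-upgrades: daily list refresh and upgrade run, autoclean every 7 days.
render_periodic_conf() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Write both files into an apt.conf.d directory (a temp dir works for testing).
install_conf() {
    dest="$1"; origin="$2"; codename="$3"; reboot_time="${4:-04:00}"
    render_unattended_conf "$origin" "$codename" "$reboot_time" > "$dest/50unattended-upgrades"
    render_periodic_conf > "$dest/20auto-upgrades"
    chmod 0644 "$dest/50unattended-upgrades" "$dest/20auto-upgrades"
}

# Validation: APT must parse at least one pattern back, and a dry run must
# succeed (it prints the "Allowed origins are:" line shown in the README).
validate_conf() {
    apt-config dump | grep -q '^Unattended-Upgrade::Origins-Pattern:: ' \
        || { echo "APT did not load any Origins-Pattern entry" >&2; return 1; }
    unattended-upgrades --dry-run --debug
}

# The root-only part: install the package, write config, enable timers.
main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    set -- $(detect_distro /etc/os-release)    # $1=origin $2=codename
    if ! command -v unattended-upgrades >/dev/null 2>&1; then
        apt-get update
        DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades
    fi
    install_conf /etc/apt/apt.conf.d "$1" "$2" "${REBOOT_TIME:-04:00}"
    if command -v systemctl >/dev/null 2>&1; then
        systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
    fi
    validate_conf
    echo "[OK] unattended updates configured; reboot at ${REBOOT_TIME:-04:00} if needed"
}

# Only act on the live system when asked, e.g.:
#   sudo REBOOT_TIME=03:30 sh ./render-auto-updates.sh --apply
if [ "${1:-}" = "--apply" ]; then main "$@"; fi
```

Without `--apply` the file only defines functions, so you can source it and call `render_unattended_conf Debian bookworm` to see the exact text before it lands in `/etc`. Reading the tree back with `apt-config dump` is the cheapest way to catch a syntax error in an apt.conf fragment; the dry run then confirms that the patterns actually match the origins in your `sources.list`, which is what the "Allowed origins are:" line in the example output reports.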