setup-auto-updates.sh

A cross-compatible shell script for enabling unattended automatic updates on Debian and Ubuntu systems.
Designed for clean, predictable configuration using modern Origins-Pattern syntax.
Includes dry-run validation and systemd timer setup when supported.


Version: 2025-07-28
License: MIT


Features

  • Detects Debian or Ubuntu and applies best-practice configuration
  • Configures unattended-upgrades to install regular and security updates automatically
  • Clears legacy Allowed-Origins and uses clean Origins-Pattern format
  • Supports both traditional and deb822-style APT sources
  • Enables systemd timers (apt-daily.timer and apt-daily-upgrade.timer) when available
  • Configures daily update checks, weekly autoclean, and auto-reboot at 4:00 AM if needed
  • Includes a dry-run validation with basic error detection
  • Prompts to delete the script after successful execution

Compatibility

  • Debian: Bookworm, Trixie, and newer
  • Ubuntu: Noble (24.04 LTS) and newer
  • Should be safe on any modern system with unattended-upgrades and apt

What It Does

  • Installs unattended-upgrades if missing
  • Writes a new /etc/apt/apt.conf.d/50unattended-upgrades using a robust and portable structure
  • Enables APT periodic updates via /etc/apt/apt.conf.d/20auto-upgrades
  • Enables systemd timers if systemctl is available
  • Does not run any updates itself or reboot your system directly
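
To confirm the result after a run, the following added example (not part of setup-auto-updates.sh or this repository) audits `apt-config dump` text for the settings listed above. It assumes the script writes the standard APT keys with the values 1 (daily), 7 (weekly autoclean) and the configured reboot time; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `apt-config dump` text for the settings this README describes.
# On a real host:  apt-config dump | audit_auto_updates 04:00

cfg_get() {    # $1 = scalar key, $2 = dump text -> prints its value (empty if unset)
    printf '%s\n' "$2" | sed -n "s/^$1 \"\(.*\)\";\$/\1/p" | tail -n 1
}
cfg_count() {  # $1 = list key, $2 = dump text -> prints the number of list entries
    printf '%s\n' "$2" | grep -c "^$1:: \"" || true
}
expect() {     # $1 = key, $2 = expected value; reads $dump, sets $fail on mismatch
    got=$(cfg_get "$1" "$dump")
    if [ "$got" = "$2" ]; then
        echo "[OK]   $1 = \"$got\""
    else
        echo "[FAIL] $1 = \"$got\" (expected \"$2\")"; fail=1
    fi
}

audit_auto_updates() {  # stdin = dump text, $1 = expected reboot time (default 04:00)
    dump=$(cat); fail=0
    expect APT::Periodic::Update-Package-Lists 1
    expect APT::Periodic::Unattended-Upgrade 1
    expect APT::Periodic::AutocleanInterval 7
    expect Unattended-Upgrade::Automatic-Reboot true
    expect Unattended-Upgrade::Automatic-Reboot-Time "${1:-04:00}"
    # Need at least one Origins-Pattern entry and no leftover legacy Allowed-Origins.
    if [ "$(cfg_count Unattended-Upgrade::Origins-Pattern "$dump")" -eq 0 ]; then
        echo "[FAIL] no Origins-Pattern entries found"; fail=1
    fi
    legacy=$(cfg_count Unattended-Upgrade::Allowed-Origins "$dump")
    if [ "$legacy" -ne 0 ]; then
        echo "[FAIL] $legacy legacy Allowed-Origins entries still active"; fail=1
    fi
    return "$fail"
}

# Constructed sample input in `apt-config dump` format (not captured from a real system).
SAMPLE_GOOD='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,archive=bookworm-updates";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";'
SAMPLE_LEGACY="$SAMPLE_GOOD
Unattended-Upgrade::Allowed-Origins:: \"Debian:bookworm-security\";"

printf '%s\n' "$SAMPLE_GOOD" | audit_auto_updates 04:00
```

A non-zero exit status means at least one setting differs from what the README describes; pass the value you gave REBOOT_TIME as the argument if you changed it.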

Kernel Update Policy

By default, this script permits installation of updated kernels if they match the configured origins (e.g., -updates, -security).
If you prefer to exclude kernel packages from automatic updates, add the following to /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Package-Blacklist {
    "linux-image";
    "linux-headers";
};

Example Output

[INFO] Unattended-upgrades configurator (Debian/Ubuntu)
[INFO] Detected OS: Debian GNU/Linux 12 (bookworm)
[INFO] Updating APT cache…
[INFO] Installing unattended-upgrades…
[INFO] Validating unattended-upgrades with a dry run…
Allowed origins are: origin=Debian,archive=bookworm, origin=Debian,archive=bookworm-updates, ...
[INFO] Timers:
Mon 2025-07-28 06:40:14 MDT ... apt-daily-upgrade.timer
Mon 2025-07-28 10:51:12 MDT ... apt-daily.timer
[OK] Unattended updates configured. Regular + security updates will apply automatically; reboot at 04:00 if needed.

Usage

sudo ./setup-auto-updates.sh
  • Must be run as root
  • Prompts to delete itself after successful configuration if run interactively

Customization

  • Reboot Time:
    sudo REBOOT_TIME="03:30" ./setup-auto-updates.sh
    
  • Exclude Third-Party Updates:
    Use /etc/apt/apt.conf.d/60unattended-thirdparty to add site=... patterns.

Systemd Timers Enabled

  • apt-daily.timer: Regular APT metadata refresh
  • apt-daily-upgrade.timer: Executes unattended-upgrades daily

Self-Delete Behavior

At the end of the script, you'll be asked:

Script successful. Do you wish to delete this script?

This helps keep your directory tidy after one-time provisioning.

Limitations

  • Does not configure granular package pinning or holds
  • Does not auto-install non-origin packages (e.g., third-party repos) unless explicitly configured
  • Power-check skipped (optional powermgmt-base not installed)
  • Not compatible with non-Debian-based distributions (e.g., Fedora, Arch)

License

MIT License: use freely, modify as needed, no warranties.


Created and maintained by a privacy-conscious, security-oriented Linux sysadmin.

Description
Universal Unattended-Updates Configuration for Debian & Ubuntu

This repository contains scripts to configure automatic system updates on Debian and Ubuntu using unattended-upgrades. The script offers the flexibility to choose between enabling full updates or restricting updates to security-only updates. It also includes locale fixes, smart reboot configurations, and automatic cleanup of unused dependencies. This script ensures safe operation on Debian Bookworm/Trixie and Ubuntu (Noble+), while avoiding conflicts with legacy configurations. It does not configure updates for third-party repositories.