@daemonhorn
Last active November 15, 2024 00:42

Auto-Update for Ubuntu/Debian using Unattended-Upgrades package

Install

Unattended-upgrades is installed by:

sudo apt install unattended-upgrades
sudo systemctl enable --now unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Configure

The default config is reasonable, but should be inspected. The config file is located at /etc/apt/apt.conf.d/50unattended-upgrades

50unattended-upgrades example

The following configuration assumes "stable" has been defined in /etc/apt/sources.list rather than a codename-specific config; adjust as desired. It includes an example for an external repo (updates.signal.org).

Unattended-Upgrade::Origins-Pattern {
      "origin=Debian,codename=${distro_codename}-updates";
      "origin=Debian,codename=${distro_codename}-proposed-updates";
      "origin=Debian,codename=${distro_codename},label=Debian";
      "origin=Debian,codename=${distro_codename},label=Debian-Security";
      "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

      "site=updates.signal.org";
      "o=Debian,a=stable";
      "o=Debian,a=stable-updates";
      "o=Debian,a=proposed-updates";
      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};

Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Laptop knobs (optional)

Unattended-Upgrade::OnlyOnACPower "true";
Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

Report failures (optional)

Note that this requires a local mail relay such as postfix to be set up. This configuration will send an email report when an update has an error:

Unattended-Upgrade::Mail "root@localhost";
Unattended-Upgrade::MailReport "only-on-error";

Testing / Debug

sudo unattended-upgrade --dry-run --verbose

This will give you details of what it will do without actually installing/changing anything.
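
To review what the Origins-Pattern entries above actually permit, the following added example (not part of the original gist) classifies each pattern and lists the reboot settings from `apt-config dump` output. The function names, tag names and sample dump are constructed for illustration, and it assumes a Debian host using the Origins-Pattern syntax shown above.

```shell
#!/bin/sh
# Added example: classify the origins unattended-upgrades may install from.
# Reads `apt-config dump` text, i.e. the merged view of every apt.conf.d file.

# Constructed sample in `apt-config dump` format, mirroring the config above.
sample_dump() {
cat <<'EOF'
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-proposed-updates";
Unattended-Upgrade::Origins-Pattern:: "site=updates.signal.org";
Unattended-Upgrade::Origins-Pattern:: "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}

# audit_uu: one "TAG<TAB>detail" line per origin pattern and reboot setting.
# Tags (this example's own labels): DEBIAN, PROPOSED, BACKPORTS, EXTERNAL, REBOOT.
audit_uu() {
  awk -F'"' '
    /^Unattended-Upgrade::Origins-Pattern:: / {
      pat = $2; origin = ""
      n = split(pat, kv, ",")
      for (i = 1; i <= n; i++) {
        eq = index(kv[i], "=")
        key = substr(kv[i], 1, eq - 1)
        if (key == "o" || key == "origin") origin = substr(kv[i], eq + 1)
      }
      if (pat ~ /proposed-updates/)    tag = "PROPOSED"
      else if (pat ~ /[Bb]ackports/)   tag = "BACKPORTS"
      else if (origin == "Debian")     tag = "DEBIAN"
      else                             tag = "EXTERNAL"
      print tag "\t" pat
      next
    }
    /^Unattended-Upgrade::Automatic-Reboot(-WithUsers|-Time)? / {
      key = $1
      sub(/^Unattended-Upgrade::/, "", key); sub(/ $/, "", key)
      print "REBOOT\t" key "=" $2
    }
  '
}

# Default: run on the constructed sample. Pass --live to audit this host.
if [ "${1:-}" = "--live" ]; then
  apt-config dump | audit_uu
else
  sample_dump | audit_uu
fi
```

Run with `--live` on a real host. Each EXTERNAL line is a repository whose packages will be installed as root without a human reviewing them, so its signing key and transport deserve the same scrutiny as the distribution's own.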
