Setup Unattended Upgrades on Debian All-In-One bash script.

setup_unattended_upgrades.sh

#!/bin/bash

# setup_unattended_upgrades.sh
# This script configures Debian's Unattended Upgrades to:
# 1. Automatically update all packages.
# 2. Automatically restart services after upgrades.
# 3. Automatically respond "no" to configuration file replacement prompts.
# 4. Limit system reboots to once every two weeks if strictly required.

set -e  # Exit immediately if a command exits with a non-zero status.

# Ensure the script is run as root.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root. Use sudo or switch to the root user."
    exit 1
fi

echo "Starting Unattended Upgrades setup..."

# ----------------------------
# 1. Install Necessary Packages
# ----------------------------
echo "Installing required packages: unattended-upgrades..."

apt update
apt install -y unattended-upgrades

# ----------------------------
# 2. Enable Unattended Upgrades
# ----------------------------
echo "Enabling Unattended Upgrades..."

# Enable the unattended-upgrades service.
# This modifies /etc/apt/apt.conf.d/20auto-upgrades
AUTO_UPGRADES_CONFIG="/etc/apt/apt.conf.d/20auto-upgrades"

cat > "$AUTO_UPGRADES_CONFIG" <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

# ----------------------------
# 3. Configure Unattended Upgrades
# ----------------------------
echo "Configuring Unattended Upgrades settings..."

# Backup existing configuration files if they exist.
BACKUP_DIR="/etc/apt/apt.conf.d/backup_unattended_upgrades_$(date +%F_%T)"
mkdir -p "$BACKUP_DIR"

CONFIG_50="/etc/apt/apt.conf.d/50unattended-upgrades"
CONFIG_10="/etc/apt/apt.conf.d/10periodic"

if [ -f "$CONFIG_50" ]; then
    cp "$CONFIG_50" "$BACKUP_DIR/"
    echo "Backup of $CONFIG_50 created at $BACKUP_DIR/"
fi

if [ -f "$CONFIG_10" ]; then
    cp "$CONFIG_10" "$BACKUP_DIR/"
    echo "Backup of $CONFIG_10 created at $BACKUP_DIR/"
fi

# Configure /etc/apt/apt.conf.d/50unattended-upgrades
cat > "$CONFIG_50" <<EOF
// 50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {
    "\${distro_id}:\${distro_codename}";
    "\${distro_id}:\${distro_codename}-updates";
    "\${distro_id}:\${distro_codename}-proposed";
    "\${distro_id}:\${distro_codename}-backports";
    "\${distro_id}:\${distro_codename}-security";
};

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

Unattended-Upgrade::Mail "";
Unattended-Upgrade::MailOnlyOnError "false";

Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::InstallOnShutdown "false";

Unattended-Upgrade::Automatic-Reboot-Successful "true";

Unattended-Upgrade::DPkg::Options {
   "--force-confdef";
   "--force-confold";
};

Unattended-Upgrade::Enable-Restore-Terminal "false";
EOF

# Configure /etc/apt/apt.conf.d/10periodic
cat > "$CONFIG_10" <<EOF
// 10periodic

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Automatic-Reboot "1";
APT::Periodic::Automatic-Reboot-Time "02:00";
EOF

# ----------------------------
# 4. Enable and Start Unattended Upgrades Service
# ----------------------------
echo "Enabling and starting Unattended Upgrades service..."

systemctl enable unattended-upgrades
systemctl start unattended-upgrades

# ----------------------------
# 5. Create Reboot Management Script
# ----------------------------
echo "Creating reboot management script..."

REBOOT_SCRIPT="/usr/local/bin/unattended-upgrades-reboot.sh"

cat > "$REBOOT_SCRIPT" <<'EOF'
#!/bin/bash

# /usr/local/bin/unattended-upgrades-reboot.sh

# Variables
REBOOT_TIMESTAMP_FILE="/var/log/last_unattended_reboot"
REBOOT_INTERVAL_SECONDS=1209600  # 2 weeks in seconds

# Check if a reboot is required
if [ -f /var/run/reboot-required ]; then
    CURRENT_TIMESTAMP=$(date +%s)

    if [ -f "$REBOOT_TIMESTAMP_FILE" ]; then
        LAST_REBOOT_TIMESTAMP=$(cat "$REBOOT_TIMESTAMP_FILE")
        DIFF=$((CURRENT_TIMESTAMP - LAST_REBOOT_TIMESTAMP))
        if [ "$DIFF" -ge "$REBOOT_INTERVAL_SECONDS" ]; then
            echo "Reboot required and interval elapsed. Rebooting now..."
            echo "$CURRENT_TIMESTAMP" > "$REBOOT_TIMESTAMP_FILE"
            /sbin/shutdown -r now
        else
            echo "Reboot required but within interval. Skipping reboot."
        fi
    else
        # Timestamp file doesn't exist; create it and reboot
        echo "$CURRENT_TIMESTAMP" > "$REBOOT_TIMESTAMP_FILE"
        echo "Reboot required. Rebooting now..."
        /sbin/shutdown -r now
    fi
else
    echo "No reboot required."
fi
EOF

# Make the script executable
chmod +x "$REBOOT_SCRIPT"

# ----------------------------
# 6. Ensure Reboot Timestamp File Exists
# ----------------------------
echo "Ensuring reboot timestamp file exists..."

REBOOT_TIMESTAMP_FILE="/var/log/last_unattended_reboot"
touch "$REBOOT_TIMESTAMP_FILE"
chmod 644 "$REBOOT_TIMESTAMP_FILE"

# ----------------------------
# 7. Create Cron Job for Reboot Management Script
# ----------------------------
echo "Creating cron job for reboot management script..."

CRON_JOB="0 3 * * * $REBOOT_SCRIPT >> /var/log/unattended-upgrades-reboot.log 2>&1"

# Check if the cron job already exists
(crontab -l 2>/dev/null | grep -F "$REBOOT_SCRIPT") || \
    (echo "$CRON_JOB" | crontab -u root -)

echo "Cron job added: $CRON_JOB"

# ----------------------------
# 8. Verify Configuration
# ----------------------------
echo "Verifying Unattended Upgrades configuration..."

# Dry run to check configuration
unattended-upgrade --dry-run --debug

echo "Unattended Upgrades setup completed successfully."

# ----------------------------
# 9. Optional: Display Summary
# ----------------------------
echo "----------------------------------------"
echo "Summary of Unattended Upgrades Setup:"
echo "----------------------------------------"
echo "1. Packages installed: unattended-upgrades, update-notifier-common"
echo "2. Configuration files:"
echo "   - /etc/apt/apt.conf.d/50unattended-upgrades"
echo "   - /etc/apt/apt.conf.d/10periodic"
echo "3. Reboot management script: $REBOOT_SCRIPT"
echo "4. Reboot timestamp file: $REBOOT_TIMESTAMP_FILE"
echo "5. Cron job scheduled at 3:00 AM daily to manage reboots."
echo "6. Unattended Upgrades service enabled and started."
echo "7. Configuration verified with a dry run."
echo "----------------------------------------"