Configuring Unattended Upgrades on Ubuntu/Debian

Configuring Unattended Upgrades on Ubuntu/Debian

Ubuntu and Debian systems provide the unattended-upgrades package for automated security updates:

# Install unattended-upgrades
# (apt-listchanges is optional; it reports changelog entries for upgraded packages)
sudo apt update
sudo apt install unattended-upgrades apt-listchanges

# Enable unattended-upgrades
# This opens an interactive debconf prompt; answer "Yes" to enable automatic runs.
# Afterwards, check which origins and packages would be selected, without
# installing anything:
#   sudo unattended-upgrade --dry-run --debug
sudo dpkg-reconfigure --priority=low unattended-upgrades

Edit /etc/apt/apt.conf.d/50unattended-upgrades to control which package origins are upgraded automatically and how cleanup, notifications and reboots are handled:

// Only packages coming from an origin listed here are upgraded automatically.
// Each entry has the form "origin:archive"; ${distro_id} and
// ${distro_codename} are substituted by unattended-upgrades at run time.
// NOTE(review): the entries below follow Ubuntu's naming. Debian's packaged
// file selects origins with Unattended-Upgrade::Origins-Pattern instead;
// on Debian, confirm the security archive is really matched with
// "unattended-upgrade --dry-run --debug".
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // ESM origins: only relevant on Ubuntu systems attached to ESM / Ubuntu Pro
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
    // Optionally include updates (not just security)
    // "${distro_id}:${distro_codename}-updates";
};

// Package blacklist - packages listed here are never upgraded automatically
// (typically services whose restart needs a maintenance window).
// Entries are matched against package names as regular expressions.
// Security caveat: a blacklisted package also stops receiving automatic
// security fixes, so every entry needs its own manual patching process.
// Keep this list as short as possible.
Unattended-Upgrade::Package-Blacklist {
    // "apache2";
    // "nginx";
    // "mysql-server";
    // "postgresql";
};

// Auto-remove unused dependencies
// Remove-Unused-Kernel-Packages: remove kernel packages that are no longer
// needed; this helps keep /boot from filling up and blocking later kernel updates.
// Remove-Unused-Dependencies: remove packages that are no longer required,
// comparable to running "apt autoremove" after the upgrade.
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

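// Email notifications
// Delivery needs a working mail setup on the host (an MTA or a mailx-style
// client); without one, reports are silently not delivered.
// admin@example.com is a PLACEHOLDER - replace it with a monitored mailbox
// or a local user such as "root".
Unattended-Upgrade::Mail "admin@example.com";
// "on-change" sends a report only when a run changed something; the other
// accepted values are "always" and "only-on-error".
// NOTE(review): older unattended-upgrades releases use
// Unattended-Upgrade::MailOnlyOnError instead of MailReport - check which
// option the packaged 50unattended-upgrades on your release documents.
Unattended-Upgrade::MailReport "on-change";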

// Automatic reboot settings
// With Automatic-Reboot "false", updates that need a restart (kernel, libc,
// ...) are installed, but the old, unpatched code keeps running until
// someone reboots the machine. A pending reboot is flagged by the file
// /var/run/reboot-required - monitor it and schedule reboots accordingly.
// Automatic-Reboot-WithUsers and Automatic-Reboot-Time only take effect
// once Automatic-Reboot is set to "true".
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Upgrade behaviour
// AutoFixInterruptedDpkg: if an earlier run left dpkg in an unclean state,
//   repair it first so that upgrades are not blocked indefinitely.
// MinimalSteps: split the upgrade into small chunks so that it can be
//   interrupted safely.
// InstallOnShutdown "false": install while the system is running instead of
//   deferring the upgrade to shutdown.
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";

// Bandwidth limit (KB/sec) for APT downloads over HTTP.
// Commented out = no limit.
// Acquire::http::Dl-Limit "70";

Configure how often the periodic APT jobs run in /etc/apt/apt.conf.d/20auto-upgrades:

// Each value is an interval in days; "0" disables the job.
// NOTE(review): on systemd hosts the time of day is set by the
// apt-daily.timer and apt-daily-upgrade.timer units, not by this file -
// confirm with "systemctl list-timers".
// Refresh the package lists (like "apt-get update") every day
APT::Periodic::Update-Package-Lists "1";
// Pre-download upgradeable packages every day
APT::Periodic::Download-Upgradeable-Packages "1";
// Clean obsolete package files from the local cache every 7 days
APT::Periodic::AutocleanInterval "7";
// Run unattended-upgrade every day; without this line nothing is installed
APT::Periodic::Unattended-Upgrade "1";