{"id":49898588,"url":"https://github.com/ruhanirabin/unattended-setup-script-debian","last_synced_at":"2026-05-16T01:37:35.403Z","repository":{"id":257207307,"uuid":"857619606","full_name":"ruhanirabin/unattended-setup-script-debian","owner":"ruhanirabin","description":"A production-ready shell script that automates the setup of unattended security updates on Ubuntu and Debian servers. Keeps your systems patched against known vulnerabilities with zero manual intervention.","archived":false,"fork":false,"pushed_at":"2026-04-29T08:25:24.000Z","size":77,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-29T08:34:57.480Z","etag":null,"topics":["debian","shell-script","ubuntu","unattended-upgrades"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ruhanirabin.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2024-09-15T06:24:20.000Z","updated_at":"2026-04-29T08:26:58.000Z","dependencies_parsed_at":null,"dependency_job_id":"d67e2843-a752-4d9a-8913-5564a03d30b0","html_url":"https://github.com/ruhanirabin/unattended-setup-script-debian","commit_stats":null,"previous_names":["ruhanirabin/unattended-setup-script-debian"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/ruhanirabin/unattended-setup-script-debian","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ruhanirabin%2Funattended-setup-script-debian","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ruhanirabin%2Funattended-setup-script-debian/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ruhanirabin%2Funattended-setup-script-debian/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ruhanirabin%2Funattended-setup-script-debian/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ruhanirabin","download_url":"https://codeload.github.com/ruhanirabin/unattended-setup-script-debian/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ruhanirabin%2Funattended-setup-script-debian/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33087028,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-15T20:25:35.270Z","status":"ssl_error","status_checked_at":"2026-05-15T20:25:34.732Z","response_time":103,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debian","shell-script","ubuntu","unattended-upgrades"],"created_at":"2026-05-16T01:37:35.110Z","updated_at":"2026-05-16T01:37:35.388Z","avatar_url":"https://github.com/ruhanirabin.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Automatic Security Updates Setup Script\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)\n[![Version](https://img.shields.io/badge/version-3.2.0-blue.svg)](CHANGELOG.md)\n[![Ubuntu](https://img.shields.io/badge/Ubuntu-24.04%20%7C%2024.10%20%7C%2025.04%20%7C%2025.10%20%7C%2026.04%20%7C%2026.10-E95420)](#)\n[![Debian](https://img.shields.io/badge/Debian-13%20%7C%2014%20%7C%20Sid-A81D33)](#)\n\nA production-ready shell script that automates the setup of unattended security updates on Ubuntu and Debian servers. Keeps your systems patched against known vulnerabilities with zero manual intervention.\n\n---\n\n## Quick Install\n\nRun as **root**:\n\n```bash\nsudo bash -c \"$(curl -fsSL https://github.com/ruhanirabin/unattended-setup-script-debian/raw/main/setup_auto_updates.sh)\"\n```\n\nFor **non-interactive** (automation/Ansible/Packer):\n\n```bash\nsudo bash setup_auto_updates.sh --yes\n```\n\n---\n\n## Requirements\n\n- **Root access** (sudo or root user)\n- **Internet connectivity** for package installation\n- Minimum **50 MB** free disk space\n\n\u003e **Container note:** The script detects the absence of systemd and skips service enablement, but still writes configuration files. You can use cron or a container-native scheduler instead.\n\n---\n\n## Supported Distributions\n\n| Distribution | Versions | Codenames |\n|---|---|---|\n| Ubuntu | 24.04 LTS | noble |\n| Ubuntu | 24.10 | oracular |\n| Ubuntu | 25.04 | plucky |\n| Ubuntu | 25.10 | questing |\n| Ubuntu | 26.04 LTS | resolute |\n| Ubuntu | 26.10 | — |\n| Debian | 13 | trixie |\n| Debian | 14 | forky |\n| Debian | Sid (unstable) | sid |\n\n\u003e **Note:** Unsupported versions will be detected and rejected with a clear error message listing supported releases.\n\n---\n\n## What This Script Does\n\n1. **Root verification** — ensures the script runs with elevated privileges\n2. **Distribution detection** — identifies OS type, version, and codename via `/etc/os-release`\n3. **Existing config check** — detects running unattended-upgrades and warns about reconfiguration\n4. **Package installation** — installs `unattended-upgrades` via apt\n5. **Config backup** — backs up existing APT configuration files before modification\n6. **Unattended-upgrades configuration** — writes distribution-specific config (`50unattended-upgrades`)\n7. **Schedule configuration** — sets daily update/check cycles (`20auto-upgrades`)\n8. **Dry-run validation** — tests the configuration without applying changes\n9. **Service enable/start** — enables and starts the `unattended-upgrades` systemd service\n10. **Status verification** — reports service state and provides verification commands\n\n---\n\n## Usage\n\n### Interactive Mode (default)\n\n```bash\nsudo bash setup_auto_updates.sh\n```\n\nPrompts for confirmation before making changes.\n\n### Non-Interactive Mode\n\n```bash\nsudo bash setup_auto_updates.sh --yes\n```\n\nSkips all prompts. Ideal for automation, Ansible, Packer, or cloud-init.\n\n### Dry-Run Mode\n\n```bash\nsudo bash setup_auto_updates.sh --dry-run\n```\n\nValidates the environment and shows what would be done without making any changes.\n\n### Verbose Mode\n\n```bash\nsudo bash setup_auto_updates.sh --yes --verbose\n```\n\nEnables detailed debug output on stdout and in the log file.\n\n### Quiet Mode (CI/CD / Ansible)\n\n```bash\nsudo bash setup_auto_updates.sh --yes --quiet\n```\n\nMinimal output: only errors and the final `STATUS: CHANGED` or `STATUS: UNCHANGED` marker.\n\n### Custom Log File\n\n```bash\nsudo bash setup_auto_updates.sh --log-file /var/log/my-setup.log\n```\n\n### All Options\n\n| Flag | Description |\n|---|---|\n| `-y`, `--yes` | Skip all confirmation prompts |\n| `-n`, `--dry-run` | Validate only, no changes |\n| `-q`, `--quiet` | Minimal output (errors + status only) |\n| `-v`, `--verbose` | Enable debug output |\n| `-l`, `--log-file \u003cpath\u003e` | Set custom log file path |\n| `-h`, `--help` | Show help and exit |\n\n---\n\n## Automation \u0026 Idempotency\n\nThe script is designed to be **idempotent** — running it multiple times is safe and will not duplicate work:\n\n- Package installation skips if already present\n- Config files are compared before writing; unchanged files are left alone\n- Service enablement only reports a change if it was not previously enabled\n- **Final output** includes a status marker for automation tools:\n  - `STATUS: CHANGED` — something was modified\n  - `STATUS: UNCHANGED` — everything was already up to date\n\nUse `--quiet` with `--yes` for Ansible, Packer, cloud-init, or CI/CD pipelines.\n\n---\n\n## Ansible Integration\n\nA ready-to-use Ansible role, sample inventory, and playbook are included in the `ansible/` directory. The layout follows standard Ansible conventions so it can be run manually, via cron, or imported into tools like Ansible Semaphore / AWX.\n\n### Directory Layout\n\n```\nansible/\n├── ansible.cfg                 # Ansible settings (become, inventory path, forks)\n├── inventory/\n│   └── hosts.yml               # Sample YAML inventory\n├── playbooks/\n│   └── site.yml                # Main entry-point playbook\n└── roles/\n    └── unattended_updates/\n        ├── defaults/main.yml   # Default variables (safe to override)\n        ├── handlers/main.yml   # Service restart handler\n        ├── tasks/main.yml      # Role tasks\n        └── templates/\n            ├── 20auto-upgrades.j2\n            └── 50unattended-upgrades.j2\n```\n\n### Prerequisites\n\n- **Ansible 2.15+** on the control node.\n- **SSH key-based access** (or password with `ansible_ssh_pass`) to target hosts.\n- **Sudo / root** privileges on targets (`become: true` is set in `ansible.cfg`).\n- Targets must run **Ubuntu 24.04+** or **Debian 13+**.\n\n### Inventory Setup\n\nThe included `inventory/hosts.yml` is a minimal example. Adapt it to your environment:\n\n```yaml\nall:\n  children:\n    homelab:\n      vars:\n        ansible_user: root\n      hosts:\n        node-02-web:\n          ansible_host: 192.168.68.10\n        node-02-db:\n          ansible_host: 192.168.68.11\n    vps:\n      vars:\n        ansible_user: root\n      hosts:\n        vps-hermes:\n          ansible_host: 203.0.113.5\n```\n\nYou can also use a static INI file if you prefer:\n\n```ini\n[homelab]\nnode-02-web ansible_host=192.168.68.10 ansible_user=root\nnode-02-db  ansible_host=192.168.68.11 ansible_user=root\n\n[vps]\nvps-hermes ansible_host=203.0.113.5 ansible_user=root\n```\n\n#### Group / Host Variables\n\nPlace overrides under `inventory/group_vars/` or `inventory/host_vars/` so they are automatically loaded:\n\n```yaml\n# inventory/group_vars/homelab.yml\n---\nunattended_updates_auto_reboot: true\nunattended_updates_auto_reboot_time: \"00:30\"\n```\n\n```yaml\n# inventory/host_vars/vps-hermes.yml\n---\nunattended_updates_auto_reboot: false\n```\n\n### Running the Playbook\n\n#### Basic Deploy (All Hosts)\n\n```bash\ncd ansible\nansible-playbook playbooks/site.yml\n```\n\n#### Check Mode (Dry Run)\n\n```bash\nansible-playbook playbooks/site.yml --check --diff\n```\n\n#### Limit to a Group or Single Host\n\n```bash\nansible-playbook playbooks/site.yml --limit homelab\nansible-playbook playbooks/site.yml --limit node-02-web\n```\n\n#### Verbose Output\n\n```bash\nansible-playbook playbooks/site.yml -v\nansible-playbook playbooks/site.yml -vvv   # Debug-level\n```\n\n#### Custom Inventory File\n\n```bash\nansible-playbook playbooks/site.yml -i /path/to/your/inventory.yml\n```\n\n### Role Variables\n\nAll variables are defined in `ansible/roles/unattended_updates/defaults/main.yml`. Override them at the playbook, inventory, group_vars, or command-line level.\n\n| Variable | Default | Description |\n|---|---|---|\n| `unattended_updates_auto_reboot` | `false` | Reboot automatically if a kernel or critical update requires it |\n| `unattended_updates_auto_reboot_time` | `\"02:00\"` | Reboot schedule in 24-hour format |\n| `unattended_updates_auto_reboot_with_users` | `false` | Reboot even when users are logged in |\n| `unattended_updates_dev_release` | `\"false\"` | Allow development release upgrades (keep `false`) |\n| `unattended_updates_periodic_update_package_lists` | `\"1\"` | Days between `apt update` runs (`1` = daily) |\n| `unattended_updates_periodic_unattended_upgrade` | `\"1\"` | Days between unattended upgrade runs |\n| `unattended_updates_periodic_autoclean_interval` | `\"7\"` | Days between `apt autoremove` / `autoclean` runs |\n| `unattended_updates_log_file` | `\"/var/log/ansible-unattended-setup.log\"` | Path for the role’s internal log |\n\n#### Override Examples\n\n**Inside the playbook:**\n\n```yaml\n---\n- name: Configure automatic security updates\n  hosts: all\n  become: true\n  roles:\n    - role: unattended_updates\n      vars:\n        unattended_updates_auto_reboot: true\n        unattended_updates_auto_reboot_time: \"00:30\"\n```\n\n**On the command line:**\n\n```bash\nansible-playbook playbooks/site.yml \\\n  -e \"unattended_updates_auto_reboot=true\" \\\n  -e \"unattended_updates_auto_reboot_time=04:00\"\n```\n\n### Idempotency\n\nThe role is fully idempotent:\n- APT cache is only updated if older than 1 hour.\n- Configuration files are backed up before changes.\n- The systemd service is restarted only when configs change (handler).\n- The dry-run step reports `changed_when: false` and is allowed to fail gracefully on systems with no pending updates.\n\n### Ansible Semaphore / AWX\n\nThis repository is compatible with [Ansible Semaphore](https://www.semui.co/) and Red Hat Ansible Automation Platform:\n\n1. Add this repository as a **Project** / **Task Template** source.\n2. Set the playbook path to `ansible/playbooks/site.yml`.\n3. Point the inventory to your own inventory file or use the sample at `ansible/inventory/hosts.yml`.\n4. The role automatically detects Ubuntu vs Debian and applies the correct origin patterns.\n\n### Cron Automation (Control Node)\n\nRun the playbook automatically from your control node at midnight:\n\n```cron\n0 0 * * * cd /opt/unattended-setup-script-debian/ansible \u0026\u0026 \\\n  git pull origin main \u003e/dev/null 2\u003e\u00261 \u0026\u0026 \\\n  ansible-playbook playbooks/site.yml \u003e\u003e /var/log/ansible-nightly.log 2\u003e\u00261\n```\n\n### Using the Shell Script Directly in Ansible\n\nIf you prefer invoking the shell script instead of the role:\n\n```yaml\n- name: Set up unattended security updates\n  ansible.builtin.script: ../setup_auto_updates.sh\n  args:\n    creates: /etc/apt/apt.conf.d/50unattended-upgrades\n  register: unattended_setup\n  changed_when: \"'STATUS: CHANGED' in unattended_setup.stdout\"\n```\n\nFor non-interactive execution, pass `--yes`:\n\n```yaml\n- name: Set up unattended security updates (non-interactive)\n  ansible.builtin.command: \"bash {{ playbook_dir }}/../setup_auto_updates.sh --yes --quiet\"\n  args:\n    creates: /etc/apt/apt.conf.d/50unattended-upgrades\n  register: unattended_setup\n  changed_when: \"'STATUS: CHANGED' in unattended_setup.stdout\"\n```\n\n---\n\n## Configuration Details\n\n### `/etc/apt/apt.conf.d/50unattended-upgrades`\n\nThe main unattended-upgrades configuration. This script generates a distro-specific file:\n\n- **Ubuntu**: Uses `Allowed-Origins` with `${distro_id}:${distro_codename}-security` patterns\n- **Debian**: Uses `Origins-Pattern` with `origin=Debian,codename=\u003ccodename\u003e` patterns\n\n**Included settings:**\n- Security updates only (updates, proposed, backports commented out)\n- `AutoFixInterruptedDpkg \"true\"` — recovers from interrupted package operations\n- `MinimalSteps \"true\"` — safer upgrades resilient to interruptions\n- `Remove-Unused-Kernel-Packages \"true\"` — cleans old kernels\n- `Remove-Unused-Dependencies \"true\"` — removes orphaned packages\n- `Automatic-Reboot \"false\"` — disabled by default for safety\n\n**Enabling automatic reboot:**\n\nEdit `/etc/apt/apt.conf.d/50unattended-upgrades` and change:\n\n```\nUnattended-Upgrade::Automatic-Reboot \"true\";\nUnattended-Upgrade::Automatic-Reboot-Time \"02:00\";\n```\n\n### `/etc/apt/apt.conf.d/20auto-upgrades`\n\nControls the periodic execution schedule:\n\n```\nAPT::Periodic::Update-Package-Lists \"1\";       # Daily\nAPT::Periodic::Unattended-Upgrade \"1\";          # Daily\nAPT::Periodic::AutocleanInterval \"7\";           # Weekly\n```\n\n---\n\n## Post-Installation Verification\n\nAfter running the script, verify the setup:\n\n```bash\n# Check service status\nsystemctl status unattended-upgrades\n\n# View service journal\njournalctl -u unattended-upgrades --no-pager -n 50\n\n# Run a dry-run test\nsudo unattended-upgrades --dry-run -v\n\n# Check the unattended-upgrades log\nsudo cat /var/log/unattended-upgrades/unattended-upgrades.log\n\n# View the script's own log\nsudo cat /var/log/unattended-setup.log\n```\n\n---\n\n## Logging\n\nThe script writes structured logs to:\n\n- **Default path:** `/var/log/unattended-setup.log`\n- **Custom path:** Use `--log-file /path/to/log`\n\n**Log format:**\n\n```\n[YYYY-MM-DD HH:MM:SS] [LEVEL] message\n```\n\n**Levels:** INFO, WARN, ERROR, DEBUG\n\n**Unattended-upgrades logs** (managed by the package itself):\n\n- `/var/log/unattended-upgrades/unattended-upgrades.log`\n- `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log`\n\n---\n\n## Troubleshooting\n\n### Service not starting\n\n```bash\n# Check journal for errors\njournalctl -u unattended-upgrades -e --no-pager\n\n# Check APT configuration syntax\nsudo apt-config dump | grep -i unattended\n```\n\n### Dry-run test fails\n\nThis is normal on freshly installed systems with no pending updates. Verify with:\n\n```bash\nsudo unattended-upgrades --dry-run -v --apt-debug\n```\n\n### \"Unsupported distribution\" error\n\nThe script validates the OS version against a supported list. Update the script or file an issue if your version should be supported.\n\n### Configuration not applying\n\nEnsure no conflicting files exist in `/etc/apt/apt.conf.d/`:\n\n```bash\nls -la /etc/apt/apt.conf.d/ | grep -E '(10periodic|20auto|50unattended)'\n```\n\nThe script backs up existing files with a `.bak.\u003ctimestamp\u003e` suffix.\n\n### \"Another instance is already running\" error\n\nThe script uses a lock file (`/var/run/setup_auto_updates.sh.lock`) to prevent concurrent runs. If a previous run crashed without cleaning up:\n\n```bash\nsudo rm -f /var/run/setup_auto_updates.sh.lock\n```\n\n### Running in Docker / containers\n\nThe script detects the absence of systemd and skips service management. Configuration files are still written. To run unattended-upgrades in a container, use cron instead:\n\n```bash\napt-get install -y cron\n(crontab -l 2\u003e/dev/null; echo \"0 6 * * * /usr/bin/unattended-upgrade --dry-run\") | crontab -\n```\n\n### Reverting changes\n\nSee the [Uninstallation](#uninstallation) section below.\n\n---\n\n## Security Considerations\n\n- **Automatic updates** can introduce regressions. Test on non-production systems first\n- The script installs **security updates only** by default — it does not apply feature updates or backports\n- **Kernel updates** that require a reboot will not automatically reboot the system (configurable)\n- Always **review** scripts from the internet before piping them to `bash`\n- Configuration files are **backed up** before modification\n- The `AutoFixInterruptedDpkg` option helps recover from interrupted upgrades but may mask underlying package issues\n\n---\n\n## Uninstallation\n\nTo reverse all changes made by this script:\n\n```bash\n# 1. Stop and disable the service\nsudo systemctl stop unattended-upgrades\nsudo systemctl disable unattended-upgrades\n\n# 2. Remove configuration files\nsudo rm -f /etc/apt/apt.conf.d/20auto-upgrades\nsudo rm -f /etc/apt/apt.conf.d/50unattended-upgrades\n\n# 3. Restore backups (if available)\nsudo mv /etc/apt/apt.conf.d/*.bak.* /etc/apt/apt.conf.d/ 2\u003e/dev/null || true\n\n# 4. Remove the package (optional)\nsudo apt-get remove --purge -y unattended-upgrades\nsudo apt-get autoremove -y\n\n# 5. Remove the setup log\nsudo rm -f /var/log/unattended-setup.log\n```\n\n---\n\n## Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md) for the full release history.\n\n---\n\n## License\n\nThis project is licensed under the MIT License. See [LICENSE](LICENSE) for details.\n\n---\n\n## Author\n\n**Ruhani Rabin**\n\n---\n\n## Contributing\n\nIssues and pull requests are welcome. Please test any changes on both Ubuntu and Debian before submitting.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fruhanirabin%2Funattended-setup-script-debian","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fruhanirabin%2Funattended-setup-script-debian","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fruhanirabin%2Funattended-setup-script-debian/lists"}