Author: HomeSec Explorer
License: MIT
Tags: autoupdate, unattendedupgrades, dnfautomatic, selfhosted, homelab, security
This role installs, configures, and manages automatic package updates on Debian, Ubuntu, and Rocky Linux.
It provides a single interface for unattended-upgrades on Debian and Ubuntu, and dnf-automatic on Rocky Linux.
The role handles installation, configuration, scheduling, and reboot behavior with sensible defaults that can be overridden via variables.
- Ansible >= 2.13
- root or sudo privileges on managed hosts
- Debian 12 (Bookworm), 13 (Trixie)
- Ubuntu 22.04 (Jammy), 24.04 (Noble)
- Rocky Linux 9 (Blue Onyx), 10 (Red Quartz)
Note: the OS compatibility check variable (`hseau_os_check`) validates platforms supported by this role. It does not reflect upstream distro or tool support.
Legend: ✅ manual test passed - 🔁 covered in CI - ⚪ not tested
| Distro | Version | Manually verified | CI | Notes |
|---|---|---|---|---|
| Debian | 13 | ✅ | 🔁 | |
| Debian | 12 | ✅ | 🔁 | |
| Ubuntu | 24.04 | ✅ | 🔁 | |
| Ubuntu | 22.04 | ⚪ | 🔁 | |
| Rocky | 10 | ✅ | 🔁 | |
| Rocky | 9 | ✅ | 🔁 | |
See defaults/main.yml for the full list.
```yaml
# General control
hseau_autoupdate_enabled: true # enable auto updates (false removes components)
# Debian/Ubuntu: apt periodic configuration
hseau_update_package_lists: "1" # apt update every n days (0 disables)
hseau_download_upgradeable_packages: "1" # download upgrades daily (0 disables)
hseau_unattended_clean_interval: "7" # apt autoclean every n days (0 disables)
hseau_unattended_upgrade: "1" # run unattended-upgrades every n days
hseau_unattended_verbose: "0" # 0 no mail, 1 status, 2+ details
hseau_unattended_random_sleep: "1800" # max random delay in seconds
# unattended-upgrades main options
hseau_unattended_reboot: false # reboot automatically if required
hseau_unattended_reboot_time: "06:00" # time for auto reboot when enabled
hseau_unattended_mail_to: "" # e.g. root@example.com
hseau_unattended_mail_on_error: true # only send mail on errors
hseau_unattended_additional: [] # extra Origins-Pattern entries
hseau_unattended_blacklist: [] # packages to exclude
# Rocky Linux: dnf-automatic
hseau_dnf_auto_apply_updates: "yes" # apply updates
hseau_dnf_auto_download_updates: "yes" # download automatically
hseau_dnf_auto_random_sleep: "1800" # random delay (seconds)
hseau_dnf_auto_upgrade_type: "security" # default | security
hseau_dnf_auto_reboot: "never" # never | when-changed | when-needed
hseau_dnf_auto_emit_via: "" # e.g. email, motd, dbus
hseau_dnf_auto_email_from: "" # sender address
hseau_dnf_auto_email_to: "" # recipient address
hseau_dnf_auto_email_host: "" # smtp server
hseau_dnf_auto_additional: [] # list of { regexp, line }
# - { regexp: 'setting_abc', line: 'setting_abc = yes' }
```

From Ansible Galaxy (recommended):

```bash
ansible-galaxy install HomeSecExplorer.autoupdate
```

Or manually (via Git):

```bash
git clone https://github.com/HomeSecExplorer/ansible-role-autoupdate.git roles/HomeSecExplorer.autoupdate
```

```yaml
- name: Enable unattended upgrades on all hosts
  hosts: all
  become: true
  vars:
    hseau_autoupdate_enabled: true
  roles:
    - role: HomeSecExplorer.autoupdate
```

- Test on a lab host before enabling automatic reboots.
- If you need to stagger updates, increase the random delay.
- For servers that must not auto reboot, keep `hseau_unattended_reboot: false` and rely on maintenance windows.
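
A post-run check for the notes above, as an added example that is not part of this role: it parses `apt-config dump` output from a Debian/Ubuntu host and reports drift from a no-reboot, auto-update-enabled policy. It assumes the role's variables end up in the standard apt keys shown (that mapping is not stated on this page); the function names are hypothetical and the sample dump is constructed.

```python
import re

# Constructed sample of `apt-config dump` output from a host that must not auto reboot.
SAMPLE_DUMP = """\
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "06:00";
"""

LINE_RE = re.compile(r'^(\S+)\s+"(.*)";$')  # apt-config dump format: Key "value";
PERIODIC_KEYS = ("APT::Periodic::Update-Package-Lists",
                 "APT::Periodic::Unattended-Upgrade")

def parse_apt_config(dump):
    """Return {key: value} parsed from `apt-config dump` style text."""
    settings = {}
    for line in dump.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def audit(dump, allow_reboot=False):
    """Return a list of findings; an empty list means the host matches policy."""
    cfg = parse_apt_config(dump)
    findings = []
    for key in PERIODIC_KEYS:
        # A missing key or an interval of "0" means the periodic job is off.
        if cfg.get(key, "0") in ("", "0"):
            findings.append(f"{key} is disabled or unset")
    if cfg.get("Unattended-Upgrade::Automatic-Reboot", "false").lower() == "true":
        if not allow_reboot:
            findings.append("automatic reboot is enabled on a no-reboot host")
        elif not cfg.get("Unattended-Upgrade::Automatic-Reboot-Time"):
            # Without a reboot time, unattended-upgrades reboots right after upgrading.
            findings.append("automatic reboot has no scheduled time")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP) or ["OK: matches no-reboot policy"]:
        print(finding)
```

On a real host, pass the text returned by `apt-config dump` to `audit()` in place of the sample.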
Inspired by concepts from: