Created
October 8, 2024 23:31
-
-
Save spezifisch/9fe7a98076182e28df4a83cf0671b7c7 to your computer and use it in GitHub Desktop.
Automated Setup for Security-Only Unattended Upgrades on Debian Systems
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # SPDX-License-Identifier: GPL-3.0-only | |
| # | |
| # Author: spezifisch <spezifisch+gpl@gmail.com> | |
| # Date: 2024-10-09 | |
| # Function to prompt for overwrite | |
| prompt_overwrite() { | |
| local file=$1 | |
| if [[ -f "$file" ]]; then | |
| read -p "REALLY WANT TO OVERWRITE (Y/N) FILE ${file}? " choice | |
| case "$choice" in | |
| y|Y ) | |
| echo "Overwriting ${file}..." | |
| return 0 | |
| ;; | |
| * ) | |
| echo "Skipping ${file}..." | |
| return 1 | |
| ;; | |
| esac | |
| fi | |
| return 0 | |
| } | |
| # Check if unattended-upgrades is installed, install if not | |
| if ! dpkg -s unattended-upgrades &>/dev/null; then | |
| echo "Installing unattended-upgrades..." | |
| sudo apt-get update && sudo apt-get install -y unattended-upgrades | |
| fi | |
| # Define the configuration files | |
| config_file_50unattended="/etc/apt/apt.conf.d/50unattended-upgrades" | |
| config_file_20auto="/etc/apt/apt.conf.d/20auto-upgrades" | |
| # Enable unattended-upgrades and configure for security updates only | |
| if prompt_overwrite "$config_file_50unattended"; then | |
| echo "Configuring unattended-upgrades for security updates only..." | |
| sudo tee "$config_file_50unattended" >/dev/null <<EOF | |
| Unattended-Upgrade::Allowed-Origins { | |
| "Debian:${distro_codename}-security"; | |
| "Debian:${distro_codename}-updates"; | |
| }; | |
| Unattended-Upgrade::Automatic-Reboot "true"; | |
| EOF | |
| fi | |
| # Configure auto-update settings | |
| if prompt_overwrite "$config_file_20auto"; then | |
| echo "Configuring auto-update settings..." | |
| sudo tee "$config_file_20auto" >/dev/null <<EOF | |
| APT::Periodic::Update-Package-Lists "1"; | |
| APT::Periodic::Unattended-Upgrade "1"; | |
| EOF | |
| fi | |
| # Enable the unattended-upgrades service | |
| echo "Enabling unattended-upgrades service..." | |
| sudo systemctl enable --now unattended-upgrades | |
| # Verify that unattended-upgrades is active | |
| if systemctl is-active --quiet unattended-upgrades; then | |
| echo "Unattended-upgrades is active and running." | |
| else | |
| echo "Failed to start unattended-upgrades service." | |
| exit 1 | |
| fi | |
| # Show current unattended-upgrades status | |
| echo "Unattended-upgrades status:" | |
| systemctl status unattended-upgrades --no-pager |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment