auto-update-ubuntu/README.md

# Auto Update for Ubuntu 24.04 Server
[![OS](https://img.shields.io/badge/ubuntu-24.04-E95420)](#)
[![Shell](https://img.shields.io/badge/shell-bash-121011)](#)
[![Feature](https://img.shields.io/badge/feature-controlled_updates-0078D7)](#)
[![Cron](https://img.shields.io/badge/scheduler-cron-lightgrey)](#)
[![License](https://img.shields.io/badge/License-MIT-green)](./LICENSE)

Install unattended security and system updates on Ubuntu 24.04 server.

This is not a demo and not a quick experiment.  
This is a production-ready policy tool designed to enforce predictable update behaviour.

---

## Why this installer exists
Ubuntu includes unattended-upgrades, but configuration is often inconsistent, unclear, or left in default states that do not match operational policy.

This script provides a repeatable way to enforce a defined update policy, ensuring systems are patched regularly and reboot behaviour is predictable.

---

## What this installer does
✔ Configures unattended-upgrades using a clean, deterministic policy  
✔ Allows switching between four update modes  
✔ Ensures updates are enforced on a fixed weekly schedule  
✔ Automatically rebuilds the unattended-upgrades configuration safely  
✔ Leaves Ubuntu’s timers untouched  
✔ Safe to re-run and switch modes at any time  
✔ Logs policy changes for auditing and troubleshooting  
✔ Uses vendor defaults as a base to preserve compatibility  

---

## What this installer does NOT do
It won’t stop you from running the script without reading the documentation like there’s no tomorrow.  
Skip the README, and whatever happens next is your headache, not a bug report.

---

## 1. Download the installer

```
git clone https://git.x-files.dk/server/auto-update-ubuntu.git
```

```
cd auto-update-ubuntu
```

---

## 2. Run the installer

```
sudo ./auto-update <mode>
```

Example:

```
sudo ./auto-update 2
```

---

## Available modes

The modes control two things:
- Which updates are installed
- Whether the system reboots automatically if required

The script is built with re-runs in mind.  
If you need to switch modes, simply run the script again with another mode.  
The current policy will be replaced automatically.

**Mode 1**  
Security + updates (full system updates, not security-only)  
Automatic reboot  
Reboot happens even if users are logged in  

**Mode 2**  
Security + updates (full system updates, not security-only)  
No automatic reboot  
Users are notified on next login if a reboot is required  

**Mode 3**  
Security updates only  
Automatic reboot  
Reboot happens even if users are logged in  

**Mode 4**  
Security updates only  
No automatic reboot  
Users are notified on next login if a reboot is required  

---

## How it works

The script rebuilds the unattended-upgrades configuration from Ubuntu’s vendor template each time a mode is applied.  
This ensures a clean and predictable configuration and avoids problems caused by manually edited or partially modified files.

If you manually edit `/etc/apt/apt.conf.d/50unattended-upgrades`, those changes will be overwritten, but only when you switch modes.

A cron job (`/etc/cron.d/auto-update`) is created to enforce updates every Friday at 03:00.  
This ensures that systems are updated regularly even if users postpone updates during the week.

Ubuntu’s systemd timers are left untouched.  
If both timers and the cron job run, nothing breaks — updates may simply be checked more than once.

---

## Cron behaviour

The cron job is created the first time a mode is applied and is scheduled to run every Friday at 03:00.

The cron file is created as:

```
/etc/cron.d/auto-update
```

You are free to change the schedule to any time you prefer, or even run it daily if required.  
The script does not modify or reset the cron job after it has been created.

Switching modes does not alter the existing cron schedule.

---

## Common questions

**Q:** Why am I still seeing available updates? Is the script not working?**  
**A:** These notifications are generated by Ubuntu’s default update timers, which this script does not disable.  
You may still see update notifications during the week, even though the cron enforcement job runs on Friday.

If you log in on a Tuesday and updates are available, you are encouraged to install them manually.  
This will not conflict with the script.

You may also see updates appear shortly after the scheduled run.  
This simply means new updates were released after the last scheduled update cycle.

---

## Logging

Policy changes are logged to:

```
/var/log/auto-update.log
```

This log records when a mode was applied and which user executed the script.

Package installation and upgrade details are logged by unattended-upgrades in:

```
/var/log/unattended-upgrades/
```

---

### More Information

More guides and documentation can be found on [wiki.x-files.dk](https://wiki.x-files.dk)

---

### License
Licensed under the [MIT License](./LICENSE).