debian, linux, nextcloud, raspberrypi, security

Automatic security updates on a Debian system

Computer security is an issue of paramount importance. More even so whenever we are running services exposed to the internet. Much more even so when those services can compromise sensitive data.

The first piece of advice you will always get is “keep your system up to date with the latest security patches”, and my favourite way of keeping my Debian systems safe is through the unattended-upgrades package.

Automatic security updates are handy when we are managing a considerable number of servers but we want to be careful as things can break for users or our coworkers, so choosing the right configuration and having a predefined procedure can save us some headaches.

This is included in the latest release of NextCloudPi.


Generic Installer

You can easily install it and configure it in your running server through the generic installer

Raspbian offline

Alternatively, you can install it offline into a Raspbian SD card using QEMU.

Extract the SD card and copy the image to your computer (adjust sdx).


Once done, you can copy it back (adjust sdx).


If you want to do it step by step, install with

Easy configuration

If you are using the generic installer or issue nextcloudpi-config  in NextCloudPi it will only come down to two simple settings

  • ACTIVE: type yes to enable automatic updates
  • AUTOREBOOT: type yes to allow automatic reboots when needed.

In this setup, automatic reboots will only be run when needed, and will be run at 4:00 am.

Also, some settings will be configured for you:  .deb packages will be cached for 2 weeks, and a periodic apt-get autoclean will be run every week to prevent the autoupdate setup to take up too much storage.

See the code below for details. If you have different needs, continue reading.

Detailed Configuration

If you want to go in more detail, issue

This will create /etc/apt/apt.conf.d/20auto-upgrades with the following simple configuration

, which will update package lists and perform security updates daily ( see parameter “1” ).

You can check all options on /etc/apt/apt.conf.d/50unattended-upgrades

Your updates will be run from /etc/cron.daily/apt. That file is also worth a reading if you like tweaking things, like for instance scheduled apt-get autoremove.

More on usage

You can run it yourself with

If you have mailing setup, use this option

The operations are written to


[update] Raspbian does not support the Raspbian-Security label. For Raspbian, it is either update nothing or everything, security or not. See this forum thread.




Author: nachoparker

Humbly sharing things that I find useful [ github dockerhub ]

9 Comments on “Automatic security updates on a Debian system

  1. I activated unattended-upgrades through nextcloudpi-config and noticed that the configuration file “/etc/apt/apt.conf.d/50unattended-upgrades” has no Origins-Pattern defined. The daily logs in “/var/log/unattended-upgrades/unattended-upgrades.log” showed “Allowed origins are: []”.

    My first question: Why is there no pattern like “o=Raspbian,a=stable,l=Raspbian-Security”; so that the logs show “Allowed origins are: [‘o=Raspbian,a=stable,l=Raspbian-Security’]” and one knows what is being upgraded?

    My second question: Should I avoid including a pattern like “o=Raspbian,a=stable,l=Raspbian” for non-security updates? I suspect that could conflict with the update policy of the NextCloudPi project.

    My third question: Does a NextCloudPi update overwrite my changes to e.g. “/etc/apt/apt.conf.d/50unattended-upgrades”?

    1. Hi, I reviewed this and fixed it in v0.17.2

      I was very surprised to learn that Raspbian-Security is not a thing for Raspbian. I wrote a post asking for it. It would be great if more people helped deliver pressure on the Raspbian developers to implement this.

      For now, unattended upgrades will upgrade the whole system, there is no way to apply only security updates. I will now update the post with this information

      Thanks again for your feedback

      edit: Regarding your last question… NextCloudPi only works with /etc/apt/apt.conf.d/20nextcloudpi-upgrades, so any changes to /etc/apt/apt.conf.d/50unattended-upgrades will not be overwritten by NCP.

      1. Hi, thank you for the quick fix and sorry for not pasting the question to github right away.

        I had a dry run with unattended upgrades which now gave me
        “Allowed origins are: [‘o=Raspbian,n=jessie,l=Raspbian’, ‘o=Raspbian,n=stretch,l=Raspbian’]”
        and (dummy) upgraded all the updated packages . I think it works fine now.

        Also, I like

        – that NextCloudPi works with /etc/apt/apt.conf.d/20nextcloudpi-upgrades and leaves /etc/apt/apt.conf.d/50unattended-upgrades untouched,
        – and that you use the codenames (n=jessie and n=stretch) in your patterns to follow the migration of those releases.

        This leaves users with the option to define additional patterns in /etc/apt/apt.conf.d/50unattended-upgrades if one prefers to be a bit more progressive and include a pattern like “o=Raspbian,a=stable,l=Raspbian” to match a different release after migration. I had another dry run with this additional pattern included in /etc/apt/apt.conf.d/50unattended-upgrades and it gave me
        “Allowed origins are: [‘o=Raspbian,n=jessie,l=Raspbian’, ‘o=Raspbian,n=stretch,l=Raspbian’, ‘o=Raspbian,a=stable,l=Raspbian’]”

        I think I will stick to the default NextCloudPi patterns.

        I also read your post about the Raspbian-Security Label and felt pretty suprised too.

        By the way, great project.

Leave a Reply

Your email address will not be published. Required fields are marked *