From aa9b57c67eedca65d883b7565c148e9ff4e22278 Mon Sep 17 00:00:00 2001 From: allan Date: Fri, 13 Feb 2026 11:20:00 +0100 Subject: [PATCH] logic changes --- README.md | 32 ++++++++++++++++++++------------ auto-update | 23 +++++++++++++++++++++++ 2 files changed, 43 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 294f9b3..6ec1f00 100644 --- a/README.md +++ b/README.md @@ -23,8 +23,8 @@ This script provides a repeatable way to enforce a defined update policy, ensuri ✔ Configures unattended-upgrades using a clean, deterministic policy ✔ Allows switching between four update modes ✔ Ensures updates are enforced on a fixed weekly schedule +✔ Disables Ubuntu’s automatic periodic upgrades to prevent unexpected reboots ✔ Automatically rebuilds the unattended-upgrades configuration safely -✔ Leaves Ubuntu’s timers untouched ✔ Safe to re-run and switch modes at any time ✔ Logs policy changes for auditing and troubleshooting ✔ Uses vendor defaults as a base to preserve compatibility 
@@ -102,11 +102,19 @@ This ensures a clean and predictable configuration and avoids problems caused by If you manually edit `/etc/apt/apt.conf.d/50unattended-upgrades`, those changes will be overwritten, but only when you switch modes. -A cron job (`/etc/cron.d/auto-update`) is created to enforce updates every Friday at 03:00. -This ensures that systems are updated regularly even if users postpone updates during the week. +The script also enforces the file: -Ubuntu’s systemd timers are left untouched. -If both timers and the cron job run, nothing breaks — updates may simply be checked more than once. +``` +/etc/apt/apt.conf.d/20auto-upgrades +``` + +to disable Ubuntu’s automatic periodic upgrades. +This prevents unattended-upgrades from running automatically in the background and ensures that update and reboot behaviour is controlled entirely by the scheduled cron job. + +A cron job (`/etc/cron.d/auto-update`) is created to enforce updates every Friday at 03:00. +This ensures that systems are updated regularly in a predictable maintenance window. + +Ubuntu’s systemd timers are not removed, but because periodic upgrades are disabled, they do not install updates automatically. --- 
@@ -129,15 +137,15 @@ Switching modes does not alter the existing cron schedule. ## Common questions -**Q:** Why am I still seeing available updates? Is the script not working?** -**A:** These notifications are generated by Ubuntu’s default update timers, which this script does not disable. -You may still see update notifications during the week, even though the cron enforcement job runs on Friday. +**Q:** Why am I not seeing updates appear automatically during the week? +**A:** The script disables Ubuntu’s automatic periodic upgrade mechanism. +Updates are installed only during the scheduled cron run unless you run `apt update` or install updates manually. -If you log in on a Tuesday and updates are available, you are encouraged to install them manually. -This will not conflict with the script. +**Q:** Can I still install updates manually? +**A:** Yes. Running `apt update` and `apt upgrade` manually will not conflict with the script. -You may also see updates appear shortly after the scheduled run. -This simply means new updates were released after the last scheduled update cycle. +**Q:** What happens if new security updates are released during the week? +**A:** They will be installed at the next scheduled cron run unless you choose to install them manually earlier. --- diff --git a/auto-update b/auto-update index 5cd4d44..ea62829 100755 --- a/auto-update +++ b/auto-update @@ -15,6 +15,7 @@ if [[ $(id -u) -ne 0 ]]; then echo "" && echo "Must be root or use sudo" && echo # config="/etc/apt/apt.conf.d/50unattended-upgrades" template="/usr/share/unattended-upgrades/50unattended-upgrades" +autoupgrades="/etc/apt/apt.conf.d/20auto-upgrades" cronfile="/etc/cron.d/auto-update" logfile="/var/log/auto-update.log" 
@@ -41,6 +42,23 @@ chkcfg () { fi } +# +# Function: Enforce 20auto-upgrades policy +# +ensure_auto_upgrades_policy() { + + printf "Enforcing auto-upgrades policy...\n" + +cat < "$autoupgrades" +# Managed by auto-update script — do not edit manually +APT::Periodic::Update-Package-Lists "0"; +APT::Periodic::Unattended-Upgrade "0"; +EOF + + chmod 644 "$autoupgrades" + chown root:root "$autoupgrades" +} + # # Function: Detect current mode # @@ -214,6 +232,11 @@ apt-get install -y unattended-upgrades update-notifier-common >/dev/null # chkcfg "$config" "$template" +# +# Enforce APT periodic policy +# +ensure_auto_upgrades_policy + # # Argument handling #
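Review bot: In README.md (hunk at @@ -102,11 +102,19), the new text makes the Friday 03:00 cron job the only path by which updates get installed, but it does not say what happens when that run is missed. cron does not catch up on jobs that were due while the machine was powered off or suspended, and the sentence this hunk removes ("If both timers and the cron job run, nothing breaks") described the timers as a second path that no longer installs anything. Suggest adding a line stating that a host that is down at Friday 03:00 stays unpatched until the following Friday unless it is updated manually, or scheduling the job in a way that retries a missed run.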
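Review bot: In README.md (hunk at @@ -129,15 +137,15), the first answer says updates are installed only during the cron run "unless you run `apt update` or install updates manually", which reads as if `apt update` installs updates; it only refreshes the package lists. The second answer already pairs `apt update` with `apt upgrade`, so the first answer should use the same wording. The third answer should also state the consequence plainly: with a weekly run, a security update released just after Friday 03:00 can wait up to seven days before it is installed.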
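Review bot: In auto-update (hunk at @@ -41,6 +42,23, inside `ensure_auto_upgrades_policy`), the line `cat < "$autoupgrades"` as shown reads from the file instead of writing to it, and nothing opens the here-document that the later `EOF` is meant to close, so the two `APT::Periodic` lines would be run as shell commands. The intent looks like `cat <<EOF > "$autoupgrades"`; please confirm the committed file has that form. The function also overwrites an existing 20auto-upgrades without a backup and writes nothing to `$logfile`, although the README lists "Logs policy changes for auditing and troubleshooting"; a log entry when the file content actually changes would cover that.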
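Review bot: In auto-update (hunk at @@ -214,6 +232,11), `ensure_auto_upgrades_policy` is called before the "Argument handling" block, so 20auto-upgrades is rewritten on every invocation, including one whose arguments turn out to be missing or invalid. Suggest moving the call after the arguments have been validated, or having the function write only when the file content differs, so that a mistyped command does not change the system's update policy as a side effect.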