diff --git a/group_vars/all/unattended.yml b/group_vars/all/unattended.yml
new file mode 100644
index 00000000..cc3c81a4
--- /dev/null
+++ b/group_vars/all/unattended.yml
@@ -0,0 +1,3 @@
+---
+glob_unattended:
+ package_blacklist: []
diff --git a/host_vars/voyager.adm.crans.org.yml b/host_vars/voyager.adm.crans.org.yml
index 577c5097..830c6f26 100644
--- a/host_vars/voyager.adm.crans.org.yml
+++ b/host_vars/voyager.adm.crans.org.yml
@@ -5,3 +5,9 @@ interfaces:
 loc_framadate:
 path: /var/www/framadate
+
+loc_unattended:
+ automatic_reboot: true
+
+loc_needrestart:
+ override: []
diff --git a/roles/needrestart/tasks/main.yml b/roles/needrestart/tasks/main.yml
new file mode 100644
index 00000000..b7068b9a
--- /dev/null
+++ b/roles/needrestart/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: apt install needrestart
+ apt:
+ name: needrestart
+
+- name: deploy needrestart configuration files
+ template:
+ src: "{{ item }}.j2"
+ dest: "{{ ('/etc', item) | path_join }}"
+ loop:
+ - needrestart/conf.d/automatic.conf
+ - needrestart/conf.d/override.conf
diff --git a/roles/needrestart/templates/needrestart/conf.d/automatic.conf.j2 b/roles/needrestart/templates/needrestart/conf.d/automatic.conf.j2
new file mode 100644
index 00000000..badda810
--- /dev/null
+++ b/roles/needrestart/templates/needrestart/conf.d/automatic.conf.j2
@@ -0,0 +1,6 @@
+# Restart mode: (l)ist only, (i)nteractive or (a)utomatically.
+#
+# ATTENTION: If needrestart is configured to run in interactive mode but is run
+# non-interactive (i.e. unattended-upgrades) it will fallback to list only mode.
+#
+$nrconf{restart} = '{{ needrestart.override is defined | ternary('a', 'i') }}';
diff --git a/roles/needrestart/templates/needrestart/conf.d/override.conf.j2 b/roles/needrestart/templates/needrestart/conf.d/override.conf.j2
new file mode 100644
index 00000000..256d1fd3
--- /dev/null
+++ b/roles/needrestart/templates/needrestart/conf.d/override.conf.j2
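Review bot: The restart mode written to `$nrconf{restart}` is derived from whether `needrestart.override` happens to be defined, which is why voyager's host_vars carry an empty `loc_needrestart.override: []` whose only effect is switching needrestart to automatic mode; the override list and the restart policy are independent settings and should be keyed separately. Jinja applies the `| ternary(...)` filter to the result of the `is defined` test, so the expression evaluates as intended, but that intent is invisible to the next reader. An explicit flag, `$nrconf{restart} = '{{ needrestart.automatic | default(false) | ternary('a', 'i') }}';` with `automatic: true` in the host's `loc_needrestart`, mirrors how `unattended.automatic_reboot` is handled in the sibling role, and since override.conf.j2 already uses `override | default([])` the empty list on voyager becomes unnecessary. How the `needrestart` mapping is assembled from the `glob_`/`loc_` variables is not visible in this diff, so the exact key path may need adjusting.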
@@ -0,0 +1,6 @@
+# Override service default selection (hash of regex).
+$nrconf{override_rc} = {
+{% for item in needrestart.override | default([]) %}
+ qr(^{{ item.regex }}) => {{ item.mode }},
+{% endfor %}
+}
diff --git a/roles/unattended-upgrades/handlers/main.yml b/roles/unattended-upgrades/handlers/main.yml
new file mode 100644
index 00000000..fee15ccb
--- /dev/null
+++ b/roles/unattended-upgrades/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: systemctl restart unattended-upgrades.service
+ systemd:
+ name: unattended-upgrades
+ state: restarted
diff --git a/roles/unattended-upgrades/tasks/main.yml b/roles/unattended-upgrades/tasks/main.yml
new file mode 100644
index 00000000..26dc89ef
--- /dev/null
+++ b/roles/unattended-upgrades/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: apt install unattended-upgrades
+ apt:
+ name: unattended-upgrades
+
+- name: deploy configuration files
+ template:
+ src: "{{ item }}.j2"
+ dest: "{{ ('/etc', item) | path_join }}"
+ loop:
+ - apt/apt.conf.d/20auto-upgrades
+ - apt/apt.conf.d/50unattended-upgrades
+ notify: systemctl restart unattended-upgrades.service
+
+- name: systemctl enable --now apt-daily.timer apt-daily-upgrade.timer unattended-upgrades.service
+ systemd:
+ name: "{{ item }}"
+ enabled: true
+ state: started
+ loop:
+ - apt-daily.timer
+ - apt-daily-upgrade.timer
+ - unattended-upgrades.service
diff --git a/roles/unattended-upgrades/templates/apt/apt.conf.d/20auto-upgrades.j2 b/roles/unattended-upgrades/templates/apt/apt.conf.d/20auto-upgrades.j2
new file mode 100644
index 00000000..8d6d7c82
--- /dev/null
+++ b/roles/unattended-upgrades/templates/apt/apt.conf.d/20auto-upgrades.j2
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/unattended-upgrades/templates/apt/apt.conf.d/50unattended-upgrades.j2 b/roles/unattended-upgrades/templates/apt/apt.conf.d/50unattended-upgrades.j2
new file mode 100644
index 00000000..fe589a0f
--- /dev/null
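Review bot: `qr(^{{ item.regex }}) => {{ item.mode }},` interpolates both values verbatim into Perl source, so a regex containing an unbalanced `)` or a non-numeric `mode` yields a needrestart config that fails to parse on the host rather than an error at template time, and nothing tells the author of `loc_needrestart.override` what the two fields are. A Jinja comment at the top of the template would close that gap, e.g. `{# override items: regex (Perl regex body, anchored at ^; must not contain an unbalanced ')'), mode (0 = never restart, 1 = restart, as in the stock needrestart.conf) #}`. The stock needrestart.conf also terminates this assignment with `};`; Perl tolerates a missing `;` on the last statement of a file, but matching the stock form costs nothing.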
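Review bot: The `notify: systemctl restart unattended-upgrades.service` on the template task does not reload anything: as far as I recall, `unattended-upgrades.service` on Debian is a `RemainAfterExit` unit whose `ExecStart` is a no-op and whose `ExecStop` runs `unattended-upgrade-shutdown`, i.e. it exists to hold off shutdown while an upgrade is in flight, while the actual upgrade run comes from `apt-daily-upgrade.timer` and reads `/etc/apt/apt.conf.d` fresh each time. Restarting that unit after a config change therefore gains nothing and, if a run is in progress, exercises the shutdown-stop path against it. Dropping the `notify:` and the handler is the safer option; if the play should react to a config change, a `command: apt-config dump` task with `changed_when: false` would at least fail the run on a malformed rendered file. Keeping `enabled: true` on the unit in the next task is still correct, since that is what wires the shutdown inhibitor.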
+++ b/roles/unattended-upgrades/templates/apt/apt.conf.d/50unattended-upgrades.j2 
@@ -0,0 +1,139 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// Lines below have the format "keyword=value,...". A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line. (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted. The accepted keywords are:
+// a,archive,suite (eg, "stable")
+// c,component (eg, "main", "contrib", "non-free")
+// l,label (eg, "Debian", "Debian-Security")
+// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
+// n,codename (eg, "jessie", "jessie-updates")
+// site (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+// ${distro_id} Installed origin.
+// ${distro_codename} Installed codename (eg, "buster")
+Unattended-Upgrade::Origins-Pattern {
+ // Codename based matching:
+ // This will follow the migration of a release through different
+ // archives (e.g. from testing to stable and later oldstable).
+ // Software will be the latest available for the named release,
+ // but the Debian release itself will not be automatically upgraded.
+ "origin=Debian,codename=${distro_codename}";
+ "origin=Debian,codename=${distro_codename}-updates";
+ "origin=Debian,codename=${distro_codename}-proposed-updates";
+ "origin=Debian,codename=${distro_codename}-security";
+};
+
+// Python regular expressions, matching packages to exclude from upgrading
+Unattended-Upgrade::Package-Blacklist {
+{% for item in unattended.package_blacklist %}
+ {{ item | quote }};
+{% endfor %}
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "true";
+
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "root@crans.org";
+
+// Set this value to one of:
+// "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+Unattended-Upgrade::MailReport "on-change";
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+// the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "{{ unattended.automatic_reboot | default(false) | ternary("true", "false") }}";
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+Unattended-Upgrade::Automatic-Reboot-Time "04:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+Unattended-Upgrade::SyslogEnable "true";
+
+// Specify syslog facility. Default is daemon
+Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
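Review bot: `{{ item | quote }}` in the `Package-Blacklist` loop is Ansible's shell-quoting filter, not an apt.conf string: a plain package name comes out bare as `libc6;` and a regex such as `^linux-image.*` as `'^linux-image.*';`, whereas apt.conf string values are double-quoted (the stock Debian file writes `"libc6";`), so I would expect the bare form to be misread and the single-quoted one to be rejected by apt. The line should be `  "{{ item }}";`, with `glob_unattended.package_blacklist` documented as a list of Python regexes. Separately, `${distro_codename}-proposed-updates` is enabled in `Origins-Pattern` while the stock template leaves it commented out; proposed-updates carries packages still awaiting point-release acceptance, so installing them unattended on a production host is a deliberate risk that deserves an inline comment or removal. `Automatic-Reboot-Time "04:00"` is hard-coded while `Automatic-Reboot` is templated; if the window is meant to vary per host it should follow the same `unattended.*` path.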