Automated updates on Debian using Tor and official hidden services

I like to automate the boring, easy tasks we all have to do often, so I would like to share an easy but not widely known trick for Debian/Ubuntu: automated upgrades that run without any manual action.

This post describes the following configurations for a server:

  1. Installation and configuration of unattended upgrades on Debian
  2. Setup of the Tor service that will be used for Debian upgrades
  3. Removal of unused dependencies

Unattended upgrades are well described on the Debian wiki, but to keep all the steps in one place, I’ll copy some parts of it here.

First, you have to install the following packages:

apt-get install unattended-upgrades apt-listchanges

The installation process should create a new file, /etc/apt/apt.conf.d/50unattended-upgrades, where we configure how automated upgrades work and what can be upgraded.

Depending on your server configuration and how much you trust the Debian package maintainers, you can enable the following categories in the Unattended-Upgrade::Origins-Pattern section:

Unattended-Upgrade::Origins-Pattern {
        "o=Debian,n=jessie";
        "o=Debian,n=jessie-updates";
        "o=Debian,n=jessie-proposed-updates";
        "o=Debian,n=jessie,l=Debian-Security";
};

Those correspond to categories of package upgrades. If you want to learn more about this configuration, I suggest going to the official wiki, which is linked above.

Since you’re editing the 50unattended-upgrades file anyway, I recommend uncommenting one more line in it:

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "false";

The second required step is enabling automated upgrades, which you can do easily with:

dpkg-reconfigure -plow unattended-upgrades

and selecting Yes from the menu.

Done. Let’s go to step 2, which is the setup and configuration of the Tor service.

Start by installing Tor if you don’t have it already.
First, add the Tor repository to your apt sources and install Tor with:

echo "deb http://deb.torproject.org/torproject.org jessie main" >> /etc/apt/sources.list
# Fetch the key by its full fingerprint; 8-character short key IDs can be collided
gpg --keyserver keys.gnupg.net --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt-get update
apt-get install tor apt-transport-tor

Start Tor and add it to system startup with:

systemctl start tor.service
systemctl enable tor.service

The last step is to change your apt sources in /etc/apt/sources.list. The content of the file on my servers is as follows:

deb  tor+http://vwakviie2ienjx6t.onion/debian          jessie            main
deb  tor+http://vwakviie2ienjx6t.onion/debian          jessie-updates    main
deb  tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates    main
deb  tor+http://vwakviie2ienjx6t.onion/debian          jessie-backports  main
deb  tor+http://sdscoq7snqtznauu.onion/torproject.org   jessie            main

deb http://nginx.org/packages/debian/ jessie nginx
# Just in case, clearnet tor
#deb http://deb.torproject.org/torproject.org jessie main

Looks like you’re done.
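
A quick way to check which entries of a sources.list like the one above actually go through Tor, as an added example that is not part of the original post: it labels each entry as onion, tor-exit or clearnet. The function names classify_sources and count_clearnet are made up for this example, and the demo input is the file shown above copied into a temporary file.

```shell
#!/bin/sh
# Added example (not from the original post). Labels each active entry of an
# apt sources file by how apt will reach the mirror:
#   onion     tor+http(s)://<name>.onion/...  stays inside the Tor network
#   tor-exit  tor+http(s)://<other host>/...  via Tor, leaves through an exit
#   clearnet  any other scheme                does not use Tor at all
classify_sources() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }  # one-line style entries only
        {
            i = 2
            # Skip an optional "[ opt=val ... ]" block spanning several fields.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
            kind = "clearnet"
            if (uri ~ "^tor[+]https?://") {
                host = uri
                sub("^tor[+]https?://", "", host)
                sub("[/:].*$", "", host)
                kind = (host ~ "[.]onion$") ? "onion" : "tor-exit"
            }
            print kind "\t" uri
        }
    ' "$1"
}

# Number of entries that bypass Tor entirely.
count_clearnet() {
    classify_sources "$1" |
        awk -F "\t" '$1 == "clearnet" { n++ } END { print n + 0 }'
}

# Demo: the sources.list shown above, copied into a temporary file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb  tor+http://vwakviie2ienjx6t.onion/debian          jessie            main
deb  tor+http://vwakviie2ienjx6t.onion/debian          jessie-updates    main
deb  tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates    main
deb  tor+http://vwakviie2ienjx6t.onion/debian          jessie-backports  main
deb  tor+http://sdscoq7snqtznauu.onion/torproject.org   jessie            main
deb http://nginx.org/packages/debian/ jessie nginx
#deb http://deb.torproject.org/torproject.org jessie main
EOF
classify_sources "$sample"
echo "entries bypassing Tor: $(count_clearnet "$sample")"
rm -f "$sample"
```

On the file above this reports one entry bypassing Tor: the nginx.org line, which apt fetches directly over plain http.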
