apt-dater

This is the machine from which you control the update process of all your apt-dater hosts (i.e. the targets). It holds the SSH key that every target accepts, so protect it accordingly.

Package installation

# Controller-side install; recommended packages are skipped.
apt-get --no-install-recommends install apt-dater

Configuration

To create a default set of configuration files, launch apt-dater once and then edit the files under ~/.config/apt-dater/. You need to list all the target hosts in the hosts.xml file.

apt-dater-host

apt-dater-host is a script (also available as a package) that needs to be installed on each machine to be managed remotely by apt-dater. While the apt-dater-host package works well, it pulls in too many dependencies for my taste, and I wanted to expose only a wrapper for better security. That is why I am using a trimmed-down version along with a custom wrapper script.

# Package dependency
# The only package this setup installs for the trimmed-down apt-dater-host;
# recommended packages are skipped.
apt-get --no-install-recommends install libapt-pkg-perl

# Dedicated user creation
# Unprivileged system account with its own group and home directory.
# It keeps a real shell (/bin/sh): sshd runs a forced command through the
# account's login shell, so a nologin shell would break the SSH entry point.
adduser --system --group --quiet \
  --home /var/lib/aptdater \
  --shell /bin/sh \
  aptdater

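# SSH
# The key is pinned to the wrapper (command=) and to the controller's
# networks (from=). A forced command does not by itself turn off forwarding,
# so port and agent forwarding are disabled explicitly as well.
# NOTE(review): on OpenSSH 7.2 or later, "restrict" (plus "pty" if the
# interactive apt-dater session needs a terminal) expresses the same intent
# and also covers options added in the future; confirm before switching.
mkdir -p -m 0700 ~aptdater/.ssh
chmod 0700 ~aptdater/.ssh
# Replace <CONTROLLER_PUBLIC_KEY_BASE64> with the public key of the account
# that runs apt-dater on the controller. The quoted delimiter keeps the line
# literal (no shell expansion inside the here-document).
cat << 'EOF' >> ~aptdater/.ssh/authorized_keys
command="exec /usr/local/bin/apt-dater-host-wrapper",no-user-rc,no-X11-forwarding,no-port-forwarding,no-agent-forwarding,from="172.16.0.0/12,2001:470:b1c3:7900::/56" ssh-rsa <CONTROLLER_PUBLIC_KEY_BASE64> aptdater@sdeziel.info
EOF
chmod 0600 ~aptdater/.ssh/authorized_keys
chown -R aptdater: ~aptdater/.ssh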

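# Sudo
# Only these exact apt-get command lines are allowed: sudoers matches the
# listed arguments literally, so "apt-get install <pkg>" or extra options
# are refused.
# Caveat: dist-upgrade still runs package maintainer scripts as root (and,
# without --assume-yes, interactive dpkg prompts) and may pull in new
# dependencies, so protect the aptdater SSH key like a root credential.
sudoers_tmp=$(mktemp)
cat << "EOF" > "$sudoers_tmp"
# package installation is denied
aptdater ALL = (root) NOPASSWD: /usr/bin/apt-get update
aptdater ALL = (root) NOPASSWD: /usr/bin/apt-get clean
aptdater ALL = (root) NOPASSWD: /usr/bin/apt-get dist-upgrade
aptdater ALL = (root) NOPASSWD: /usr/bin/apt-get --assume-yes dist-upgrade
EOF
# A syntax error under /etc/sudoers.d can break sudo for every user, so the
# snippet is validated first and installed with its final owner and mode in
# one step (no window with a looser mode).
if visudo -cf "$sudoers_tmp"; then
  install -o root -g root -m 0440 "$sudoers_tmp" /etc/sudoers.d/apt-dater-host
else
  echo "sudoers snippet failed validation; not installed" >&2
fi
rm -f -- "$sudoers_tmp"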

# Limits
# pam_limits entry: type "-" sets both the soft and the hard limit, and
# "priority 10" makes the account's processes run at a lower scheduling
# priority (nice 10).
printf '%s\t%s\t%s\t%s\n' aptdater - priority 10 \
  > /etc/security/limits.d/aptdater.conf

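# apt-dater-host and its wrapper
# Both scripts sit on the privileged path (forced SSH command, then sudo), so
# each one is fetched to a temporary file and installed only after a
# successful, non-empty download. Writing straight to /usr/local/bin would
# leave an empty or truncated executable behind when wget fails.
# HTTPS authenticates the server, not the file: read the scripts and compare
# the printed SHA-256 with a value obtained out of band before relying on them.
for f in apt-dater-host apt-dater-host-wrapper; do
  tmp=$(mktemp) || break
  if wget -O "$tmp" "https://sdeziel.info/apt-dater/$f" && [ -s "$tmp" ]; then
    printf '%s: ' "$f"
    sha256sum < "$tmp"
    install -o root -g root -m 0755 "$tmp" "/usr/local/bin/$f"
  else
    echo "download of $f failed; /usr/local/bin/$f left untouched" >&2
  fi
  rm -f -- "$tmp"
done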