From 7a2d1f1c8e224ab9439c8f349fa3ace612355671 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C4=83rcziem=20=E2=84=A2?=
 <118485377+spalencsar@users.noreply.github.com>
Date: Fri, 3 Oct 2025 12:11:57 +0200
Subject: [PATCH] chore(unattended): make automatic updates optional and opt-in
 via config

---
 config/defaults.sh |  3 ++-
 setup.sh           | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/config/defaults.sh b/config/defaults.sh
index 8b19d5e..8507005 100644
--- a/config/defaults.sh
+++ b/config/defaults.sh
@@ -43,7 +43,8 @@ RECOMMENDED_RAM_MB=4096
 # Security settings
 ENABLE_FAIL2BAN=true
 ENABLE_UFW=true
-ENABLE_AUTO_UPDATES=true
+# Automatic security updates are optional. Default is OFF to keep setup non-interactive.
+ENABLE_AUTO_UPDATES=false
 SECURE_SSH=true
 
 # Debug and logging
diff --git a/setup.sh b/setup.sh
index 952d0eb..efacb8b 100644
--- a/setup.sh
+++ b/setup.sh
@@ -339,6 +339,9 @@ create_interactive_config() {
         save_config "INSTALL_PORTAINER" "false"
     fi
     
+    # Automatic updates (optional)
+    save_config "ENABLE_AUTO_UPDATES" "$(ask_yes_no "Enable automatic security updates (unattended-upgrades)?" "n" && echo "true" || echo "false")"
+
     save_config "INSTALL_WEBMIN" "$(ask_yes_no "Install Webmin web interface?" "n" && echo "true" || echo "false")"
     
     log_success "Configuration created and saved to ${CONFIG_FILE}"
@@ -400,7 +403,12 @@ run_installation() {
     current_step=$((current_step + 1)); log_debug "run_installation: about to implement security measures (step $current_step/$total_steps)"; show_progress $current_step $total_steps "Implementing security measures"
     secure_shared_memory
     install_fail2ban
-    configure_automatic_updates
+    # Configure automatic updates only if user opted in
+    if [[ "${ENABLE_AUTO_UPDATES:-false}" == "true" ]]; then
+        configure_automatic_updates
+    else
+        log_info "Automatic security updates are disabled by configuration"
+    fi
     
     # Optional services
     if [[ "${INSTALL_DOCKER:-false}" == "true" ]]; then
@@ -466,7 +474,11 @@ show_installation_summary() {
     echo "  ✓ Samba file sharing configured"
     echo "  ✓ Firewall configured and enabled"
     echo "  ✓ Fail2ban installed and configured"
-    echo "  ✓ Automatic updates enabled"
+    if [[ "${ENABLE_AUTO_UPDATES:-false}" == "true" ]]; then
+        echo "  ✓ Automatic updates enabled"
+    else
+        echo "  - Automatic updates not enabled (optional)"
+    fi
     
     # Service summary
     if [[ "${INSTALL_DOCKER:-false}" == "true" ]]; then