Sane apt upgrades

Signed-off-by: Tommy <contact@tommytran.io>

GCP-Debian-11.sh

@@ -22,9 +22,17 @@ unpriv(){
   sudo -u nobody "$@"
 }
 
-# Compliance
+# Compliance and updates
 sudo systemctl mask debug-shell.service
 
+## Avoid phased updates
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+
+sudo apt update
+sudo apt full-upgrade -y
+sudo apt autoremove -y
+
 # Make home directory private
 sudo chmod 700 /home/*
 
@@ -36,10 +44,6 @@ sudo systemctl restart chronyd
 # Setup repositories
 sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {} \;
 
-# Update and install packages
-sudo apt update
-sudo apt upgrade -y
-
 # Setup ufw
 sudo apt install ufw -y
 sudo ufw enable

Proxmox-8.sh

@@ -20,9 +20,17 @@ output(){
     echo -e '\e[36m'"$1"'\e[0m';
 }
 
-# Compliance
+# Compliance and updates
 systemctl mask debug-shell.service
 
+## Avoid phased updates
+curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+
+apt update
+apt full-upgrade -y
+apt autoremove -y
+
 # Setup NTS
 rm -rf /etc/chrony/chrony.conf
 curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | tee /etc/chrony/chrony.conf
@@ -56,10 +64,8 @@ deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /
 
 echo 'deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription' | tee /etc/apt/sources.list.d/ceph.list
 
-# Update and install packages
-apt update
-apt upgrade -y
-apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs
+# Install packages
+apt install -y intel-microcode tuned fwupd dropbear-initramfs
 
 ### This part assumes that you are using systemd-boot
 echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline

Ubuntu-22.04-Server.sh

@@ -29,9 +29,14 @@ sudo systemctl mask debug-shell.service
 echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue
 echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue.net
 
+## Avoid phased updates
+sudo apt install -y curl
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+
 sudo apt update -y
 sudo apt full-upgrade -y
-sudo apt install -y curl
+sudo apt autoremove -y
 
 # Default to gcc-12 instead of gcc-11
 sudo rm /usr/bin/gcc

Ubuntu-23.10-Desktop.sh

@@ -27,6 +27,11 @@ unpriv(){
 # Compliance and updates
 sudo systemctl mask debug-shell.service
 
+## Avoid phased updates
+sudo apt install curl -y
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+
 sudo apt update -y
 sudo apt full-upgrade -y
 sudo apt autoremove -y
@@ -43,7 +48,7 @@ echo 'umask 077' | sudo tee --append /etc/profile
 
 # Setup NTS
 sudo systemctl disable systemd-timesyncd
-sudo apt install -y curl chrony
+sudo apt install -y chrony
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
 

etc/apt/apt.conf.d/99sane-upgrades

@@ -0,0 +1,5 @@
+Update-Manager::Always-Include-Phased-Updates;
+APT::Get::Always-Include-Phased-Updates;
+APT::Get::Upgrade-Allow-New;
+APT::Get::Install-Recommends "false";
+APT::Get::Install-Suggests "false";