diff --git a/playbooks/bootstrap/roles/unattended-upgrades/defaults/main.yaml b/playbooks/bootstrap/roles/unattended-upgrades/defaults/main.yaml
new file mode 100644
index 0000000..5ac1394
--- /dev/null
+++ b/playbooks/bootstrap/roles/unattended-upgrades/defaults/main.yaml
@@ -0,0 +1,17 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
+# tasks/main.yaml
+unattended_upgrades_task_manager:
+ - config
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/tasks/config.yaml b/playbooks/bootstrap/roles/unattended-upgrades/tasks/config.yaml
new file mode 100644
index 0000000..ccf0945
--- /dev/null
+++ b/playbooks/bootstrap/roles/unattended-upgrades/tasks/config.yaml
@@ -0,0 +1,22 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
+- name: Install unattended-upgrades configuration
+ become: true
+ template:
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ group: root
+ mode: 0644
+ owner: root
+ src: etc/apt/apt.conf.d/50unattended-upgrades.j2
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/tasks/main.yaml b/playbooks/bootstrap/roles/unattended-upgrades/tasks/main.yaml
new file mode 100644
index 0000000..a82e16b
--- /dev/null
+++ b/playbooks/bootstrap/roles/unattended-upgrades/tasks/main.yaml
@@ -0,0 +1,21 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
+- name: Include OS-specific variables
+ include_vars: "{{ ansible_os_family | lower }}.yaml"
+
+- include: "{{ unattended_upgrades_task }}.yaml"
+ with_items: "{{ unattended_upgrades_task_manager }}"
+ loop_control:
+ loop_var: unattended_upgrades_task
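Review bot: In `tasks/config.yaml`, writing `50unattended-upgrades` is the only task, so nothing visible here installs the `unattended-upgrades` package or turns the periodic run on. On a host where `/etc/apt/apt.conf.d/20auto-upgrades` is absent or sets `APT::Periodic::Unattended-Upgrade "0"`, the policy file has no effect and security updates are not applied automatically. If the base images do not already guarantee both, add tasks for them as sketched below. Separately, `mode: 0644` is better written `mode: '0644'` so the value does not depend on YAML octal parsing.

```yaml
- name: Install unattended-upgrades package
  become: true
  package:
    name: unattended-upgrades
    state: present

# … unchanged: Install unattended-upgrades configuration task …

- name: Enable periodic unattended upgrades
  become: true
  copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    group: root
    mode: '0644'
    owner: root
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
```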
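Review bot: In `tasks/main.yaml`, the second task uses bare `include:` with a templated file name and has no `name`. `include` is deprecated in favour of `include_tasks` for dynamic includes, and an unnamed task is hard to find in run output. Suggest `- name: Run unattended-upgrades tasks` followed by `include_tasks: "{{ unattended_upgrades_task }}.yaml"`. Because the file name comes from `unattended_upgrades_task_manager`, which inventory can override, a comment in the defaults stating that the list selects task files under `tasks/` would help anyone reviewing inventory changes.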
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2 b/playbooks/bootstrap/roles/unattended-upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2
new file mode 100644
index 0000000..f32ba65
--- /dev/null
+++ b/playbooks/bootstrap/roles/unattended-upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2
@@ -0,0 +1,15 @@
+//This file is generated by Ansible
+// DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+//
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}:${distro_codename}-updates";
+};
+
+Unattended-Upgrade::Package-Blacklist {
+};
+
+Unattended-Upgrade::DevRelease "false";
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/vars/debian.yaml b/playbooks/bootstrap/roles/unattended-upgrades/vars/debian.yaml
new file mode 100644
index 0000000..009f762
--- /dev/null
+++ b/playbooks/bootstrap/roles/unattended-upgrades/vars/debian.yaml
@@ -0,0 +1,14 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
diff --git a/playbooks/bootstrap/roles/unattended-upgrades/vars/redhat.yaml b/playbooks/bootstrap/roles/unattended-upgrades/vars/redhat.yaml
new file mode 100644
index 0000000..009f762
--- /dev/null
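Review bot: The `50unattended-upgrades.j2` template leaves `Unattended-Upgrade::Automatic-Reboot` unset, so kernel and libc fixes are installed but stay inactive until someone reboots the host. State the choice explicitly, e.g. `Unattended-Upgrade::Automatic-Reboot "false";`, with a comment that `/var/run/reboot-required` has to be monitored. `Allowed-Origins` also lists the base and `-updates` pockets alongside `-security`, which together with `Remove-Unused-Dependencies "true"` means non-security changes and package removals happen without review; a one-line comment recording that this is intended would help. `Mail "root"` only reaches someone if the host has a working local mailer and root alias, which this role does not set up.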
+++ b/playbooks/bootstrap/roles/unattended-upgrades/vars/redhat.yaml
@@ -0,0 +1,14 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+---
diff --git a/playbooks/bootstrap/site.yaml b/playbooks/bootstrap/site.yaml
index 040d87b..3cca907 100644
--- a/playbooks/bootstrap/site.yaml
+++ b/playbooks/bootstrap/site.yaml
@@ -55,6 +55,13 @@ name: iptables when: ansible_os_family == 'Debian' + # NOTE(pabelanger): We currently only support debuntu, this needs to be + # fixed! + - name: Setup unattended-upgrades role + include_role: + name: unattended-upgrades + when: ansible_os_family == 'Debian' + - name: Bootstrap bastion hosts hosts: bastion:!disabled tasks:
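Review bot: In `site.yaml`, the `when: ansible_os_family == 'Debian'` on this `include_role` is the only guard keeping the role's apt-specific template task off other OS families. The role ships `vars/redhat.yaml`, yet `tasks/config.yaml` writes under `/etc/apt` unconditionally. Consider repeating the guard inside the role so that another caller cannot apply it to a non-Debian host by accident. The NOTE comment would be more useful with a pointer to where the missing platform support is tracked. The enclosing play starts and ends outside the hunk.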