Auto update Archlinux and user repository
In this post I’m going to describe how to set up automatic package upgrades / system updates. In the first part, a systemd service and timer trigger the package manager pacman to sync the repositories and upgrade the packages automatically every hour:
autoupdate.service:

```ini
[Unit]
Description=Automatic Update
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/pacman -Syuq --noconfirm --needed --noprogressbar
TimeoutStopSec=180
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
```

autoupdate.timer:

```ini
[Unit]
Description=Automatic Update when booted up after 5 minutes then check the system for updates every 60 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=60min
Unit=autoupdate.service

[Install]
WantedBy=multi-user.target
```

```bash
systemctl enable --now autoupdate.timer
```
The last command enables (on boot) and starts the timer. The second part describes how to set up an extra user, which will automatically fetch and build AUR packages using the helper script aurutils:

```bash
cd /tmp
wget "https://aur.archlinux.org/cgit/aur.git/snapshot/aurutils.tar.gz"
tar xvf aurutils.tar.gz
cd aurutils
gpg --recv-keys 6BC26A17B9B7018A
makepkg -i
```
The following files define the special pacman repository in which the compiled AUR packages will be placed:

/etc/pacman.conf:

```ini
[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent
[...]
Include = /etc/pacman.d/aur
```

/etc/pacman.d/aur:

```ini
[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur
```
The new aur user will have extra permissions to build packages in a chroot (sudoers fragment, edited via visudo):

```
[...]
aur ALL = NOPASSWD: SETENV: /usr/bin/makechrootpkg
aur ALL = NOPASSWD: /usr/bin/arch-nspawn
[...]
```
Create the user and the repository:

```bash
sudo useradd -m aur
sudo install -d /var/cache/pacman/aur -o aur
sudo repo-add /var/cache/pacman/aur/aur.db.tar
sudo chown -R aur:aur /var/cache/pacman/aur
sudo -u aur gpg --recv-keys 6BC26A17B9B7018A
```
aurupdate.service:

```ini
[Unit]
Description=Automatic update AUR repository.
After=network-online.target

[Service]
Type=simple
User=aur
ExecStart=/usr/bin/aur sync --no-view -cu
TimeoutStopSec=180
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
```

aurupdate.timer:

```ini
[Unit]
Description=Automatic update AUR repository when booted up after 5 minutes then check for updates every 60 minutes.

[Timer]
OnBootSec=5min
OnUnitActiveSec=60min
Unit=aurupdate.service

[Install]
WantedBy=multi-user.target
```

```bash
systemctl enable --now aurupdate.timer
```
The last command enables (on boot) and starts the AUR auto update service. Please note that this approach to system upgrading is considered bad practice, poses a security risk and could damage your system. It is recommended to test it only on experimental development environments.
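The aurupdate.service above builds whatever `aur sync -u` reports as updated, and the repository is declared with `SigLevel = Optional TrustAll`, so nothing in the pipeline checks who currently maintains each package. As an added example (not part of the original post and not aurutils code), the following Python script gates the unattended build on a pinned maintainer list queried through the AUR RPC `info` endpoint; the package names, maintainer names and the embedded RPC reply are constructed for the demonstration.

```python
import json
import urllib.parse
import urllib.request

AUR_RPC = "https://aur.archlinux.org/rpc/?v=5&type=info"

# Maintainer each package had when its PKGBUILD was last reviewed by hand.
# Package and maintainer names are constructed for this example.
PINNED = {
    "aurutils": "trusted-dev",
    "foo-git": "alice",
    "bar": "bob",
    "baz": "carol",
}

# Constructed stand-in for the RPC "info" reply, in the same JSON shape the live
# endpoint returns: "Maintainer" is null for orphans, unknown names are omitted.
SAMPLE_RPC = json.dumps({"version": 5, "type": "multiinfo", "resultcount": 3, "results": [
    {"Name": "aurutils", "Maintainer": "trusted-dev", "OutOfDate": None},
    {"Name": "foo-git", "Maintainer": "mallory", "OutOfDate": None},
    {"Name": "bar", "Maintainer": None, "OutOfDate": 1600000000},
]})


def fetch_info(names):
    """Query the live AUR RPC for the given package names (needs network)."""
    query = "&".join("arg[]=" + urllib.parse.quote(n) for n in names)
    with urllib.request.urlopen(AUR_RPC + "&" + query, timeout=30) as resp:
        return resp.read().decode()


def check_maintainers(rpc_json, pinned):
    """Split pinned packages into (buildable, problems) by current maintainer."""
    results = {r["Name"]: r for r in json.loads(rpc_json)["results"]}
    buildable, problems = [], {}
    for name, trusted in pinned.items():
        info = results.get(name)
        if info is None:
            problems[name] = "missing from AUR (deleted or renamed)"
        elif info.get("Maintainer") is None:
            problems[name] = "orphaned: anyone may adopt it and push a new PKGBUILD"
        elif info["Maintainer"] != trusted:
            problems[name] = f"maintainer changed: {trusted} -> {info['Maintainer']}"
        else:
            buildable.append(name)
    return buildable, problems


if __name__ == "__main__":
    # Print only packages cleared for `aur sync`; exit non-zero if any were held back.
    ok, bad = check_maintainers(SAMPLE_RPC, PINNED)
    for name, why in bad.items():
        print(f"HOLD {name}: {why}")
    print(" ".join(ok))
    raise SystemExit(1 if bad else 0)
```

In the timer job, replace `SAMPLE_RPC` with `fetch_info(PINNED)` and pass only the printed names to `aur sync`, so an orphaned or re-adopted package stops the unattended build instead of being compiled and installed.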
Running AUR updates unattended (with --no-view) is a bad idea. AUR packages may be orphaned at any time, and taken over by someone with less than good intentions. (See, for example, acroread.)
If you want to update AUR packages on a timer, at the very least implement a trust system that checks maintainers. An example: https://github.com/alexheretic/aurto
Furthermore, pacman -Syu on a timer is equally problematic (despite not being warned against in this article). Upgrades from the Arch Linux repositories always assume they are done interactively, so that the user can see post-install messages, merge .pacnew files and do other necessary changes.
Not to mention an unattended upgrade will make debugging (in particular, pinpointing which packages cause undesired behavior) significantly harder.
You should consider breaking this process into two parts. The first one automated on timer, the second requiring user intervention to proceed.
Download official packages, build AUR packages, then when the user is present, install them.
See: https://github.com/Cody-Learner/prep4ud