Automate safe system updates with a single script (for APT + systemd systems)

THE PROBLEM

Keeping a Linux system fully updated usually means doing several things by hand:

  • Update APT package lists

  • Upgrade installed packages

  • Remove unused dependencies and cached files

  • Update Flatpak apps (if you use Flatpak)

  • Update firmware via fwupd (if available)

  • Decide whether to reboot or shut down

None of that is hard, but it is repetitive, and it is easy to skip a step, especially firmware updates.

This script turns that whole workflow into a single, safe command.


REQUIREMENTS

This script assumes:

Package manager

  • Uses APT

  • Example: Debian, Ubuntu, Linux Mint and similar

Init system

  • Uses systemd (for systemctl reboot/poweroff)

Shell

  • bash (script uses “#!/usr/bin/env bash” and “set -euo pipefail”)

  • You can run it with:

    • bash script.sh

Privileges

  • Your user has sudo rights

Optional components

  • Flatpak (optional)

    • If not installed, Flatpak steps are skipped

  • fwupd (fwupdmgr, optional)

    • If not installed, firmware steps are skipped

Other tools

  • mktemp, grep, tee

    • Present on any normal distro

If an optional tool is missing, the script just prints a message and continues.


WHAT THE SCRIPT AUTOMATES

APT updates

  • apt update
    Refresh package lists from repositories.

  • apt upgrade
    Install updated versions of packages.

  • apt autoremove
    Remove packages that are no longer needed as dependencies.

  • apt autoclean
    Remove old cached .deb files.

Flatpak updates (if Flatpak is installed)

Flatpak has its own update mechanism, separate from APT:

  • flatpak update
    Updates Flatpak apps and runtimes.

  • flatpak uninstall --unused
    Removes unused runtimes and extensions.

Firmware updates (if fwupdmgr is installed)

fwupdmgr talks to the Linux Vendor Firmware Service (LVFS) to update device firmware:

  • fwupdmgr refresh --force
    Refresh metadata.

  • fwupdmgr get-updates
    Check for available firmware updates.

  • fwupdmgr update
    Apply or stage those updates for the next reboot.

fwupdmgr uses exit codes such as:

  • 0 = OK

  • 2 = nothing to do / no updates

The script treats 0 and 2 as non-fatal. Other codes are treated as errors.

Safety features

  • set -euo pipefail
    -e: exit on error
    -u: fail on unset variables
    -o pipefail: fail if any command in a pipeline fails

  • sudo -v at the beginning
    Caches sudo auth so the script does not get stuck mid-run asking for a password.

  • command checks
    Uses “command -v flatpak” and “command -v fwupdmgr” so it only runs those sections if the tools exist.
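
Added example (not part of the original script): one way to accept fwupdmgr's exit codes 0 and 2 while keeping "set -e" active the whole time, instead of toggling "set +e" / "set -e" around the call. The names run_allowing, firmware_outcome, LAST_RC and the fake_* stand-ins are hypothetical; the stand-ins replace fwupdmgr so the example runs offline.

```bash
#!/usr/bin/env bash
# Added example: tolerate selected exit codes without switching errexit off.
set -eu

LAST_RC=0   # real exit code of the most recent run_allowing call

# run_allowing "<codes>" cmd [args...]
# Returns 0 if cmd exits with one of the space-separated codes, otherwise
# returns cmd's own exit code. "cmd || LAST_RC=$?" exempts only this one
# command from set -e, so there is no "set +e" window to forget to close.
# (Variables are global here because POSIX sh has no "local".)
run_allowing() {
    allowed=$1
    shift
    LAST_RC=0
    "$@" || LAST_RC=$?
    for ok in $allowed; do
        if [ "$LAST_RC" -eq "$ok" ]; then
            return 0
        fi
    done
    return "$LAST_RC"
}

# firmware_outcome cmd [args...]
# Prints "updated" for exit 0, "nothing-to-do" for exit 2,
# and "failed:<rc>" for anything else.
firmware_outcome() {
    if run_allowing "0 2" "$@" >/dev/null 2>&1; then
        if [ "$LAST_RC" -eq 2 ]; then
            echo "nothing-to-do"
        else
            echo "updated"
        fi
    else
        echo "failed:$LAST_RC"
    fi
}

# Constructed stand-ins for fwupdmgr (messages are made up for this example).
fake_ok()      { echo "constructed: update staged"; return 0; }
fake_nothing() { echo "constructed: nothing to do"; return 2; }
fake_broken()  { echo "constructed: tool error" >&2; return 1; }

firmware_outcome fake_ok
firmware_outcome fake_nothing
firmware_outcome fake_broken
```

In the real script the call would be "run_allowing "0 2" sudo fwupdmgr update", with LAST_RC used for the error message.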


SCRIPT: SAFE SYSTEM AND FIRMWARE UPDATER

Paste this into a file, for example: update-all.sh

Then mark it executable (see “HOW I USE IT” below).

Script:

#!/usr/bin/env bash

# ============================================================
# Debian 13: Safe system & firmware updater
# - Ask desired post-update action first.
# - Update/clean system packages.
# - Refresh & apply firmware updates via fwupd (tolerant to "no updates").
# - Update Flatpak apps/runtimes (if Flatpak is installed).
# ============================================================

set -euo pipefail

echo "=== Debian 13 Safe System and Firmware Updater ==="
echo
read -r -p "After updates, would you like to [r]eboot, [s]hutdown, or [n]either? (r/s/n): " choice
echo

# Cache sudo so later steps don't prompt mid-run.
if command -v sudo >/dev/null 2>&1; then
    sudo -v || true
fi

echo "=== Starting full system and firmware update ==="
sudo apt update
sudo apt -y upgrade
sudo apt -y autoremove
sudo apt -y autoclean

# --- Flatpak updates (if installed) ---
if command -v flatpak >/dev/null 2>&1; then
    echo
    echo "--- Flatpak (apps & runtimes) ---"
    # Updates all apps/runtimes and appstream info in user+system installations.
    flatpak update -y
    # Clean unused runtimes/extensions.
    flatpak uninstall --unused -y
else
    echo
    echo "flatpak not installed; skipping Flatpak step."
fi

# --- Firmware updates (fwupd) ---
if command -v fwupdmgr >/dev/null 2>&1; then
    echo
    echo "--- Firmware (fwupd) ---"
    sudo fwupdmgr refresh --force || echo "Warning: fwupdmgr refresh failed; continuing."

    tmp="$(mktemp)"

    # Run get-updates and capture both output and exit code without aborting.
    # With pipefail set, $? is fwupdmgr's exit code whenever it is non-zero.
    set +e
    sudo fwupdmgr get-updates | tee "$tmp"
    get_rc=$?
    set -e

    # Accept 0 ("OK") and 2 ("nothing to do") as non-fatal.
    if [ "$get_rc" -ne 0 ] && [ "$get_rc" -ne 2 ]; then
        echo "fwupdmgr get-updates failed with exit code $get_rc."
        rm -f "$tmp"
        exit "$get_rc"
    fi

    # If output clearly says there are no updates, skip the update step.
    if grep -qiE 'No (updatable|available) devices|No updates|No upgrades' "$tmp"; then
        echo "No firmware updates to apply."
        rm -f "$tmp"
    else
        rm -f "$tmp"
        # Apply updates; accept 0 and 2 as non-fatal.
        set +e
        sudo fwupdmgr update
        upd_rc=$?
        set -e
        if [ "$upd_rc" -eq 0 ]; then
            echo "Firmware updates applied/staged."
        elif [ "$upd_rc" -eq 2 ]; then
            echo "No firmware updates to apply (fwupdmgr exit 2)."
        else
            echo "fwupdmgr update failed with exit code $upd_rc."
            exit "$upd_rc"
        fi
    fi
else
    echo "fwupdmgr not installed; skipping firmware step."
fi

echo
echo "=== Update process complete ==="
echo "Firmware updates (if any) will apply on the next reboot."
echo

case "$choice" in
    [Rr]* ) echo "Rebooting system..."; sudo systemctl reboot ;;
    [Ss]* ) echo "Shutting down system..."; sudo systemctl poweroff ;;
    [Nn]* ) echo "Skipping shutdown/reboot. You can reboot manually later." ;;
    * ) echo "Invalid input. No action taken." ;;
esac

echo "=== Done ==="


HOW I USE IT

  1. Save the script as:

    update-all.sh

  2. Make it executable:

    chmod +x update-all.sh

  3. Run it when you want to fully update the system:

    ./update-all.sh

  4. At the prompt, choose:

    • r = reboot after updates

    • s = shut down after updates

    • n = do nothing (you can reboot later)

That’s it: one script to safely update packages, Flatpaks, and firmware in a single run.
