diff --git a/files/apt-daily-upgrade.timer b/files/apt-daily-upgrade.timer
new file mode 100644
index 0000000000000000000000000000000000000000..a8b361efce6b39ddd0108d1ec119ff072b0ff598
--- /dev/null
+++ b/files/apt-daily-upgrade.timer
@@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=
+OnCalendar=Tuesday 5:00
+RandomizedDelaySec=10m
diff --git a/files/apt-daily.timer b/files/apt-daily.timer
new file mode 100644
index 0000000000000000000000000000000000000000..2dd84b0934278174d167d0e635ce763b196dc637
--- /dev/null
+++ b/files/apt-daily.timer
@@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=
+OnCalendar=Tuesday 4:30
+RandomizedDelaySec=10m
diff --git a/files/apt-unattended-upgrades b/files/apt-unattended-upgrades
new file mode 100644
index 0000000000000000000000000000000000000000..a5cc28f3acc83c772263baa2edf31cf9d8a31041
--- /dev/null
+++ b/files/apt-unattended-upgrades
@@ -0,0 +1,60 @@
+Unattended-Upgrade::Allowed-Origins {
+	"${distro_id}:${distro_codename}";
+	"${distro_id}:${distro_codename}-security";
+	"${distro_id}:${distro_codename}-updates";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+
+Unattended-Upgrade::DevRelease "false";
+
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+Unattended-Upgrade::MinimalSteps "true";
+
+Unattended-Upgrade::InstallOnShutdown "false";
+
+//Unattended-Upgrade::Mail "";
+
+// "always", "only-on-error" or "on-change"
+//Unattended-Upgrade::MailReport "on-change";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+Unattended-Upgrade::Automatic-Reboot "true";
+
+Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
+
+Unattended-Upgrade::Automatic-Reboot-Time "now";
+
+Unattended-Upgrade::SyslogEnable "true";
+
+Unattended-Upgrade::SyslogFacility "daemon";
+
+Unattended-Upgrade::OnlyOnACPower "false";
+
+Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";
+
+Unattended-Upgrade::Verbose "false";
+
+Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
diff --git a/handlers/main.yml b/handlers/main.yml
index 2f7cbb9f27107ffd4662e52a314724860062ff59..e455fa34e72b7e02ea801d511aa8c033cd41d959 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,4 +1,23 @@
 ---
 
 - name: restart-sshd
-  service: name=sshd state=restarted
+  service:
+    name: sshd
+    state: restarted
+
+- name: restart-cron
+  ansible.builtin.service:
+    name: cron
+    state: restarted
+
+- name: restart-apt-update-timer
+  ansible.builtin.systemd:
+    name: apt-daily.timer
+    state: restarted
+    enabled: true
+
+- name: restart-apt-upgrade-timer
+  ansible.builtin.systemd:
+    name: apt-daily-upgrade.timer 
+    state: restarted
+    enabled: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 18357ccd7437117e1d4f756727a6b6908e5fe4ec..7e94fae3ccdc9af027e27cad9d55508cc99169f6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,7 +3,14 @@
   include_vars: "{{ ansible_os_family }}.yml"
 
 - name: Set machine hostname
-  hostname: name="{{ inventory_hostname_short | lower | regex_replace('_','') }}"
+  hostname:
+    name: "{{ inventory_hostname_short | lower | regex_replace('_','') }}"
+
+- name: Set timezone to Europe/Paris
+  community.general.timezone:
+    name: Europe/Paris
+  notify:
+    - restart-cron
 
 - name: Never include APT phased update
   copy:
@@ -81,6 +88,69 @@
     mode: '0644'
   when: ansible_os_family == "Debian"
 
+- name: Remove Unattended Upgrades
+  apt:
+    name: "unattended-upgrades"
+    autoremove: true
+    purge: true
+    state: absent
+  when: ansible_os_family == "Debian" and inventory_hostname not in groups.maintenance_contract
+
+- name: Install Unattended Upgrades
+  apt:
+    name: "unattended-upgrades"
+    state: present
+  when: ansible_os_family == "Debian" and inventory_hostname in groups.maintenance_contract
+
+- name: Copy Unattended Upgrades configuration
+  ansible.builtin.copy:
+    src: 'apt-unattended-upgrades'
+    dest: '/etc/apt/apt.conf.d/50unattended-upgrades'
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: Create apt-daily timer directory if it does not exist
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily.timer.d'
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: override apt-daily timer
+  ansible.builtin.copy:
+    src: 'apt-daily.timer'
+    dest: '/etc/systemd/system/apt-daily.timer.d/override.conf'
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups.maintenance_contract
+  notify:
+    - restart-apt-update-timer
+
+- name: Create apt-daily-upgrade timer directory if it does not exist
+  ansible.builtin.file:
+    path: '/etc/systemd/system/apt-daily-upgrade.timer.d'
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: override apt-daily-upgrade timer
+  ansible.builtin.copy:
+    src: 'apt-daily-upgrade.timer'
+    dest: '/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf'
+    owner: root
+    group: root
+    mode: '0644'
+  when: inventory_hostname in groups.maintenance_contract
+  notify:
+    - restart-apt-upgrade-timer
+
 - name: Create {{ host_user }} group
   group:
     name: "{{ host_user }}"
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 6538faab773105d32fc73eff16c896dbae038962..61ed1d65e9e83f612b060a7b164988d7fc8bfb4a 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -2,7 +2,6 @@
 packages_to_remove:
   - samba*
   - snapd
-  - unattended-upgrades
   - popularity-contest
   - ubuntu-advantage-tools
 files_to_remove: