diff --git a/bundles/apt/files/apt.conf-auto-upgrades b/bundles/apt/files/apt.conf-auto-upgrades
deleted file mode 100644
index 5bf85d3..0000000
--- a/bundles/apt/files/apt.conf-auto-upgrades
+++ /dev/null
@@ -1,3 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Unattended-Upgrade "1";
-APT::Periodic::AutocleanInterval "7";
diff --git a/bundles/apt/files/apt.conf-unattended-upgrades b/bundles/apt/files/apt.conf-unattended-upgrades
deleted file mode 100644
index 322ba16..0000000
--- a/bundles/apt/files/apt.conf-unattended-upgrades
+++ /dev/null
@@ -1,31 +0,0 @@
-Unattended-Upgrade::Origins-Pattern {
- "origin=Debian,codename=${os_release},label=Debian";
- "origin=Debian,codename=${os_release},label=Debian-Security";
-
-% if node_has_backports:
- "a=${os_release}-backports,n=${os_release}-backports";
-% endif
-
- // External packages
-% for item in sorted(data.get('origins', set())):
- "${item}";
-% endfor
-};
-
-Unattended-Upgrade::AutoFixInterruptedDpkg "true";
-Unattended-Upgrade::MinimalSteps "false";
-
-% if data.get('mail', None):
-Unattended-Upgrade::Mail "${data['mail']}";
-Unattended-Upgrade::MailOnlyOnError "false";
-% endif
-
-Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
-Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
-Unattended-Upgrade::Remove-Unused-Dependencies "true";
-
-% if data.get('reboot', True):
-Unattended-Upgrade::Automatic-Reboot "true";
-% else:
-Unattended-Upgrade::Automatic-Reboot "false";
-% endif
diff --git a/bundles/apt/files/upgrade-and-reboot b/bundles/apt/files/upgrade-and-reboot
new file mode 100644
index 0000000..8029b54
--- /dev/null
+++ b/bundles/apt/files/upgrade-and-reboot
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# With systemd, we can force logging to the journal. This is better than
+# spamming the world with cron mails. You can then view these logs using
+# "journalctl -rat upgrade-and-reboot".
+if [[ "$1" != '-w' ]]
+then
+ if which systemd-cat >/dev/null 2>&1
+ then
+ if [[ "$1" != "is-logging" ]]
+ then
+ exec systemd-cat -t upgrade-and-reboot "$0" is-logging "$@"
+ else
+ shift
+ fi
+ fi
+fi
+
+
+logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd"')
+if [[ -n "$logins" ]]
+then
+ echo "Will abort now, there are active SSH logins: $logins"
+ exit 1
+fi
+
+softlockdir=/var/lib/bundlewrap/soft-${node.name}
+mkdir -p "$softlockdir"
+printf '{"comment": "UPDATE", "date": %s, "expiry": %s, "id": "UNATTENDED", "items": ["*"], "user": "root@localhost"}\n' \
+ $(date +%s) \
+ $(date -d 'now + 30 mins' +%s) \
+ >"$softlockdir"/UNATTENDED
+trap 'rm -f "$softlockdir"/UNATTENDED' EXIT
+
+apt-get update
+
+DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef dist-upgrade
+
+ret=$?
+if (( $ret != 0 ))
+then
+ exit 1
+fi
+
+apt-get autoclean
+apt-get autoremove
+
+if [[ -f /var/run/reboot-required ]]
+then
+ date | mail -s "SYSREBOOTNOW $(cat /etc/node.name)" ${data['mail']}
+ systemctl reboot
+fi
diff --git a/bundles/apt/items.py b/bundles/apt/items.py
index 1e2c416..77f2e64 100644
--- a/bundles/apt/items.py
+++ b/bundles/apt/items.py
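Review bot: `${data['mail']}` in the final reboot block is an unguarded mako lookup, so the file fails to render for any node whose metadata has no `apt.unattended-upgrades.mail`: items.py passes `data` as `node.metadata.get('apt', {}).get('unattended-upgrades', {})`, the removed apt.conf-unattended-upgrades template guarded the same value with `data.get('mail', None)`, and the new `bundles/apt/metadata.py` seeds no default for it. The same block also silently drops the per-node reboot switch: the removed template honoured `data.get('reboot', True)` and `nodes/htz/ex42-1048908.py` set `'reboot': False`, yet this script runs `systemctl reboot` whenever /var/run/reboot-required exists. Reinstating both conditionals from the old template and quoting the recipient (so a metadata value is not word-split by the shell) looks like the minimal fix, shown below. Separately, a failed `apt-get update` is not checked before `dist-upgrade`, which then runs against stale package lists; that deserves at least a comment, if not an `|| exit 1`.
```shell
# … unchanged: journal logging, SSH-login check, soft lock, apt-get update, dist-upgrade, autoclean/autoremove …
% if data.get('reboot', True):
if [[ -f /var/run/reboot-required ]]
then
% if data.get('mail', None):
    date | mail -s "SYSREBOOTNOW $(cat /etc/node.name)" "${data['mail']}"
% endif
    systemctl reboot
fi
% endif
```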
@@ -23,18 +23,13 @@ actions = {
 }
 
 files = {
- '/etc/apt/apt.conf.d/50unattended-upgrades': {
+ '/usr/local/sbin/upgrade-and-reboot': {
 'content_type': 'mako',
- 'source': 'apt.conf-unattended-upgrades',
+ 'mode': '0700',
 'context': {
 'data': node.metadata.get('apt', {}).get('unattended-upgrades', {}),
- 'node_has_backports': ('backports' in node.metadata.get('apt', {}).get('repos', {})),
- 'os_release': supported_os[node.os][node.os_version[0]],
 }
 },
- '/etc/apt/apt.conf.d/20auto-upgrades': {
- 'source': 'apt.conf-auto-upgrades',
- },
 '/etc/cloud': {
 'delete': True,
 },
@@ -63,7 +58,6 @@ directories = {
 
 pkg_apt = {
 'apt-transport-https': {},
- 'unattended-upgrades': {},
 'arping': {},
 'at': {},
 
@@ -112,6 +106,9 @@ pkg_apt = {
 'popularity-contest': {
 'installed': False,
 },
+ 'unattended-upgrades': {
+ 'installed': False,
+ },
 }
 
 
diff --git a/bundles/apt/metadata.py b/bundles/apt/metadata.py
new file mode 100644
index 0000000..b1242a6
--- /dev/null
+++ b/bundles/apt/metadata.py
@@ -0,0 +1,7 @@
+defaults = {
+ 'cron': {
+ 'upgrade-and-reboot': '{minute} 1 * * 5 root /usr/local/sbin/upgrade-and-reboot'.format(
+ minute=node.magic_number % 30,
+ ),
+ },
+}
diff --git a/bundles/jenkins-ci/metadata.py b/bundles/jenkins-ci/metadata.py
index b89e925..6db7622 100644
--- a/bundles/jenkins-ci/metadata.py
+++ b/bundles/jenkins-ci/metadata.py
@@ -7,11 +7,6 @@ defaults = {
 ],
 },
 },
- 'unattended-upgrades': {
- 'origins': {
- 'o=jenkins.io,a=binary',
- },
- },
 'packages': {
 'openjdk-11-jre': {},
 'jenkins': {
diff --git a/bundles/matrix-synapse/metadata.py b/bundles/matrix-synapse/metadata.py
index 4355d73..5c770be 100644
--- a/bundles/matrix-synapse/metadata.py
+++ b/bundles/matrix-synapse/metadata.py
@@ -7,11 +7,6 @@ defaults = {
 ],
 },
 },
- 'unattended-upgrades': {
- 'origins': {
- 'o=matrix.org,n=buster,c=main',
- },
- },
 'packages': {
 'matrix-synapse-py3': {},
 },
diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index 3f31328..2fe5815 100644
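Review bot: The two entries dropped from `files` here, `/etc/apt/apt.conf.d/50unattended-upgrades` and `/etc/apt/apt.conf.d/20auto-upgrades`, stop being managed but are never removed, so nodes provisioned before this change keep the old periodic-upgrade settings on disk next to the new weekly cron job. Flipping `unattended-upgrades` to `'installed': False` in the `@@ -112,6` hunk of this file does not necessarily clear them either: whether the package removal purges those paths depends on how bundlewrap removes packages, and 50unattended-upgrades was written by bundlewrap rather than by the package. The dict already uses `'/etc/cloud': {'delete': True}` for exactly this purpose; adding `'/etc/apt/apt.conf.d/50unattended-upgrades': {'delete': True},` and `'/etc/apt/apt.conf.d/20auto-upgrades': {'delete': True},` makes the retirement explicit. The `files` dict continues past the end of this hunk.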
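Review bot: The `'upgrade-and-reboot'` cron spec in bundles/apt/metadata.py encodes its schedule as bare fields, so a reader has to work out that `1 * * 5` means 01:xx on Fridays and that `node.magic_number % 30` only staggers the minute within 01:00–01:29. A comment above the entry would capture that, e.g. `# Fridays, 01:00-01:29; minute is staggered per node via magic_number (presumably so hosts do not upgrade and reboot simultaneously)`. Since this is a bundle-level default, the same comment should also state that every node with the apt bundle is opted into the weekly upgrade-and-reboot run, as that is not obvious from the one-line cron string.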
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@@ -7,11 +7,6 @@ defaults = {
 ],
 },
 },
- 'unattended-upgrades': {
- 'origins': {
- 'o=nginx,a=stable,l=nginx,c=nginx',
- },
- },
 'packages': {
 'nginx': {},
 },
diff --git a/bundles/nodejs/metadata.py b/bundles/nodejs/metadata.py
index f497563..65a2b41 100644
--- a/bundles/nodejs/metadata.py
+++ b/bundles/nodejs/metadata.py
@@ -13,12 +13,6 @@ defaults = {
 ],
 },
 },
- 'unattended-upgrades': {
- 'origins': {
- 'o=Node Source,l=Node Source,c=main',
- 'o=yarn,a=stable,n=stable,l=yarn-stable,c=main',
- },
- },
 'packages': {
 'nodejs': {},
 'yarn': {},
diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py
index d5e63f8..19a0d9d 100644
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@@ -43,21 +43,6 @@ nodes['htz.ex42-1048908'] = {
 'weechat-python': {},
 'weechat-ruby': {},
 },
- 'unattended-upgrades': {
- 'origins': {
- 'site=weechat.org',
-
- # TODO move to bundles
- 'o=Rspamd,n=buster,l=Rspamd,c=main',
-
- # FIXME We can't upgrade miniflux automatically,
- # because the apt package doesn't (currently?) do
- # database migrations by itself. This leads to
- # miniflux not starting up after being upgraded.
- #'site=apt.miniflux.app',
- },
- 'reboot': False,
- },
 'repos': {
 'backports': {
 'install_gpg_key': False, # default debian signing key