diff --git a/bundles/apt/files/apt.conf-unattended-upgrades b/bundles/apt/files/apt.conf-unattended-upgrades
new file mode 100644
index 0000000..d0675da
--- /dev/null
+++ b/bundles/apt/files/apt.conf-unattended-upgrades
@@ -0,0 +1,27 @@
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=\$\{distro_codename\},label=Debian";
+ "origin=Debian,codename=\$\{distro_codename\},label=Debian-Security";
+
+ // External packages
+% for item in sorted(data.get('origins')):
+ "origin=${item}";
+% endfor
+};
+
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+
+% if data.get('mail', None):
+Unattended-Upgrade::Mail "${data['mail']}";
+Unattended-Upgrade::MailOnlyOnError "false";
+% endif
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+% if data.get('reboot', False):
+Unattended-Upgrade::Automatic-Reboot "true";
+% else:
+Unattended-Upgrade::Automatic-Reboot "false";
+% endif
diff --git a/bundles/apt/items.py b/bundles/apt/items.py
new file mode 100644
index 0000000..d2d8135
--- /dev/null
+++ b/bundles/apt/items.py
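Review bot: In apt.conf-unattended-upgrades, `sorted(data.get('origins'))` raises a TypeError when the metadata has no `origins` key, and items.py passes an empty dict as `data` when `unattended-upgrades` is unset, so rendering would fail on such nodes unless defaults are set elsewhere; `% for item in sorted(data.get('origins', [])):` avoids that. Each external entry is emitted as `"origin=${item}"` with no codename or label, so unattended-upgrades will install whatever that origin publishes; a comment above the loop such as `// every origin listed here is trusted for automatic installation` would make that explicit. The value is also written between double quotes without escaping, so a `"` in the metadata would break the generated apt.conf.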
@@ -0,0 +1,68 @@
+actions = {
+ 'apt_update': {
+ 'command': 'apt-get update',
+ 'needed_by': [
+ 'pkg_apt:',
+ ],
+ 'triggered': True,
+ 'cascade_skip': False,
+ },
+}
+
+files = {
+ '/etc/apt/apt.conf.d/50unattended-upgrades': {
+ 'content_type': 'mako',
+ 'source': 'apt.conf-unattended-upgrades',
+ 'context': {'data': node.metadata.get('apt', {}).get('unattended-upgrades', {})}
+ },
+}
+
+directories = {
+ '/etc/apt/sources.list.d': {},
+}
+
+pkg_apt = {
+ 'apt-transport-https': {},
+ 'unattended-upgrades': {},
+}
+
+gpg_keys = set()
+for name, data in node.metadata.get('apt', {}).get('repos', {}).items():
+ files['/etc/apt/sources.list.d/{}.list'.format(name)] = {
+ 'content_type': 'mako',
+ 'content': "\n".join(data['items']),
+ 'triggers': [
+ 'action:apt_update',
+ ],
+ }
+
+ if 'key' in data:
+ gpg_keys.add(data['key'])
+
+ files['/etc/apt/sources.list.d/{}.list'.format(name)]['needs'] = [
+ 'action:add_gpg_key_{}'.format(data['key']),
+ ]
+
+previous_action = None
+for key in gpg_keys:
+ files['/etc/apt/gpg-keys/{}'.format(key)] = {
+ 'source': 'gpg-keys/{}'.format(key),
+ }
+
+ action_name = 'add_gpg_key_{}'.format(key)
+ action_item_name = 'action:' + action_name
+ actions[action_name] = {
+ 'command': 'apt-key add /etc/apt/gpg-keys/{}'.format(key),
+ 'unless': 'apt-key export {} 2>/dev/null | grep -q "END PGP PUBLIC KEY BLOCK"'.format(key),
+ 'cascade_skip': False,
+ 'needed_by': ["action:apt_update"],
+ 'needs': list(filter(None, [
+ 'file:/etc/apt/gpg-keys/{}'.format(key),
+ previous_action,
+ ])),
+ }
+ previous_action = action_item_name
+
+if node.metadata.get('apt', {}).get('packages', {}):
+ for package, options in node.metadata['apt']['packages'].items():
+ pkg_apt[package] = options
diff --git a/groups/all.py b/groups/all.py
index 2a33f3a..2d1f85b 100644
--- a/groups/all.py
+++ b/groups/all.py
@@ -3,6 +3,7 @@ groups['all'] = {
 r".*",
 ),
 'bundles': {
+ 'apt',
 'users',
 },
 'metadata': {
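Review bot: In bundles/apt/items.py, the `for key in gpg_keys:` loop formats `key` from node metadata unquoted into the `command` and `unless` shell strings, so a key name containing whitespace or shell metacharacters changes the command that is run on the node. Quoting it closes that, e.g. `from shlex import quote` at the top, then `'command': 'apt-key add {}'.format(quote('/etc/apt/gpg-keys/' + key)),` and `.format(quote(key))` on the `unless` line. Separately, `apt-key add` puts the key into the global trusted keyring, so it is trusted for every configured source rather than only the repository it was added for; a per-repository keyring referenced with `signed-by=` in the sources entry would narrow that, and `apt-key` is deprecated in current Debian releases. The sources.list.d files also set `'content_type': 'mako'` on content joined from metadata, so any `${...}` in a repo line is evaluated at render time; `'content_type': 'text'` avoids this unless templating is intended.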