diff --git a/tf/modules/ooni_th_droplet/main.tf b/tf/modules/ooni_th_droplet/main.tf
index f679d238..17485b5f 100644
--- a/tf/modules/ooni_th_droplet/main.tf
+++ b/tf/modules/ooni_th_droplet/main.tf
@@ -14,8 +14,11 @@ data "cloudinit_config" "ooni_th" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = file("${path.module}/templates/cloud-init.yml")
-  }
+    content      = templatefile("${path.module}/templates/cloud-init.yml", {
+                      distro_id          = "ubuntu",
+                      distro_codename    = "jammy"
+                   })
+    }
 
 }
 
diff --git a/tf/modules/ooni_th_droplet/templates/cloud-init.yml b/tf/modules/ooni_th_droplet/templates/cloud-init.yml
index 111502ef..6ffeb111 100644
--- a/tf/modules/ooni_th_droplet/templates/cloud-init.yml
+++ b/tf/modules/ooni_th_droplet/templates/cloud-init.yml
@@ -21,8 +21,22 @@ package_update: true
 packages:
   - oohelperd
   - nginx
+  - unattended-upgrades
 
 write_files:
+  - path: /etc/apt/apt.conf.d/20auto-upgrades
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Unattended-Upgrade "1";
+
+  - path: /etc/apt/apt.conf.d/50unattended-upgrades
+    content: |
+      Unattended-Upgrade::Allowed-Origins {
+        //"${distro_id} stable";
+        "${distro_id} ${distro_codename}-security";
+        "${distro_id} ${distro_codename}-updates";
+      };
+  
   - path: /etc/nginx/sites-available/default
     content: |
       proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=thcache:100M