diff --git a/auto-updates.yml b/auto-updates.yml
new file mode 100644
index 0000000..7790f86
--- /dev/null
+++ b/auto-updates.yml
@@ -0,0 +1,7 @@
+- import_playbook: dyngroups.yml
+- hosts: Fedora
+ roles:
+ - role: dnf-automatic
+ tags:
+ - auto-update
+ - dnf-automatic
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 2732950..7a96cbb 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -100,3 +100,13 @@ promtail_ca: |
 0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
 DaY+6wQ=
 -----END CERTIFICATE-----
+
+dnf_automatic_email_from: dnf@pyrocufflink.net
+dnf_automatic_email_to: gyrfalcon@ebonfire.com
+dnf_automatic_email_host: mail.pyrocufflink.blue
+
+dnf_automatic_schedule: >-
+ {{ ['Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun']
+ | random(seed=inventory_hostname)
+ | string
+ }} *-*-* 04:00:00 America/Chicago
diff --git a/host_vars/git0.pyrocufflink.blue.yml b/host_vars/git0.pyrocufflink.blue.yml
index 4d13613..932b8d8 100644
--- a/host_vars/git0.pyrocufflink.blue.yml
+++ b/host_vars/git0.pyrocufflink.blue.yml
@@ -1,2 +1,3 @@
 gitea_ssh_domain: git.pyrocufflink.blue
 gitea_root_url: 'https://{{ gitea_ssh_domain }}/'
+dnf_automatic_reboot: never
diff --git a/roles/dnf-automatic/defaults/main.yml b/roles/dnf-automatic/defaults/main.yml
new file mode 100644
index 0000000..3474e71
--- /dev/null
+++ b/roles/dnf-automatic/defaults/main.yml
@@ -0,0 +1,4 @@
+dnf_automatic_reboot: when-needed
+dnf_automatic_email_from: root@example.com
+dnf_automatic_email_to: root
+dnf_automatic_email_host: localhost
diff --git a/roles/dnf-automatic/handlers/main.yml b/roles/dnf-automatic/handlers/main.yml
new file mode 100644
index 0000000..c106514
--- /dev/null
+++ b/roles/dnf-automatic/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: reload systemd
+ systemd:
+ daemon_reload: true
+- name: restart dnf-automatic.timer
+ systemd:
+ name: dnf-automatic.timer
+ state: restarted
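Review bot: The `dnf_automatic_schedule` expression in group_vars/all.yml has no comment saying that it pins each host to one fixed weekday, which also means a host installs updates only once a week. A fix published just after a host's slot waits up to seven days, and the role template sets `upgrade_type = default`, so security updates are not handled on a shorter cycle. I would add above the variable `# One fixed weekday per host, seeded by inventory_hostname, so hosts do not all update and reboot on the same night; patch latency is up to 7 days.` The `| string` filter looks redundant, since `random` already returns one of the list's strings.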
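Review bot: `dnf_automatic_reboot: never` in host_vars/git0.pyrocufflink.blue.yml carries no comment explaining the exemption, and with it kernel and library updates are installed but do not take effect until someone reboots the host by hand. I would add a comment such as `# no unattended reboots on this host; reboot manually after updates ('dnf needs-restarting -r' reports when one is due)` so the pending-reboot state is an explicit task rather than something that goes unnoticed.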
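Review bot: `dnf_automatic_schedule` has no entry in roles/dnf-automatic/defaults/main.yml, although the role's `dnf-automatic.schedule.conf.j2` template renders it unconditionally; the only definition in this commit is in `group_vars/all.yml`. Used from another inventory, the role would presumably fail on an undefined variable at the schedule task. Adding a default here, for example `dnf_automatic_schedule: daily`, lets the role stand on its own.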
diff --git a/roles/dnf-automatic/tasks/main.yml b/roles/dnf-automatic/tasks/main.yml
new file mode 100644
index 0000000..80d7aa0
--- /dev/null
+++ b/roles/dnf-automatic/tasks/main.yml
@@ -0,0 +1,54 @@
+- name: ensure dnf-automatic is installed
+ dnf:
+ name: dnf-automatic
+ state: present
+ tags:
+ - install
+
+- name: ensure dnf-automatic is configured
+ template:
+ src: dnf-automatic.conf.j2
+ dest: /etc/dnf/automatic.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ tags:
+ - config
+
+- name: ensure dnf-automatic.timer systemd drop-in directory exists
+ file:
+ path: /etc/systemd/system/dnf-automatic.timer.d
+ owner: root
+ group: root
+ mode: u=rwx,go=rx
+ state: directory
+ tags:
+ - config
+- name: ensure dnf-automatic.timer schedule is set
+ template:
+ src: dnf-automatic.schedule.conf.j2
+ dest: /etc/systemd/system/dnf-automatic.timer.d/schedule.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload systemd
+ - restart dnf-automatic.timer
+ tags:
+ - config
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure dnf-automatic.timer unit is enabled
+ systemd:
+ name: dnf-automatic.timer
+ enabled: true
+ tags:
+ - service
+- name: ensure dnf-automatic.timer unit is started
+ systemd:
+ name: dnf-automatic.timer
+ state: started
+ tags:
+ - service
diff --git a/roles/dnf-automatic/templates/dnf-automatic.conf.j2 b/roles/dnf-automatic/templates/dnf-automatic.conf.j2
new file mode 100644
index 0000000..a6dc3ab
--- /dev/null
+++ b/roles/dnf-automatic/templates/dnf-automatic.conf.j2
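Review bot: The last two tasks in roles/dnf-automatic/tasks/main.yml both call `systemd` on `dnf-automatic.timer` under the same `service` tag and can be a single task carrying `enabled: true` and `state: started`. That keeps the "timer is active" guarantee in one place, so a later edit cannot leave the unit enabled but not running, or the reverse.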
@@ -0,0 +1,101 @@
+[commands]
+# What kind of upgrade to perform:
+# default = all available upgrades
+# security = only the security upgrades
+upgrade_type = default
+random_sleep = 0
+
+# Maximum time in seconds to wait until the system is on-line and able to
+# connect to remote repositories.
+network_online_timeout = 60
+
+# To just receive updates use dnf-automatic-notifyonly.timer
+
+# Whether updates should be downloaded when they are available, by
+# dnf-automatic.timer. notifyonly.timer, download.timer and
+# install.timer override this setting.
+download_updates = yes
+
+# Whether updates should be applied when they are available, by
+# dnf-automatic.timer. notifyonly.timer, download.timer and
+# install.timer override this setting.
+apply_updates = yes
+
+# When the system should reboot following upgrades:
+# never = don't reboot after upgrades
+# when-changed = reboot after any changes
+# when-needed = reboot when necessary to apply changes
+reboot = {{ dnf_automatic_reboot }}
+
+# The command that is run to trigger a system reboot.
+reboot_command = "shutdown -r +5 'Rebooting after applying package updates'"
+
+
+[emitters]
+# Name to use for this system in messages that are emitted. Default is the
+# hostname.
+# system_name = my-host
+
+# How to send messages. Valid options are stdio, email and motd. If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages. If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via includes motd, /etc/motd file will have the messages. if
+# emit_via includes command_email, then messages will be send via a shell
+# command compatible with sendmail.
+# Default is email,stdio.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = stdio email
+
+
+[email]
+# The address to send email messages from.
+email_from = {{ dnf_automatic_email_from }}
+
+# List of addresses to send messages to.
+email_to = {{ dnf_automatic_email_to }}
+
+# Name of the host to connect to to send email messages.
+email_host = {{ dnf_automatic_email_host }}
+
+# Port number to connect to at the email host.
+email_port = 25
+
+# Use TLS or STARTTLS to connect to the email host.
+email_tls = no
+
+
+[command]
+# The shell command to execute. This is a Python format string, as used in
+# str.format(). The format function will pass a shell-quoted argument called
+# `body`.
+# command_format = "cat"
+
+# The contents of stdin to pass to the command. It is a format string with the
+# same arguments as `command_format`.
+# stdin_format = "{body}"
+
+
+[command_email]
+# The shell command to use to send email. This is a Python format string,
+# as used in str.format(). The format function will pass shell-quoted arguments
+# called body, subject, email_from, email_to.
+# command_format = "mail -Ssendwait -s {subject} -r {email_from} {email_to}"
+
+# The contents of stdin to pass to the command. It is a format string with the
+# same arguments as `command_format`.
+# stdin_format = "{body}"
+
+# The address to send email messages from.
+email_from = root@example.com
+
+# List of addresses to send messages to.
+email_to = root
+
+
+[base]
+# This section overrides dnf.conf
+
+# Use this to filter DNF core messages
+debuglevel = 1
+installonly_limit = 2
diff --git a/roles/dnf-automatic/templates/dnf-automatic.schedule.conf.j2 b/roles/dnf-automatic/templates/dnf-automatic.schedule.conf.j2
new file mode 100644
index 0000000..b1ac345
--- /dev/null
+++ b/roles/dnf-automatic/templates/dnf-automatic.schedule.conf.j2
@@ -0,0 +1,3 @@
+[Timer]
+OnCalendar=
+OnCalendar={{ dnf_automatic_schedule }}
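Review bot: In the `[email]` section of dnf-automatic.conf.j2, `email_port = 25` and `email_tls = no` are hard-coded while the host and addresses beside them are templated, so every update report goes to `dnf_automatic_email_host` unencrypted. Those reports name the system and, presumably, the packages it just changed, which is useful to anyone able to read the traffic between the host and the relay. I would template both, `email_port = {{ dnf_automatic_email_port }}` and `email_tls = {{ dnf_automatic_email_tls }}`, with role defaults of `25` and `no`, so an inventory can set `starttls` or `yes` where the relay supports it. The `email_from`/`email_to` under `[command_email]` are also left at the stock values; that is harmless while `emit_via` omits `command_email`, but a comment saying so would prevent surprises later.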
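Review bot: The empty `OnCalendar=` line in dnf-automatic.schedule.conf.j2 has no comment, and it is easy to mistake for a leftover and delete. The empty assignment clears the schedule inherited from the packaged timer unit; without it the second line would add a trigger instead of replacing the original. I would add above it `# Empty assignment resets the packaged unit's OnCalendar= so only the schedule below applies.`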