diff --git a/ansible/playbooks/customize.yml b/ansible/playbooks/customize.yml
index 4985dc1..b82f1ba 100644
--- a/ansible/playbooks/customize.yml
+++ b/ansible/playbooks/customize.yml
@@ -45,3 +45,58 @@
 ansible.builtin.command:
 cmd: loginctl enable-linger openclaw
 changed_when: false
+
+ # ── Automatic security updates ─────────────────────────────────────────
+ # The upstream role installs unattended-upgrades with security-only updates.
+ # We extend it here to enable automatic reboots for kernel/libc updates,
+ # scheduled at 03:30 (after the 03:00 config backup).
+
+ - name: Ensure unattended-upgrades is installed
+ ansible.builtin.apt:
+ name:
+ - unattended-upgrades
+ - apt-listchanges
+ state: present
+
+ - name: Configure unattended-upgrades
+ ansible.builtin.copy:
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ mode: "0644"
+ content: |
+ // OpenClaw VM — automatic security updates
+ Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}ESMApps:${distro_codename}-apps-security";
+ "${distro_id}ESM:${distro_codename}-infra-security";
+ };
+ Unattended-Upgrade::Package-Blacklist {};
+ Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+ Unattended-Upgrade::MinimalSteps "true";
+ Unattended-Upgrade::Remove-Unused-Dependencies "true";
+ Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+ Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+ // Reboot at 03:30 if required (after the 03:00 config backup)
+ Unattended-Upgrade::Automatic-Reboot "true";
+ Unattended-Upgrade::Automatic-Reboot-Time "03:30";
+ notify: Restart unattended-upgrades
+
+ - name: Enable daily apt update and upgrade triggers
+ ansible.builtin.copy:
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ mode: "0644"
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+ APT::Periodic::AutocleanInterval "7";
+
+ - name: Ensure unattended-upgrades service is running and enabled
+ ansible.builtin.systemd:
+ name: unattended-upgrades
+ state: started
+ enabled: true
+
+ handlers:
+ - name: Restart unattended-upgrades
+ ansible.builtin.systemd:
+ name: unattended-upgrades
+ state: restarted
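Review bot: The `Configure unattended-upgrades` task overwrites `/etc/apt/apt.conf.d/50unattended-upgrades` wholesale, while the comment block above it says the playbook only extends the upstream role's security-only setup — that path is the package's own conffile, so if the upstream role also writes it the two now compete and whichever runs last wins, and a locally modified conffile can also cause unattended-upgrades to hold back future upgrades of its own package that would prompt on it. A smaller drop-in that carries only the reboot and cleanup keys, e.g. `dest: /etc/apt/apt.conf.d/52unattended-upgrades-local` (name is an example), layers over the role's file in apt's lexical load order without taking ownership of it. The `Restart unattended-upgrades` handler does not reload anything: on Debian/Ubuntu packaging that unit exists only to delay shutdown while an upgrade is in progress, and each periodic run started by `apt-daily-upgrade.timer` reads `apt.conf.d` fresh, so the `notify` can be dropped or the handler renamed to say what it actually does. Because this rendering lost indentation, also verify that `notify:` sits at task level and not inside the `content: |` block, where it would become part of the written file. Since `Automatic-Reboot "true"` means the VM will now reboot on its own, consider adding `Unattended-Upgrade::Mail "root";` with `Unattended-Upgrade::MailReport "on-change";` (or `Unattended-Upgrade::SyslogEnable "true";`) so a reboot and the packages that triggered it leave a trace beyond the local log directory.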