Saltstack has been really useful to manage my homelab - namely updates are less of a pain now since I can run them from a central place. Here is how I run updates for my cluster:

# Run the update across all instances
salt '*' pkg.upgrade

# I use prometheus / node-exporter to keep an eye on which nodes
# update - this runs the scrape that fetches the number of upgrades
# available in apt
salt '*' service.start prometheus-node-exporter-apt.service

Along that, I’ve installed the debian unattended-upgrades to get security upgrades without having to do anything interactively.

Other notes

Some things I learned

• i use prometheus node exporter to figure out if updates are available
• the apt metric updates actually run on a systemd timer (so not instant, every 15 minutes); i checked the debian package
• salt separates normal updates from kernel updates (this was confusing at first) - you have to use the kernelpkg.upgrade module
• one nice thing about systemd/timers is you can just run the service one-off using the systemctl command