I have a parc of identical debian wheezy machines. They are competely identical hardware & software except the IP address and some VPN keys. I want to update these machines completely automatically. Many sources on the web point out, that this can be dangerous. As all my machines are identical, I believe it is safe to test the updates on one machine, and if it goes well, authorize/deploy the update fully automatically on all other machines.

Main question: what is the best method to do this?

Here are my current ideas on how to do it.

1. use cron-apt in full auto mode (no interaction) on the machines
2. point sources.list to a repository which I control
3. test updates coming from public update repositories and include them in my private repos only if the tests are succesful

If you agree that this a good way to go, what tools are available to set-up the private repository and how can I selectively include in it only the updates I tested (basically, update my private repository selectively using the public repository)?