diff --git a/auto-upgrade.nix b/auto-upgrade.nix
new file mode 100644
index 0000000..844dd02
--- /dev/null
+++ b/auto-upgrade.nix
@@ -0,0 +1,13 @@
+{ config, ... }:
+
+{
+  # Rebuild once a day to automatically apply security patches
+  system.autoUpgrade.enable = true;
+  nix.optimise.automatic = true;
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 30d";
+  };
+}
+
diff --git a/master.nix b/master.nix
index b83561c..998a798 100644
--- a/master.nix
+++ b/master.nix
@@ -19,6 +19,7 @@ in
     ./user/stormwind/master.nix
     ./sshd.nix
     ./tailscale.nix
+    ./auto-upgrade.nix
   ];
 
   # This value determines the NixOS release from which the default