diff --git a/playbooks/maintenance.yaml b/playbooks/maintenance.yaml
new file mode 100644
index 0000000..9a7150b
--- /dev/null
+++ b/playbooks/maintenance.yaml
@@ -0,0 +1,7 @@
+- name: Make Sure System Package Are Up-To-Date
+  hosts: all
+  roles:
+    - apt_update_and_upgrade
+
+- name: Run deploy Playbook
+  ansible.builtin.import_playbook: deploy.yaml
diff --git a/playbooks/roles/apt_update_and_upgrade/README.md b/playbooks/roles/apt_update_and_upgrade/README.md
new file mode 100644
index 0000000..c0e0acc
--- /dev/null
+++ b/playbooks/roles/apt_update_and_upgrade/README.md
@@ -0,0 +1,11 @@
+# Role `apt_update_and_upgrade`
+
+This role does an `apt-get update`, `apt-get dist-upgrade` and a potential reboot (if packages got upgraded) on the specified hosts.
+
+## `hosts`
+
+The `hosts` for this role need to be the VMs, which should be updated and upgraded.
+
+## Required Variables
+
+This role doesn't have any required variables.
diff --git a/playbooks/roles/apt_update_and_upgrade/tasks/main.yaml b/playbooks/roles/apt_update_and_upgrade/tasks/main.yaml
new file mode 100644
index 0000000..cdc9922
--- /dev/null
+++ b/playbooks/roles/apt_update_and_upgrade/tasks/main.yaml
@@ -0,0 +1,15 @@
+- name: update, upgrade and potentially reboot
+  become: true
+  block:
+  - name: apt-get update
+    ansible.builtin.apt:
+      update-cache: true
+
+  - name: apt-get dist-upgrade
+    ansible.builtin.apt:
+      upgrade: dist
+    register: apt_update_and_upgrade__upgrade_result
+
+  - name: reboot, after package upgrade
+    ansible.builtin.reboot:
+    when: apt_update_and_upgrade__upgrade_result.changed