diff --git a/roles/debian/apt_unattended_upgrades/defaults/main.yml b/roles/debian/apt_unattended_upgrades/defaults/main.yml
index a63f3e140..9d43f255e 100644
--- a/roles/debian/apt_unattended_upgrades/defaults/main.yml
+++ b/roles/debian/apt_unattended_upgrades/defaults/main.yml
@@ -16,3 +16,6 @@ apt_unattended_upgrades:
 automatic_reboot_with_users: "false" # reboot even if users are logged in
 automatic_reboot_time: "02:00"
 enable_syslog: "false" # make apt log upgrades to syslog as well as apt history
+ rebootnotifyallow: false # Send email when reboot is required
+ rebootnotifymailfrom: "sysadmins@example.com" # Send reboot notify email from address
+ rebootnotifymailto: "sysadmins@example.com" # Send reboot notify email to address
diff --git a/roles/debian/apt_unattended_upgrades/tasks/main.yml b/roles/debian/apt_unattended_upgrades/tasks/main.yml
index 52b6d681a..25f5e4b4e 100644
--- a/roles/debian/apt_unattended_upgrades/tasks/main.yml
+++ b/roles/debian/apt_unattended_upgrades/tasks/main.yml
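Review bot: The three new keys break the snake_case naming every sibling under `apt_unattended_upgrades` uses (`automatic_reboot_time`, `enable_syslog`), and `rebootnotifyallow` does not read as the on/off switch it is. Since the tasks and templates in this same commit are the only consumers, renaming to `reboot_notify_enable`, `reboot_notify_mail_from` and `reboot_notify_mail_to` is cheap now and costly once the role is in use. The `sysadmins@example.com` defaults also mean a host that enables the feature without overriding both addresses sends root-originated mail to a reserved domain; a comment such as `# Must be overridden: example.com is a reserved domain` on both address keys would make that explicit.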
@@ -55,3 +55,74 @@
 state: restarted
 enabled: true
 when: apt_unattended_upgrades.enable
+
+- name: Deploy apt reboot hook
+ ansible.builtin.copy:
+ dest: /etc/apt/apt.conf.d/99notify-reboot
+ owner: root
+ group: root
+ mode: "0644"
+ content: 'DPkg::Post-Invoke { "/usr/local/sbin/apt-reboot-notify-hook"; };'
+ backup: true
+ force: true
+ when:
+ - apt_unattended_upgrades.enable
+ - apt_unattended_upgrades.rebootnotifyallow
+
+- name: Deploy apt-reboot-notify-hook script
+ ansible.builtin.template:
+ src: apt-reboot-notify-hook.j2
+ dest: /usr/local/sbin/apt-reboot-notify-hook
+ owner: root
+ group: root
+ mode: "0755"
+ force: true
+ when:
+ - apt_unattended_upgrades.enable
+ - apt_unattended_upgrades.rebootnotifyallow
+
+- name: Install reboot-required daily reminder script
+ ansible.builtin.template:
+ src: reboot-required-notify.j2
+ dest: /usr/local/sbin/reboot-required-notify
+ owner: root
+ group: root
+ mode: "0755"
+ force: true
+ when:
+ - apt_unattended_upgrades.enable
+ - apt_unattended_upgrades.rebootnotifyallow
+
+- name: Install reboot-required systemd service
+ ansible.builtin.template:
+ src: reboot-required-notify.service.j2
+ dest: /etc/systemd/system/reboot-required-notify.service
+ owner: root
+ group: root
+ mode: "0644"
+ force: true
+ when:
+ - apt_unattended_upgrades.enable
+ - apt_unattended_upgrades.rebootnotifyallow
+
+- name: Install reboot-required systemd timer
+ ansible.builtin.template:
+ src: reboot-required-notify.timer.j2
+ dest: /etc/systemd/system/reboot-required-notify.timer
+ owner: root
+ group: root
+ mode: "0644"
+ force: true
+ when:
+ - apt_unattended_upgrades.enable
+ - apt_unattended_upgrades.rebootnotifyallow
+
+- name: Reload systemd and enable reboot-required timer
+ ansible.builtin.systemd_service:
+ state: restarted
+ enabled: true
+ daemon_reload: true
+ name: reboot-required-notify.timer
+ when:
+ - apt_unattended_upgrades.enable
+ - apt_unattended_upgrades.rebootnotifyallow
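Review bot: The `Deploy apt reboot hook` task writes `/etc/apt/apt.conf.d/99notify-reboot` before the script it points at is deployed by the following task, and nothing in the hunk removes the snippet, the scripts or the timer when `rebootnotifyallow` is later set back to `false`. Both cases leave apt with a `DPkg::Post-Invoke` entry for a missing or stale executable, and apt treats a failing Post-Invoke command as an error for the whole run, which includes the unattended-upgrades runs this role exists to keep working. Moving the script deployment above the `copy` task fixes the ordering; a set of `state: absent` / `enabled: false` tasks keyed on `not apt_unattended_upgrades.rebootnotifyallow` makes the flag reversible, roughly as below (the timer is stopped only if its unit file exists, since `systemd_service` fails on an unknown unit).

```yaml
# … unchanged: deploy hook script, reminder script, service and timer first, then the apt.conf.d snippet …

- name: Check whether reboot-required timer is installed
  ansible.builtin.stat:
    path: /etc/systemd/system/reboot-required-notify.timer
  register: reboot_notify_timer
  when: not apt_unattended_upgrades.rebootnotifyallow

- name: Stop and disable reboot-required timer when notifications are disabled
  ansible.builtin.systemd_service:
    name: reboot-required-notify.timer
    state: stopped
    enabled: false
  when:
    - not apt_unattended_upgrades.rebootnotifyallow
    - reboot_notify_timer.stat.exists

- name: Remove reboot notify files when notifications are disabled
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/apt/apt.conf.d/99notify-reboot
    - /usr/local/sbin/apt-reboot-notify-hook
    - /usr/local/sbin/reboot-required-notify
    - /etc/systemd/system/reboot-required-notify.service
    - /etc/systemd/system/reboot-required-notify.timer
  when: not apt_unattended_upgrades.rebootnotifyallow
```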
diff --git a/roles/debian/apt_unattended_upgrades/templates/apt-reboot-notify-hook.j2 b/roles/debian/apt_unattended_upgrades/templates/apt-reboot-notify-hook.j2
new file mode 100644
index 000000000..98676b7d2
--- /dev/null
+++ b/roles/debian/apt_unattended_upgrades/templates/apt-reboot-notify-hook.j2
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+if [ -f /run/reboot-required ] && [ ! -f /run/reboot-mail-sent ]; then
+ HOST=$(/bin/hostname -f)
+ printf 'A reboot is required on %s\n\nFlag: /run/reboot-required\n' "$HOST" \
+ | /usr/bin/mail -s "Reboot required on $HOST" -r "{{ apt_unattended_upgrades.rebootnotifymailfrom }}" "{{ apt_unattended_upgrades.rebootnotifymailto }}"
+ /usr/bin/touch /run/reboot-mail-sent
+fi
+exit 0
diff --git a/roles/debian/apt_unattended_upgrades/templates/reboot-required-notify.j2 b/roles/debian/apt_unattended_upgrades/templates/reboot-required-notify.j2
new file mode 100644
index 000000000..21104dca1
--- /dev/null
+++ b/roles/debian/apt_unattended_upgrades/templates/reboot-required-notify.j2
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -eu
+HOST="$(/bin/hostname -f)"
+STAMP_DIR="/var/lib/reboot-notify"
+STAMP_FILE="${STAMP_DIR}/last-notified"
+TODAY="$(/bin/date +%F)"
+if [ ! -f /run/reboot-required ]; then exit 0; fi
+/bin/mkdir -p "$STAMP_DIR"
+if [ -f "$STAMP_FILE" ] && [ "$(cat "$STAMP_FILE")" = "$TODAY" ]; then exit 0; fi
+(
+ echo "A reboot is still required on ${HOST}."
+ echo
+ echo "Flag present: /run/reboot-required"
+) | /usr/bin/mail -s "Reminder: reboot required on ${HOST}" -r "{{ apt_unattended_upgrades.rebootnotifymailfrom }}" "{{ apt_unattended_upgrades.rebootnotifymailto }}"
+echo "$TODAY" > "$STAMP_FILE"
diff --git a/roles/debian/apt_unattended_upgrades/templates/reboot-required-notify.service.j2 b/roles/debian/apt_unattended_upgrades/templates/reboot-required-notify.service.j2
new file mode 100644
index 000000000..00b01f0d0
--- /dev/null
+++ b/roles/debian/apt_unattended_upgrades/templates/reboot-required-notify.service.j2
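Review bot: With `set -eu` in apt-reboot-notify-hook.j2, a failure of the `/usr/bin/mail` pipeline or of `HOST=$(/bin/hostname -f)` exits the hook non-zero before `exit 0` is reached, and since the hook is wired in as `DPkg::Post-Invoke`, apt then reports an error on every package operation, including the unattended-upgrades runs themselves. Nothing in the diff installs an MTA or a `mail` binary, and `-r` is a bsd-mailx/mailutils option, so this failure mode is realistic on a minimal Debian host, as is `hostname -f` failing where no FQDN resolves. A notification hook must never be able to fail apt: guard with `command -v mail >/dev/null 2>&1 || exit 0` after the flag check, use `HOST=$(/bin/hostname -f 2>/dev/null || /bin/hostname)`, and end the mail pipeline with `|| exit 0` (or drop `-e`) so a delivery problem only costs the notification.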
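Review bot: In reboot-required-notify.j2 the two addresses are expanded verbatim inside double-quoted shell words on the `/usr/bin/mail` line, so a value containing `"`, `$(` or a backtick in inventory or group_vars becomes shell code executed as root by the timer service (the hook script uses the same pattern). The values are operator-controlled, so this is hardening rather than an exposure, but Ansible's `quote` filter closes it at no cost: `-r {{ apt_unattended_upgrades.rebootnotifymailfrom | quote }} {{ apt_unattended_upgrades.rebootnotifymailto | quote }}` with the surrounding double quotes removed. A one-line comment above `STAMP_DIR` noting that `/var/lib/reboot-notify/last-notified` deliberately survives reboots while `/run/reboot-required` does not would also save the next reader from wondering why the stamp is not under `/run` like the hook's `/run/reboot-mail-sent`.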
@@ -0,0 +1,5 @@
+[Unit]
+Description=Send daily email reminder if /run/reboot-required exists
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/reboot-required-notify
diff --git a/roles/debian/apt_unattended_upgrades/templates/reboot-required-notify.timer.j2 b/roles/debian/apt_unattended_upgrades/templates/reboot-required-notify.timer.j2
new file mode 100644
index 000000000..5fa3a3796
--- /dev/null
+++ b/roles/debian/apt_unattended_upgrades/templates/reboot-required-notify.timer.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=Daily reminder for reboot-required
+[Timer]
+OnCalendar=08:30
+Persistent=true
+Unit=reboot-required-notify.service
+[Install]
+WantedBy=timers.target
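Review bot: The `[Service]` section of reboot-required-notify.service.j2 runs the reminder as unconfined root with no sandboxing, while all the script needs is to read `/run/reboot-required`, write under `/var/lib/reboot-notify` and hand a message to the local MTA. Adding `ProtectHome=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]` costs nothing for that workload and limits what a compromised `mail` or a bad template edit can reach. `NoNewPrivileges=true` is the option to test before enabling rather than adding blindly, because MTA submission binaries such as postfix's `sendmail` are setgid and would be blocked by it.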