diff --git a/tasks/configure_autoupdate.yml b/tasks/configure_autoupdate.yml
index caf98859009abc3c9d66a0317b26bcd690c1d14a..834cdb746d73694399cef0b67628e667a276e114 100644
--- a/tasks/configure_autoupdate.yml
+++ b/tasks/configure_autoupdate.yml
@@ -33,6 +33,7 @@
       loop:
         - 'APT::Periodic::Update-Package-Lists "1";'
         - 'APT::Periodic::Unattended-Upgrade "1";'
+        - 'APT::Periodic::AutocleanInterval "7";'
     - name: configure unattended upgrade mail settings
       ansible.builtin.lineinfile:
         path: "/etc/apt/apt.conf.d/90unattended-upgrades-mail"
@@ -50,6 +51,20 @@
       ansible.builtin.file:
         path: "/etc/apt/apt.conf.d/51only-security-upgrades"
         state: absent
+    - name: cleanup after apt
+      ansible.builtin.lineinfile:
+        path: "/etc/apt/apt.conf.d/50unattended-upgrades"
+        create: true
+        mode: "0644"
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+      loop:
+        - regexp: '//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'
+          line: 'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'
+        - regexp: '//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";'
+          line: 'Unattended-Upgrade::Remove-New-Unused-Dependencies "true";'
+        - regexp: '//Unattended-Upgrade::Remove-Unused-Dependencies "false";'
+          line: 'Unattended-Upgrade::Remove-Unused-Dependencies "false";'
 
 # based on: https://access.redhat.com/solutions/2823901
 - name: Install & configurate autoupdate (RedHat)
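Review bot: The three `regexp` values in the new "cleanup after apt" task match only the stock commented-out line with that exact value, so on a host where the option is already uncommented with a different value (or spaced differently) nothing matches and `line` is appended, leaving two conflicting settings in the file. Matching on the option name avoids that, e.g. `regexp: '^\s*(//\s*)?Unattended-Upgrade::Remove-Unused-Kernel-Packages\s'`, and likewise for the other two items. `create: true` also deserves a second look: if `50unattended-upgrades` is missing, the task creates a file holding only these three lines, without the packaged defaults such as the allowed origins, so automatic upgrades may silently not apply as expected; whether the package is installed earlier is not visible in this hunk. The neighbouring tasks keep their settings in separate files under `apt.conf.d` (`90unattended-upgrades-mail`), and a dedicated override file here would avoid editing the packaged conffile at all.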