That really depends on your stack. A plain LTS Linux distro + bind9 + zonefile formatted blocking data + security auto updates is pretty hands off to me.
(the tone of that blog post of mine is a bit vitriolic and the advice isn't exactly serious, but the fact of the matter is that sooner or later things will break)
OK, fair enough. I guess you can minimally complicate this by updating an exactly identical machine/boot drive first, and then immediately alerting if health checks fail on that. But it really doesn't seem that bad to me. I've run a VPS that's been self-updating continuously since Feb 2019, and I've not had many breaking issues with the OS.
(the tone of that blog post of mine is a bit vitriolic and the advice isn't exactly serious, but the fact of the matter is that sooner or later things will break)