fix(base): drop dead AUTO_UPDATE knob from base.yml
base.yml set AUTO_UPDATE=1 but never forwarded it to harden-ssh.sh (which defaults to 0), so base hosts never actually scheduled daily updates despite the config implying they did. Auto-update is intentionally bastion-only for now — jumphost.yml / harden-jumphost.sh enable it by default, and base (container) hosts will get a dedicated docker-image updater later — so remove the knob entirely rather than wire it through. No behavior change. Also drop cloud-init/base.yml from the README "Daily updates" line that claimed it takes AUTO_UPDATE=1.
@@ -215,9 +215,9 @@ every key). A publish token is optional — leave it empty for a read-gated topi
[`scripts/auto-update.sh`](scripts/auto-update.sh) keeps a host patched
unattended — ideal for an SSH-only bastion, where a routine upgrade can barely
break anything. `harden-jumphost.sh` schedules it **by default** (set
`AUTO_UPDATE=0` to skip); `harden-ssh.sh` and `cloud-init/base.yml` take
`AUTO_UPDATE=1`. It runs daily via busybox `crond` (`/etc/periodic/daily`) on
Alpine or a systemd timer on Debian/Alma.
`AUTO_UPDATE=0` to skip); `harden-ssh.sh` takes `AUTO_UPDATE=1`. It runs
daily via busybox `crond` (`/etc/periodic/daily`) on Alpine or a systemd
timer on Debian/Alma.
Each run:
- applies all **in-branch** package upgrades (`apk`/`apt`/`dnf`);
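Review bot: the rewritten sentence still reads as if every profile except the jumphost can opt in with `AUTO_UPDATE=1`, but after this change nothing in the README states that `cloud-init/base.yml` schedules no updates at all. Since the commit message says base (container) hosts are intentionally left without a schedule until a dedicated docker-image updater exists, add one sentence to this paragraph saying so, e.g. "`cloud-init/base.yml` does not schedule updates; container hosts are patched by rebuilding their images", so a reader does not assume base hosts are being patched.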
@@ -29,7 +29,6 @@ runcmd:
DATACENTER="Globally Everywhere"
SSH_PORT=22
ALLOWED_IP= # optional: whitelist your client IP in sshguard
AUTO_UPDATE=1 # schedule daily unattended updates (0 to skip)
ENABLE_FIREWALL=1 # deny-by-default host firewall (0 to skip)
OPEN_PORTS="" # extra inbound ports, e.g. "80/tcp 443/tcp"
# ==================
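Review bot: the hunk only shows the variable block, so it does not prove that the later part of `runcmd` which invokes `harden-ssh.sh` no longer references `$AUTO_UPDATE`; please confirm no remaining `AUTO_UPDATE=` or `$AUTO_UPDATE` occurrence is left in `cloud-init/base.yml`, otherwise the knob is half-removed rather than dead. Also, with the `AUTO_UPDATE=1 # schedule daily unattended updates (0 to skip)` line gone, a reader of the variable block has no hint that updates are deliberately not scheduled on base hosts; a one-line comment in its place, such as `# no auto-update here: container hosts get a docker-image updater later`, would record the intent stated in the commit message.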