fix(base): drop dead AUTO_UPDATE knob from base.yml

base.yml set AUTO_UPDATE=1 but never forwarded it to harden-ssh.sh (which
defaults to 0), so base hosts never actually scheduled daily updates despite
the config implying they did. Auto-update is intentionally bastion-only for
now — jumphost.yml / harden-jumphost.sh enable it by default, and base
(container) hosts will get a dedicated docker-image updater later — so remove
the knob entirely rather than wire it through. No behavior change.

Also drop cloud-init/base.yml from the README "Daily updates" line that
claimed it takes AUTO_UPDATE=1.
2026-06-12 17:23:55 -05:00
parent e23557b4fb
commit 13535da3d8
2 changed files with 3 additions and 4 deletions
+3 -3
@@ -215,9 +215,9 @@ every key). A publish token is optional — leave it empty for a read-gated topi
[`scripts/auto-update.sh`](scripts/auto-update.sh) keeps a host patched
unattended — ideal for an SSH-only bastion, where a routine upgrade can barely
break anything. `harden-jumphost.sh` schedules it **by default** (set
`AUTO_UPDATE=0` to skip); `harden-ssh.sh` and `cloud-init/base.yml` take
`AUTO_UPDATE=1`. It runs daily via busybox `crond` (`/etc/periodic/daily`) on
Alpine or a systemd timer on Debian/Alma.
`AUTO_UPDATE=0` to skip); `harden-ssh.sh` takes `AUTO_UPDATE=1`. It runs
daily via busybox `crond` (`/etc/periodic/daily`) on Alpine or a systemd
timer on Debian/Alma.
Each run:
- applies all **in-branch** package upgrades (`apk`/`apt`/`dnf`);
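Review bot: the rewritten sentence now only says which scripts do schedule updates, so the README no longer tells an operator that a base (container) host gets no unattended patching at all; since the commit message states that auto-update is intentionally bastion-only and that a docker-image updater is planned, one clause to that effect here (e.g. "base hosts are not auto-updated; a container image updater is planned") would stop readers assuming base.yml hosts are patched. Minor style point in the retained context: "can barely break anything" reads as if upgrades nearly always break things; "can hardly break anything" is what is meant.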
-1
@@ -29,7 +29,6 @@ runcmd:
DATACENTER="Globally Everywhere"
SSH_PORT=22
ALLOWED_IP= # optional: whitelist your client IP in sshguard
AUTO_UPDATE=1 # schedule daily unattended updates (0 to skip)
ENABLE_FIREWALL=1 # deny-by-default host firewall (0 to skip)
OPEN_PORTS="" # extra inbound ports, e.g. "80/tcp 443/tcp"
# ==================
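Review bot: removing the `AUTO_UPDATE=1` assignment from the runcmd variable block matches the commit message (the value was never forwarded to harden-ssh.sh, which defaults to 0), but the visible context stops before the harden-ssh.sh invocation, so confirm that nothing later in runcmd still expands `$AUTO_UPDATE`; if the script block runs under `set -u`, a leftover reference to the now-undefined variable would abort the whole cloud-init run on first boot. The neighbouring knobs (`SSH_PORT`, `ALLOWED_IP`, `ENABLE_FIREWALL`, `OPEN_PORTS`) presumably are forwarded; it would be worth checking that at the same time, since this commit exists precisely because one of them silently was not.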