diff --git a/README.md b/README.md index ad21e56..4594066 100644 --- a/README.md +++ b/README.md @@ -215,9 +215,9 @@ every key). A publish token is optional — leave it empty for a read-gated topi [`scripts/auto-update.sh`](scripts/auto-update.sh) keeps a host patched unattended — ideal for an SSH-only bastion, where a routine upgrade can barely break anything. `harden-jumphost.sh` schedules it **by default** (set -`AUTO_UPDATE=0` to skip); `harden-ssh.sh` and `cloud-init/base.yml` take -`AUTO_UPDATE=1`. It runs daily via busybox `crond` (`/etc/periodic/daily`) on -Alpine or a systemd timer on Debian/Alma. +`AUTO_UPDATE=0` to skip); `harden-ssh.sh` takes `AUTO_UPDATE=1`. It runs +daily via busybox `crond` (`/etc/periodic/daily`) on Alpine or a systemd +timer on Debian/Alma. Each run: - applies all **in-branch** package upgrades (`apk`/`apt`/`dnf`); diff --git a/cloud-init/base.yml b/cloud-init/base.yml index dd9738e..a499833 100644 --- a/cloud-init/base.yml +++ b/cloud-init/base.yml @@ -29,7 +29,6 @@ runcmd: DATACENTER="Globally Everywhere" SSH_PORT=22 ALLOWED_IP= # optional: whitelist your client IP in sshguard - AUTO_UPDATE=1 # schedule daily unattended updates (0 to skip) ENABLE_FIREWALL=1 # deny-by-default host firewall (0 to skip) OPEN_PORTS="" # extra inbound ports, e.g. "80/tcp 443/tcp" # ==================
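Review bot: In the README.md hunk, at the `AUTO_UPDATE` sentence, dropping `cloud-init/base.yml` from the list leaves the README silent on whether a host provisioned through cloud-init gets unattended updates at all. This paragraph is where an operator learns which entry points schedule `scripts/auto-update.sh`, so state the cloud-init behaviour explicitly (whether it schedules the job, and how to enable it afterwards if it does not) rather than only removing the mention.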
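Review bot: In the cloud-init/base.yml hunk, removing `AUTO_UPDATE=1 # schedule daily unattended updates (0 to skip)` from the variable block makes the result depend on the default of whatever script reads these variables, and that script is not visible in this diff. The README text in the same patch says `harden-jumphost.sh` schedules updates by default while `harden-ssh.sh` takes `AUTO_UPDATE=1`, so if the opt-in script is the one run here, hosts provisioned from this file will no longer be patched unattended and nothing in the file says so. If that is the intent, explain it in the commit message and consider keeping an explicit `AUTO_UPDATE=0` with a comment next to `ENABLE_FIREWALL=1` so the choice stays visible; otherwise keep the line.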