From 13535da3d8da0d29906e2f176127f7bb82b2d207 Mon Sep 17 00:00:00 2001 From: William Gill Date: Fri, 12 Jun 2026 17:23:55 -0500 Subject: [PATCH] fix(base): drop dead AUTO_UPDATE knob from base.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit base.yml set AUTO_UPDATE=1 but never forwarded it to harden-ssh.sh (which defaults to 0), so base hosts never actually scheduled daily updates despite the config implying they did. Auto-update is intentionally bastion-only for now — jumphost.yml / harden-jumphost.sh enable it by default, and base (container) hosts will get a dedicated docker-image updater later — so remove the knob entirely rather than wire it through. No behavior change. Also drop cloud-init/base.yml from the README "Daily updates" line that claimed it takes AUTO_UPDATE=1. --- README.md | 6 +++--- cloud-init/base.yml | 1 - 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index ad21e56..4594066 100644 --- a/README.md +++ b/README.md @@ -215,9 +215,9 @@ every key). A publish token is optional — leave it empty for a read-gated topi [`scripts/auto-update.sh`](scripts/auto-update.sh) keeps a host patched unattended — ideal for an SSH-only bastion, where a routine upgrade can barely break anything. `harden-jumphost.sh` schedules it **by default** (set -`AUTO_UPDATE=0` to skip); `harden-ssh.sh` and `cloud-init/base.yml` take -`AUTO_UPDATE=1`. It runs daily via busybox `crond` (`/etc/periodic/daily`) on -Alpine or a systemd timer on Debian/Alma. +`AUTO_UPDATE=0` to skip); `harden-ssh.sh` takes `AUTO_UPDATE=1`. It runs +daily via busybox `crond` (`/etc/periodic/daily`) on Alpine or a systemd +timer on Debian/Alma. Each run: - applies all **in-branch** package upgrades (`apk`/`apt`/`dnf`); diff --git a/cloud-init/base.yml b/cloud-init/base.yml index dd9738e..a499833 100644 --- a/cloud-init/base.yml +++ b/cloud-init/base.yml 
@@ -29,7 +29,6 @@ runcmd: DATACENTER="Globally Everywhere" SSH_PORT=22 ALLOWED_IP= # optional: whitelist your client IP in sshguard - AUTO_UPDATE=1 # schedule daily unattended updates (0 to skip) ENABLE_FIREWALL=1 # deny-by-default host firewall (0 to skip) OPEN_PORTS="" # extra inbound ports, e.g. "80/tcp 443/tcp" # ==================
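Review bot: in the README hunk the rewritten "Daily updates" sentence now lists only `harden-jumphost.sh` and `harden-ssh.sh`, so a reader who deploys `cloud-init/base.yml` cannot tell from this section that base hosts deliberately get no scheduled updates; that rationale exists only in the commit message. Suggest adding one sentence after the rewritten lines, e.g. "`cloud-init/base.yml` does not schedule updates; base (container) hosts are patched separately.", so operators do not assume the bastion-only default applies to every host.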
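Review bot: in the base.yml hunk, deleting the `AUTO_UPDATE=1` line from `runcmd` leaves nothing in the file saying that updates are intentionally unscheduled; since `harden-ssh.sh` defaults to 0 the effective state is unchanged, as the commit message says, but it is now invisible next to `ENABLE_FIREWALL=1` and `OPEN_PORTS`. Suggest replacing the removed line with a comment instead of a bare deletion, e.g. `# AUTO_UPDATE intentionally unset: base hosts get a dedicated updater later`, so the next person editing this block does not re-add the knob or assume base hosts are patched.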