Add auto-updates and Docker log rotation to server setup

In the "Secure Your Server" guide step:
- Install unattended-upgrades for automatic OS security patches
- dpkg-reconfigure to enable daily auto-updates
- Callout explaining auto-updates won't touch Docker/WordPress
- Create /etc/docker/daemon.json with log rotation (10MB max,
  3 files per container) before Docker is installed
- mkdir -p to handle pre-Docker directory creation
- Harmless docker restart with || true fallback
- Updated intro text to reflect four setup concerns

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
constantprojects
2026-02-23 16:25:20 -07:00
parent f8983792f7
commit d63701abfb


@@ -151,9 +151,9 @@ If you get "Connection refused" or "Connection timed out," wait a minute — you
[step: Secure Your Server] [step: Secure Your Server]
Before installing anything else, let's lock down your server with a **firewall** and **brute-force protection**. This takes about 2 minutes and prevents the vast majority of automated attacks. Before installing anything else, let's lock down your server with a **firewall**, **brute-force protection**, **automatic security updates**, and **Docker log management**. This takes about 3 minutes and prevents the vast majority of problems before they start.
Think of it this way: your server is now on the public internet, and automated bots are already scanning it looking for easy targets. These two tools stop them cold. Think of it this way: your server is now on the public internet, and automated bots are already scanning it looking for easy targets. These steps stop them cold and keep your server healthy long-term.
**First, update your server's software:** **First, update your server's software:**
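Review bot: the rewritten second paragraph credits all four steps with stopping bots ("These steps stop them cold and keep your server healthy long-term"), but only the firewall and fail2ban do that; unattended-upgrades and log rotation are maintenance, not intrusion defence. Suggest splitting the sentence so the claim stays accurate, e.g. "The first two stop them cold; the other two keep your server patched and healthy long-term."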
@@ -165,15 +165,16 @@ apt update && apt upgrade -y
This may take a minute. If you see a pink/purple screen asking about restarting services, just press **Enter** to accept the defaults. This may take a minute. If you see a pink/purple screen asking about restarting services, just press **Enter** to accept the defaults.
**Install the firewall and fail2ban:** **Install the firewall, fail2ban, and automatic updates:**
[code:bash] [code:bash]
apt install -y ufw fail2ban apt install -y ufw fail2ban unattended-upgrades
[/code] [/code]
This installs two tools: This installs three tools:
- [UFW](https://wiki.ubuntu.com/UncomplicatedFirewall) (Uncomplicated Firewall) — blocks all network traffic except what you explicitly allow - [UFW](https://wiki.ubuntu.com/UncomplicatedFirewall) (Uncomplicated Firewall) — blocks all network traffic except what you explicitly allow
- [Fail2ban](https://www.fail2ban.org/) — watches for repeated failed login attempts and automatically bans those IP addresses - [Fail2ban](https://www.fail2ban.org/) — watches for repeated failed login attempts and automatically bans those IP addresses
- [Unattended Upgrades](https://wiki.debian.org/UnattendedUpgrades) — automatically installs security patches so you don't have to remember to do it manually
**Configure the firewall:** **Configure the firewall:**
@@ -264,8 +265,58 @@ This shows fail2ban is monitoring SSH login attempts. After a few hours online,
**What does fail2ban actually do?** By default, if someone (or a bot) fails to log in via SSH 5 times within 10 minutes, fail2ban bans their IP address for 10 minutes. This makes brute-force password guessing effectively impossible — a bot that can try thousands of passwords per second gets cut off after just 5 attempts. **What does fail2ban actually do?** By default, if someone (or a bot) fails to log in via SSH 5 times within 10 minutes, fail2ban bans their IP address for 10 minutes. This makes brute-force password guessing effectively impossible — a bot that can try thousands of passwords per second gets cut off after just 5 attempts.
[/callout] [/callout]
**Enable automatic security updates:**
Your server should install security patches on its own — you don't want to rely on remembering to SSH in and run updates. Enable it with:
[code:bash]
dpkg-reconfigure -plow unattended-upgrades
[/code]
When asked "Automatically download and install stable updates?", select **Yes** and press Enter.
That's all it takes. From now on, your server will check for and install security updates daily in the background. It won't restart your server or touch your website — it only patches the underlying operating system.
[callout:info]
**Will auto-updates break anything?** No. Unattended upgrades only installs security patches for your operating system (Ubuntu/Debian), not major version upgrades. It won't touch Docker, WordPress, or anything in your website. It's the same type of automatic update your phone does overnight.
[/callout]
**Set up Docker log rotation:**
Docker containers generate log files that grow over time. Without a size limit, these logs can eventually fill up your server's disk. Let's set a sensible limit now so this never becomes a problem.
Create the Docker configuration file:
[code:bash]
mkdir -p /etc/docker
cat > /etc/docker/daemon.json << 'EOF'
{
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
}
}
EOF
[/code]
This tells Docker to:
- Keep each log file to a maximum of **10 megabytes**
- Keep at most **3** rotated log files per container
- That's a maximum of 30 MB of logs per container — plenty for troubleshooting, but no risk of filling your disk
[callout:info]
You're running this **before** the WebsiteBox installer, so Docker may or may not be installed yet. That's fine — if Docker isn't installed yet, the file will be waiting for it. If Docker is already installed, restart it to apply the setting: `systemctl restart docker`
[/callout]
Now restart Docker if it's already running (if it's not installed yet, this will harmlessly fail):
[code:bash]
systemctl restart docker 2>/dev/null || true
[/code]
[callout:tip] [callout:tip]
**That's it for server security.** You now have a firewall blocking all unnecessary ports and fail2ban stopping brute-force attacks. Combined with the security features WebsiteBox sets up later (Wordfence, rate-limited logins, encrypted HTTPS), your server will be well-protected. For further hardening down the road, see the "Going Further" step at the end of this guide. **That's it for server setup.** You now have a firewall blocking all unnecessary ports, fail2ban stopping brute-force attacks, automatic security updates keeping your OS patched, and Docker log rotation preventing disk bloat. Combined with the security features WebsiteBox sets up later (Wordfence, rate-limited logins, encrypted HTTPS), your server will be well-protected and low-maintenance. For further hardening down the road, see the "Going Further" step at the end of this guide.
[/callout] [/callout]
[step: Run the Installer] [step: Run the Installer]
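Review bot: the heredoc `cat > /etc/docker/daemon.json` unconditionally overwrites any existing daemon.json, which contradicts the callout's own "If Docker is already installed" case: a reader who already has Docker configured (storage driver, registry mirror, live-restore) loses those settings silently, and Docker will also refuse to start if the file is malformed. Suggest guarding it, e.g. `if [ -e /etc/docker/daemon.json ]; then echo "daemon.json already exists, add the log-opts to it by hand"; else cat > /etc/docker/daemon.json << 'EOF' ... ; fi`, or at least stating in the callout that the file must not already exist. Three smaller points in the same region: (1) `log-opts` in daemon.json apply only to containers created after the daemon restart, so if containers already exist, `systemctl restart docker` will not change their logging and they would need to be recreated; (2) the callout and the paragraph after it both give the `systemctl restart docker` command, so drop one, and `2>/dev/null || true` also swallows a genuine failure when Docker is installed, where `systemctl is-active --quiet docker && systemctl restart docker` expresses the intent without hiding errors; (3) the auto-updates text says "It won't restart your server", which is the default and correct, but that also means kernel and libc security patches only take effect after a manual reboot; a sentence about checking `/var/run/reboot-required` (or scheduling an occasional reboot) would keep the "keeping your OS patched" promise honest. Finally, "It won't touch Docker" holds when Docker comes from Docker's own apt repository, which is outside the default Allowed-Origins, but not if the installer uses Ubuntu's `docker.io` package, whose security updates would be applied and would restart the daemon and its containers; consider softening that claim.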