[westurner]

Unattended upgrades fail and sit there requiring manual intervention (due to lack of transactional updates and/or multiple flash slots (root partitions and bootloader configuration)).

Pull style configuration requires the device to hold credentials in order to authorize access to download the new policy set.

It's possible to add an /etc/init.d that runs sysupgrade on boot, install Python and Ansible, configure and confirm remote logging, and then run `ansible-pull`.

ansible-openwrt eliminates the need to have Python on a device: https://github.com/gekmihesg/ansible-openwrt

But then log collection; unless all of the nodes have correctly configured log forwarding at each stage of firmware upgrade, pull-style configuration management will lose logs that push-style configuration management can easily centrally log.