fixup! docs(netboot): add full netboot setup guide

Author: iav

extensions/netboot/README.md

@@ -500,10 +500,23 @@ VFS: Mounted root (nfs filesystem) readonly on device 0:17.
 helios64 login:
 ```
 
-Default credentials are `root` / `1234` (the wizard was suppressed at
-build time, so the shell is usable immediately). The
-`armbian-firstrun.service` line means SSH host keys have been
-regenerated on this boot — they'll persist in the NFS rootfs.
+For quick lab validation, default credentials are `root` / `1234`
+because the wizard was suppressed at build time. **Do not leave that
+state on any network you don't fully trust** — the wizard is the only
+thing that normally forces a password change, and netboot deliberately
+skips it. Pick one before the first boot on an untrusted LAN:
+
+- set `ROOTPWD=<strong password>` at build time;
+- or provision a sudo-capable user + `authorized_keys` via
+  `userpatches/customize-image.sh` and disable root password login
+  (`PasswordAuthentication no` / `PermitRootLogin prohibit-password`);
+- or write `PRESET_*` into `/root/.not_logged_in_yet` so
+  `preset-firstrun` applies them non-interactively on first boot
+  (the extension preserves non-empty trigger files — see the
+  `armbian-firstlogin` table above).
+
+The `armbian-firstrun.service` line in the boot log means SSH host keys
+have been regenerated on this boot — they'll persist in the NFS rootfs.
 
 ## Troubleshooting