scripts/security/firewall-proxmox-8006.sh

#!/usr/bin/env bash
# Phase 2 Security: Restrict Proxmox API port 8006 to admin CIDR. Default: dry-run.
# Usage: ./scripts/security/firewall-proxmox-8006.sh [--dry-run|--apply] [ADMIN_CIDR]
# Example: ./scripts/security/firewall-proxmox-8006.sh --dry-run ${NETWORK_192_168_11_0:-192.168.11.0}/24

set -euo pipefail

DRY_RUN=true
ADMIN_CIDR="${ADMIN_CIDR:-${NETWORK_192_168_11_0:-192.168.11.0}/24}"
for arg in "$@"; do
  [[ "$arg" == "--apply" ]] && DRY_RUN=false
  [[ "$arg" =~ ^[0-9].* ]] && ADMIN_CIDR="$arg"
done

echo "[Phase 2 Security] Firewall 8006 (DRY_RUN=$DRY_RUN) ADMIN_CIDR=$ADMIN_CIDR"
if $DRY_RUN; then
  echo "UFW: ufw allow from $ADMIN_CIDR to any port 8006; ufw deny 8006; ufw reload"
  echo "See: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Security"
  exit 0
fi
if command -v ufw &>/dev/null; then
  sudo ufw allow from "$ADMIN_CIDR" to any port 8006
  sudo ufw reload
  echo "[OK] UFW updated for 8006."
fi
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates - ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-12 15:46:57 -08:00			`#!/usr/bin/env bash`
			`# Phase 2 Security: Restrict Proxmox API port 8006 to admin CIDR. Default: dry-run.`
			`# Usage: ./scripts/security/firewall-proxmox-8006.sh [--dry-run\|--apply] [ADMIN_CIDR]`
			`# Example: ./scripts/security/firewall-proxmox-8006.sh --dry-run ${NETWORK_192_168_11_0:-192.168.11.0}/24`

			`set -euo pipefail`

			`DRY_RUN=true`
			`ADMIN_CIDR="${ADMIN_CIDR:-${NETWORK_192_168_11_0:-192.168.11.0}/24}"`
			`for arg in "$@"; do`
			`[[ "$arg" == "--apply" ]] && DRY_RUN=false`
			`[[ "$arg" =~ ^[0-9].* ]] && ADMIN_CIDR="$arg"`
			`done`

			`echo "[Phase 2 Security] Firewall 8006 (DRY_RUN=$DRY_RUN) ADMIN_CIDR=$ADMIN_CIDR"`
			`if $DRY_RUN; then`
			`echo "UFW: ufw allow from $ADMIN_CIDR to any port 8006; ufw deny 8006; ufw reload"`
			`echo "See: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Security"`
			`exit 0`
			`fi`
			`if command -v ufw &>/dev/null; then`
			`sudo ufw allow from "$ADMIN_CIDR" to any port 8006`
			`sudo ufw reload`
			`echo "[OK] UFW updated for 8006."`
			`fi`