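#!/usr/bin/env bash
# Phase 2 Security: Restrict Proxmox API port 8006 to an admin CIDR via UFW.
#
# Applies "allow from ADMIN_CIDR to any port 8006" followed by "deny 8006".
# UFW matches rules in order (first match wins), so the allow rule is added
# BEFORE the deny rule; keep that order. A pre-existing rule for 8006 earlier
# in the ruleset would shadow these — check `ufw status numbered` first.
#
# Default mode is dry-run: the commands are printed, nothing is changed.
# Before --apply, confirm ADMIN_CIDR covers the workstation you administer
# Proxmox from, or the web UI/API becomes unreachable from it.
#
# Usage:   ./scripts/security/firewall-proxmox-8006.sh [--dry-run|--apply] [ADMIN_CIDR]
# Example: ./scripts/security/firewall-proxmox-8006.sh --dry-run ${NETWORK_192_168_11_0:-192.168.11.0}/24
# Env:     ADMIN_CIDR (overrides the default), NETWORK_192_168_11_0 (default network prefix)
set -euo pipefail

readonly PROXMOX_PORT=8006
DRY_RUN=true
ADMIN_CIDR="${ADMIN_CIDR:-${NETWORK_192_168_11_0:-192.168.11.0}/24}"

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'Usage: %s [--dry-run|--apply] [ADMIN_CIDR]\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Parse arguments into DRY_RUN / ADMIN_CIDR.
# Unknown arguments abort instead of being silently ignored, so a typo cannot
# end up applying the default CIDR unnoticed.
# Globals:   DRY_RUN (written), ADMIN_CIDR (written)
# Arguments: the script's "$@"
#######################################
parse_args() {
  local arg
  for arg in "$@"; do
    case "$arg" in
      --apply) DRY_RUN=false ;;
      --dry-run) DRY_RUN=true ;;
      -h|--help) usage ;;
      *)
        # Only an IPv4 address or IPv4 CIDR is accepted as the admin range:
        # the value is passed straight to ufw, so anything else is rejected.
        # IPv6 ranges are not supported by this script.
        if [[ "$arg" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
          ADMIN_CIDR="$arg"
        else
          die "unrecognised argument: $arg (expected --apply, --dry-run or an IPv4 CIDR)"
        fi
        ;;
    esac
  done
}

#######################################
# Apply the UFW rules. Order matters: allow-from-CIDR first, then deny.
# Globals:   ADMIN_CIDR (read), PROXMOX_PORT (read)
# Returns:   non-zero if any ufw command fails (set -e aborts the script)
#######################################
apply_rules() {
  sudo ufw allow from "$ADMIN_CIDR" to any port "$PROXMOX_PORT"
  # Without this deny rule the port stays reachable from every other source;
  # the allow rule alone does not restrict anything.
  sudo ufw deny "$PROXMOX_PORT"
  sudo ufw reload
}

main() {
  parse_args "$@"
  printf '[Phase 2 Security] Firewall %s (DRY_RUN=%s) ADMIN_CIDR=%s\n' \
    "$PROXMOX_PORT" "$DRY_RUN" "$ADMIN_CIDR"

  if $DRY_RUN; then
    echo "UFW: ufw allow from $ADMIN_CIDR to any port 8006; ufw deny 8006; ufw reload"
    echo "See: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Security"
    return 0
  fi

  # Exiting 0 with nothing applied would look like success; fail loudly instead.
  command -v ufw >/dev/null 2>&1 \
    || die "[ERROR] ufw not found; no firewall change was applied."

  apply_rules

  # Rules are stored even when UFW is disabled, but not enforced. Capture the
  # output rather than piping into grep -q, so pipefail cannot misreport.
  local status
  status=$(sudo ufw status 2>/dev/null || true)
  if [[ "$status" != *"Status: active"* ]]; then
    printf '[WARN] ufw is not active; rules were added but are not enforced until ufw is enabled.\n' >&2
  fi

  printf '[OK] UFW updated for %s: allow from %s, deny all other sources.\n' \
    "$PROXMOX_PORT" "$ADMIN_CIDR"
}

main "$@"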