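#!/usr/bin/env bash
# Secure Validator Key Permissions (W1-19).
#
# Run on the Proxmox host as root after validator keys are deployed. For every
# running validator container it tightens the key directory inside the guest:
# key files (*.pem, *.priv, key) -> 0600, directories -> 0700, ownership ->
# besu:besu, and then re-reads the tree to confirm nothing it targeted is still
# group/world accessible or owned by someone else. A container where any step
# fails is reported on stderr and the script exits non-zero instead of
# reporting "secured" for it.
#
# Usage: sudo bash scripts/secure-validator-keys.sh [--dry-run]
#
# Optional environment overrides (defaults match the W1-19 deployment):
#   VALIDATOR_VMIDS  space-separated container IDs   (default: 1000 1001 1002 1003 1004)
#   KEY_DIR          key directory inside the guest  (default: /keys/validators)
#   KEY_OWNER        owner:group applied to KEY_DIR  (default: besu:besu)
#
# Exit status: 0 when every running container is secured (or in --dry-run),
# 1 when the environment is wrong or hardening failed in any container,
# 2 on a usage error.
set -euo pipefail

# shellcheck disable=SC2034 — not referenced below
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && pwd)"
readonly SCRIPT_DIR

usage() {
  printf 'Usage: %s [--dry-run]\n' "${0##*/}" >&2
  exit 2
}

DRY_RUN=false
case "${1:-}" in
  '') ;;
  --dry-run) DRY_RUN=true ;;
  *) usage ;;
esac
readonly DRY_RUN

# Targets. Each VMID is validated as a plain integer in main() before it is
# handed to pct.
read -r -a VMIDS <<< "${VALIDATOR_VMIDS:-1000 1001 1002 1003 1004}"
readonly VMIDS
readonly KEY_DIR="${KEY_DIR:-/keys/validators}"
readonly KEY_OWNER="${KEY_OWNER:-besu:besu}"
readonly KEY_USER="${KEY_OWNER%%:*}"   # user part of owner:group, for the ownership check

# Colors
readonly GREEN='\033[0;32m'
readonly BLUE='\033[0;34m'
readonly YELLOW='\033[1;33m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'

# Log helpers: the message is a printf argument (%s), never the format string,
# so paths containing '%' or backslashes are printed verbatim.
log_info()    { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$*"; }
log_success() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$*"; }
log_warn()    { printf '%b[WARNING]%b %s\n' "$YELLOW" "$NC" "$*" >&2; }
log_error()   { printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$*" >&2; }

#######################################
# Run a command inside a container.
# Arguments: $1 - VMID, remaining - command and its arguments
# Returns:   the status of the command inside the guest
#######################################
in_ct() {
  local vmid=$1
  shift
  pct exec "$vmid" -- "$@"
}

#######################################
# Tighten KEY_DIR inside one running container and verify the result.
# Globals:   KEY_DIR, KEY_OWNER, KEY_USER (read)
# Arguments: $1 - VMID
# Outputs:   a diagnostic for every failed step and every offending path (stderr)
# Returns:   0 if all steps succeeded and the post-check is clean, 1 otherwise
#######################################
secure_container() {
  local vmid=$1
  local failed=0

  # Private key material -> 0600. Only the known key file names are touched so
  # that non-secret files in the tree keep the mode the deployment gave them.
  in_ct "$vmid" find "$KEY_DIR" -type f \
      \( -name '*.pem' -o -name '*.priv' -o -name 'key' \) \
      -exec chmod 600 {} + \
    || { log_error "Container $vmid: chmod 600 on key files failed"; failed=1; }

  # Directories -> 0700 so the tree cannot even be listed by other users.
  in_ct "$vmid" find "$KEY_DIR" -type d -exec chmod 700 {} + \
    || { log_error "Container $vmid: chmod 700 on directories failed"; failed=1; }

  # Ownership -> the service account that reads the keys.
  in_ct "$vmid" chown -R "$KEY_OWNER" "$KEY_DIR" \
    || { log_error "Container $vmid: chown $KEY_OWNER failed"; failed=1; }

  # Post-check: re-read the tree and list anything still group/world accessible
  # (-perm /077) or not owned by KEY_USER. Scoped to the same files and
  # directories the steps above target, so it cannot flag files never touched.
  local leftovers
  leftovers=$(in_ct "$vmid" find "$KEY_DIR" \
      \( -type d -o \( -type f \( -name '*.pem' -o -name '*.priv' -o -name 'key' \) \) \) \
      \( -perm /077 -o ! -user "$KEY_USER" \) 2>/dev/null) \
    || { log_error "Container $vmid: permission check could not run"; failed=1; }
  if [[ -n "$leftovers" ]]; then
    log_error "Container $vmid: paths still group/world accessible or wrongly owned:"
    while IFS= read -r path; do
      printf '  %s\n' "$path" >&2
    done <<< "$leftovers"
    failed=1
  fi

  return "$failed"
}

#######################################
# Entry point: environment checks, then one pass over VMIDS.
# Globals:   DRY_RUN, VMIDS, KEY_DIR, KEY_OWNER (read)
# Returns:   exits 1 if any running container could not be secured
#######################################
main() {
  if ! command -v pct >/dev/null 2>&1; then
    printf '%s\n' "Error: pct command not found. This script must be run on Proxmox host." >&2
    exit 1
  fi

  if [[ $EUID -ne 0 && "$DRY_RUN" != true ]]; then
    printf '%s\n' "Error: This script must be run as root (or use --dry-run to preview)" >&2
    exit 1
  fi

  local vmid
  for vmid in "${VMIDS[@]}"; do
    # Reject anything that is not a plain integer before it reaches pct.
    [[ "$vmid" =~ ^[0-9]+$ ]] || { log_error "Invalid VMID '$vmid' in VALIDATOR_VMIDS"; exit 1; }
  done

  if [[ "$DRY_RUN" == true ]]; then
    log_info "DRY-RUN: would secure validator keys in VMIDs ${VMIDS[*]} (chmod 600/700, chown ${KEY_OWNER})"
  fi

  # Secure keys in validator containers; remember every container that failed.
  local -a failed_vmids=()
  for vmid in "${VMIDS[@]}"; do
    if ! pct status "$vmid" 2>/dev/null | grep -q running; then
      log_warn "Container $vmid is not running, skipping"
      continue
    fi

    log_info "Securing keys in container $vmid..."
    if [[ "$DRY_RUN" == true ]]; then
      log_info "  [DRY-RUN] would: chmod 600 *.pem/*.priv/key files under ${KEY_DIR}; chmod 700 dirs; chown -R ${KEY_OWNER}; then verify nothing is group/world accessible"
    elif secure_container "$vmid"; then
      log_success "Container $vmid secured"
    else
      failed_vmids+=("$vmid")
    fi
  done

  if (( ${#failed_vmids[@]} > 0 )); then
    log_error "Key hardening FAILED in container(s): ${failed_vmids[*]}"
    exit 1
  fi
  log_success "Validator key security check complete!"
}

main "$@"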