- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com>
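#!/bin/bash
#
# Fix Proxmox Firewall Access - Allow Default Network (192.168.0.0/24)
#
# For every host in PROXMOX_HOSTS that answers ping and accepts root SSH,
# make sure /etc/pve/firewall/host.fw accepts traffic from DEFAULT_NETWORK,
# then compile and restart pve-firewall.
#
# Usage: ./scripts/proxmox/fix-firewall-access.sh
#
# Optional environment (normally provided by config/ip-addresses.conf):
#   PROXMOX_HOST_ML110, PROXMOX_HOST_R630_01, PROXMOX_HOST_R630_02 - host IPs
#   NETWORK_192_168_11_0                                           - management
#                                                                    network base

set -euo pipefail

# Load IP configuration.
# NOTE: `source` executes the config file as shell code, so only a file the
# operators control should live at this path. A missing or unreadable file is
# tolerated on purpose: the hard-coded defaults below are used instead.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

# "ip:short-name" entries; the short name is only used in messages.
PROXMOX_HOSTS=(
  "${PROXMOX_HOST_ML110:-192.168.11.10}:ml110"
  "${PROXMOX_HOST_R630_01:-192.168.11.11}:r630-01"
  "${PROXMOX_HOST_R630_02:-192.168.11.12}:r630-02"
)

# Network that is granted access by the rule add_firewall_rule appends.
DEFAULT_NETWORK="192.168.0.0/24"
# Management network the Proxmox hosts sit on. Not referenced by this script
# itself; kept for operators and for scripts that source this file.
# shellcheck disable=SC2034
CURRENT_NETWORK="${NETWORK_192_168_11_0:-192.168.11.0}/24"

echo "🔧 Proxmox Firewall Configuration Script"
echo ""
echo "This script will configure firewall rules on all Proxmox hosts"
echo "to allow access from Default network (${DEFAULT_NETWORK})"
echo ""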
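#######################################
# Check whether a host answers a single ICMP echo request.
# Arguments: $1 - host IP or name
# Returns:   0 if one ping (2 s timeout) succeeds, 1 otherwise
#######################################
check_host() {
  local host=$1
  # ping's own exit status is the answer. The argument is quoted so an
  # empty or odd value is never split into extra ping arguments.
  ping -c 1 -W 2 "$host" >/dev/null 2>&1 || return 1
}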
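#######################################
# Check non-interactive SSH access as root.
# Arguments: $1 - host IP or name
# Returns:   0 if a trivial command can be run as root@host, 1 otherwise
#######################################
check_ssh() {
  local host=$1
  # BatchMode=yes: never prompt for a password or passphrase. Without it a
  # host that only offers password auth stalls this check on a terminal.
  # NOTE(review): StrictHostKeyChecking=no accepts any host key, so a changed
  # or spoofed key is not detected; prefer `accept-new` (OpenSSH >= 7.6) or a
  # pinned UserKnownHostsFile once the host keys are recorded.
  ssh -o ConnectTimeout=5 -o BatchMode=yes -o StrictHostKeyChecking=no \
    "root@${host}" "echo 'SSH OK'" >/dev/null 2>&1 || return 1
}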
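#######################################
# Print the pve-firewall status reported by a host.
# Arguments: $1 - host IP or name
# Outputs:   stdout of `pve-firewall status` on the host, or the literal
#            'disabled' when that command fails there; nothing if SSH fails
# Returns:   exit status of ssh
#######################################
get_firewall_status() {
  local host=$1
  # BatchMode=yes keeps a password prompt from blocking the script; see
  # check_ssh for the host-key caveat.
  ssh -o ConnectTimeout=5 -o BatchMode=yes -o StrictHostKeyChecking=no "root@${host}" \
    "pve-firewall status 2>/dev/null || echo 'disabled'" 2>/dev/null
}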
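#######################################
# Compile the firewall ruleset on a host.
#
# NOTE(review): despite the name this only runs `pve-firewall compile`; it
# neither writes `enable: 1` nor starts the service. add_firewall_rule writes
# `enable: 1` only into a host.fw it creates itself and restarts the service
# afterwards, so a pre-existing host.fw with the firewall switched off is left
# as is. Confirm whether that is intended.
#
# Arguments: $1 - host IP or name
# Outputs:   'enabled' if compile succeeds, 'error' otherwise (stdout)
# Returns:   exit status of ssh
#######################################
enable_firewall() {
  local host=$1
  ssh -o ConnectTimeout=5 -o BatchMode=yes -o StrictHostKeyChecking=no "root@${host}" \
    "pve-firewall compile 2>/dev/null && echo 'enabled' || echo 'error'" 2>/dev/null
}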
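#######################################
# Check whether a network string already appears in the host's firewall files.
# Arguments: $1 - host IP or name
#            $2 - network in CIDR form, e.g. 192.168.0.0/24
# Returns:   0 if the text occurs in cluster.fw or host.fw; non-zero when it
#            is absent or SSH fails
#######################################
rule_exists() {
  local host=$1
  local network=$2
  local quoted
  # The network is spliced into a remote command line, so quote it for that
  # shell (printf %q) and match it as a fixed string (-F): as a regex the dots
  # in "192.168.0.0" match any character, so "192x168y0z0" would also count.
  quoted=$(printf '%q' "$network")
  ssh -o ConnectTimeout=5 -o BatchMode=yes -o StrictHostKeyChecking=no "root@${host}" \
    "grep -qF -- ${quoted} /etc/pve/firewall/cluster.fw 2>/dev/null || \
     grep -qF -- ${quoted} /etc/pve/firewall/host.fw 2>/dev/null" 2>/dev/null
}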
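#######################################
# Ensure host.fw on a Proxmox host accepts traffic from DEFAULT_NETWORK, then
# compile and restart pve-firewall.
#
# Steps: create /etc/pve/firewall/host.fw (firewall enabled, empty [RULES]) if
# it is missing; append an IN ACCEPT rule for DEFAULT_NETWORK unless the
# network already appears in cluster.fw/host.fw; run enable_firewall when the
# reported status contains "disabled" or is empty; finally compile and restart
# the service.
#
# Globals:   DEFAULT_NETWORK (read)
# Arguments: $1 - host IP or name
#            $2 - short host name, used only in messages
# Outputs:   progress messages on stdout
# Returns:   0 on success; 1 if host.fw could not be prepared or the rule
#            could not be appended
#######################################
add_firewall_rule() {
  local host=$1
  local hostname=$2
  local ssh_target="root@${host}"
  local status

  echo " Configuring firewall on $hostname ($host)..."

  # Create host.fw with the firewall enabled if it does not exist yet. The ssh
  # status is checked explicitly: under `set -e` a failure here used to abort
  # the whole run instead of being reported for this host.
  if ! ssh -o ConnectTimeout=5 -o BatchMode=yes -o StrictHostKeyChecking=no "$ssh_target" \
    "test -f /etc/pve/firewall/host.fw || echo '[OPTIONS]
enable: 1

[RULES]' > /etc/pve/firewall/host.fw" 2>/dev/null; then
    echo " ❌ Could not prepare /etc/pve/firewall/host.fw on $hostname"
    return 1
  fi

  if rule_exists "$host" "$DEFAULT_NETWORK"; then
    echo " ✅ Rule for $DEFAULT_NETWORK already exists"
  else
    echo " ➕ Adding rule to allow $DEFAULT_NETWORK..."
    # The heredoc delimiter is quoted for the *remote* shell; $DEFAULT_NETWORK
    # is expanded locally, before the command string is sent.
    # NOTE(review): the rule accepts every port and protocol from
    # DEFAULT_NETWORK. If only the web UI (8006) and SSH (22) are needed, scope
    # it with -p tcp -dport. Also confirm `-log nocomment` is a log level
    # pve-firewall accepts; the documented "no logging" value is `nolog`.
    # Testing the ssh command directly (instead of `$?` on the next line)
    # keeps the failure branch reachable under `set -e`.
    if ssh -o ConnectTimeout=5 -o BatchMode=yes -o StrictHostKeyChecking=no "$ssh_target" \
      "cat >> /etc/pve/firewall/host.fw << 'EOF'

# Allow Default Network (192.168.0.0/24)
IN ACCEPT -source $DEFAULT_NETWORK -log nocomment
EOF
" 2>/dev/null; then
      echo " ✅ Rule added successfully"
    else
      echo " ❌ Failed to add rule"
      return 1
    fi
  fi

  # Enable the firewall if the status looks disabled. Declaration and
  # assignment are separate so ssh's status is not hidden by `local`; an
  # unreachable host yields an empty status, which is treated as disabled.
  status=$(get_firewall_status "$host") || true
  if [[ "$status" == *"disabled"* || -z "$status" ]]; then
    echo " 🔄 Enabling firewall..."
    enable_firewall "$host"
  fi

  # Compile and restart so the new rule takes effect. Remote errors are
  # tolerated on purpose (best effort); the operator sees the host's state in
  # the web UI.
  echo " 🔄 Compiling firewall rules..."
  ssh -o ConnectTimeout=5 -o BatchMode=yes -o StrictHostKeyChecking=no "$ssh_target" \
    "pve-firewall compile 2>/dev/null && pve-firewall restart 2>/dev/null || true" 2>/dev/null

  echo " ✅ Firewall configured on $hostname"
}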
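# Main execution: probe each host in PROXMOX_HOSTS and configure the ones
# that answer ping and accept root SSH.
echo "📋 Processing Proxmox hosts..."
echo ""

for host_entry in "${PROXMOX_HOSTS[@]}"; do
  # Entries are "ip:name"; IFS is scoped to this read only.
  IFS=':' read -r ip hostname <<< "$host_entry"

  echo "🔍 Checking $hostname ($ip)..."

  if ! check_host "$ip"; then
    echo " ❌ Host $ip is not reachable (ping failed)"
    echo ""
    continue
  fi

  if ! check_ssh "$ip"; then
    echo " ⚠️ SSH access failed - may need to configure SSH keys"
    echo " You can manually configure firewall via web UI:"
    echo " https://$ip:8006 → Datacenter → Firewall → Host Firewall"
    echo ""
    continue
  fi

  # A non-zero return here aborts the run under `set -e`, so hosts later in
  # PROXMOX_HOSTS stay unconfigured; rerun the script after fixing that host.
  add_firewall_rule "$ip" "$hostname"
  echo ""
done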
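#######################################
# Print the closing summary and the manual connectivity checks.
# Globals:   PROXMOX_HOST_ML110, PROXMOX_HOST_R630_01, PROXMOX_HOST_R630_02
#            (read, with the same defaults PROXMOX_HOSTS uses),
#            DEFAULT_NETWORK (read)
# Outputs:   summary text on stdout
#######################################
print_summary() {
  # Same fallbacks as PROXMOX_HOSTS. Without them the web-UI lines below hit
  # `set -u` ("unbound variable") whenever config/ip-addresses.conf was
  # absent, after every host had already been configured.
  local ml110=${PROXMOX_HOST_ML110:-192.168.11.10}
  local r630_01=${PROXMOX_HOST_R630_01:-192.168.11.11}
  local r630_02=${PROXMOX_HOST_R630_02:-192.168.11.12}

  echo "✅ Firewall configuration complete!"
  echo ""
  echo "📋 Summary:"
  echo " All accessible Proxmox hosts have been configured to allow"
  echo " traffic from Default network (${DEFAULT_NETWORK})"
  echo ""
  echo "🧪 Test connectivity:"
  echo " # From Default network (192.168.0.x)"
  echo " ping ${ml110} # ml110"
  echo " ping ${r630_01} # r630-01"
  echo " ping ${r630_02} # r630-02"
  echo ""
  echo " # Web UI access"
  echo " https://${ml110}:8006 # ml110"
  echo " https://${r630_01}:8006 # r630-01"
  echo " https://${r630_02}:8006 # r630-02"
}

print_summary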