- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
26 lines
929 B
Bash
Executable File
#!/usr/bin/env bash
# Phase 2 Security: Restrict Proxmox API port 8006 to admin CIDR. Default: dry-run.
# Usage: ./scripts/security/firewall-proxmox-8006.sh [--dry-run|--apply] [ADMIN_CIDR]
# Example: ./scripts/security/firewall-proxmox-8006.sh --dry-run ${NETWORK_192_168_11_0:-192.168.11.0}/24

set -euo pipefail

# Dry-run is the default; firewall rules change only when --apply is passed.
DRY_RUN=true
ADMIN_CIDR="${ADMIN_CIDR:-${NETWORK_192_168_11_0:-192.168.11.0}/24}"
for arg in "$@"; do
  [[ "$arg" == "--apply" ]] && DRY_RUN=false
  # Any argument that starts with a digit is taken as the admin CIDR.
  [[ "$arg" =~ ^[0-9].* ]] && ADMIN_CIDR="$arg"
done

echo "[Phase 2 Security] Firewall 8006 (DRY_RUN=$DRY_RUN) ADMIN_CIDR=$ADMIN_CIDR"
if $DRY_RUN; then
  echo "UFW: ufw allow from $ADMIN_CIDR to any port 8006; ufw deny 8006; ufw reload"
  echo "See: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Security"
  exit 0
fi

if command -v ufw &>/dev/null; then
  # UFW evaluates rules in order, so the allow is added before the deny.
  sudo ufw allow from "$ADMIN_CIDR" to any port 8006
  # Without this deny, the allow rule alone does not restrict 8006.
  sudo ufw deny 8006
  sudo ufw reload
  echo "[OK] UFW updated for 8006."
else
  # Fail loudly instead of exiting 0 with nothing applied.
  echo "[ERROR] ufw not found; no firewall rules were changed." >&2
  exit 1
fi