Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Vault Sovereign
64
node-hardening/scripts/10_ufw_plan.sh
Executable file
64
node-hardening/scripts/10_ufw_plan.sh
Executable file
@@ -0,0 +1,64 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
SCRIPT_NAME="$(basename "$0")"
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
|
||||
|
||||
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
|
||||
|
||||
log_info() { echo "[INFO] $(date -Iseconds) $*"; }
|
||||
log_warn() { echo "[WARN] $(date -Iseconds) $*" >&2; }
|
||||
log_error() { echo "[ERROR] $(date -Iseconds) $*" >&2; }
|
||||
|
||||
detect_ssh_client_ip() {
|
||||
if [[ -n "${SSH_CLIENT:-}" ]]; then
|
||||
awk '{print $1}' <<<"$SSH_CLIENT"
|
||||
elif [[ -n "${SSH_CONNECTION:-}" ]]; then
|
||||
awk '{print $1}' <<<"$SSH_CONNECTION"
|
||||
else
|
||||
echo ""
|
||||
fi
|
||||
}
|
||||
|
||||
main() {
|
||||
mkdir -p "$OUTPUT_DIR"
|
||||
local ssh_port="${SSH_PORT:-22}"
|
||||
local allow_http="${ALLOW_HTTP:-true}"
|
||||
local allow_https="${ALLOW_HTTPS:-true}"
|
||||
local ssh_ip
|
||||
ssh_ip="$(detect_ssh_client_ip)"
|
||||
|
||||
log_info "UFW Plan (no changes applied)"
|
||||
log_info "Target SSH_PORT=$ssh_port"
|
||||
[[ -n "$ssh_ip" ]] && log_info "Detected SSH client IP=$ssh_ip" || log_warn "No SSH client IP detected"
|
||||
|
||||
echo
|
||||
echo "--- Intended policy ---"
|
||||
echo "Default: deny incoming"
|
||||
echo "Default: allow outgoing"
|
||||
echo
|
||||
echo "--- Intended allow rules ---"
|
||||
echo "1) Allow SSH: $ssh_port/tcp (always)"
|
||||
if [[ -n "$ssh_ip" ]]; then
|
||||
echo "2) Pin SSH from current client IP: from $ssh_ip to any port $ssh_port/tcp (optional safety)"
|
||||
else
|
||||
echo "2) No client IP detected; IP pinning skipped"
|
||||
fi
|
||||
if [[ "$allow_http" == "true" ]]; then
|
||||
echo "3) Allow HTTP: 80/tcp"
|
||||
else
|
||||
echo "3) HTTP not allowed"
|
||||
fi
|
||||
if [[ "$allow_https" == "true" ]]; then
|
||||
echo "4) Allow HTTPS: 443/tcp"
|
||||
else
|
||||
echo "4) HTTPS not allowed"
|
||||
fi
|
||||
echo
|
||||
echo "--- Safety notes ---"
|
||||
echo "- Apply script will refuse unless DRY_RUN=0"
|
||||
echo "- If you are on SSH, keep a second session open"
|
||||
}
|
||||
|
||||
[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"
|
||||
Reference in New Issue
Block a user