scripts/security/run-security-on-proxmox-hosts.sh

#!/usr/bin/env bash
# Run Phase 2 security (SSH key-only, firewall 8006) on all Proxmox hosts via SSH.
# Usage: bash scripts/security/run-security-on-proxmox-hosts.sh [--dry-run|--apply]
# Requires: SSH as root to 192.168.11.10, .11, .12 (or PROXMOX_ML110, PROXMOX_R630_01, PROXMOX_R630_02).
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
[ -f "$PROJECT_ROOT/.env" ] && set +u && source "$PROJECT_ROOT/.env" 2>/dev/null || true && set -u

DRY_RUN=true
[[ "${1:-}" == "--apply" ]] && DRY_RUN=false

HOSTS="${PROXMOX_ML110:-192.168.11.10} ${PROXMOX_R630_01:-192.168.11.11} ${PROXMOX_R630_02:-192.168.11.12}"
ADMIN_CIDR="${ADMIN_CIDR:-${NETWORK_192_168_11_0:-192.168.11.0}/24}"
SSH_OPTS="-o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new"

echo "[Security] Proxmox hosts: $HOSTS (DRY_RUN=$DRY_RUN)"
for h in $HOSTS; do
  echo "--- $h ---"
  if $DRY_RUN; then
    echo "  Would run: SSH key-only (disable password) + UFW allow $ADMIN_CIDR to 8006"
    continue
  fi
  ssh $SSH_OPTS root@"$h" "sudo sed -i.bak 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl reload sshd 2>/dev/null || true" && echo "  SSH: password auth disabled" || echo "  SSH: skip or failed"
  ssh $SSH_OPTS root@"$h" "command -v ufw >/dev/null && (sudo ufw allow from $ADMIN_CIDR to any port 8006; sudo ufw --force reload) || echo '  UFW not found'" && echo "  UFW: 8006 restricted to $ADMIN_CIDR" || echo "  UFW: skip or failed"
done
echo "Done."
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates - ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-12 15:46:57 -08:00			`#!/usr/bin/env bash`
			`# Run Phase 2 security (SSH key-only, firewall 8006) on all Proxmox hosts via SSH.`
			`# Usage: bash scripts/security/run-security-on-proxmox-hosts.sh [--dry-run\|--apply]`
			`# Requires: SSH as root to 192.168.11.10, .11, .12 (or PROXMOX_ML110, PROXMOX_R630_01, PROXMOX_R630_02).`
			`set -euo pipefail`

			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"`
			`source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null \|\| true`
			`[ -f "$PROJECT_ROOT/.env" ] && set +u && source "$PROJECT_ROOT/.env" 2>/dev/null \|\| true && set -u`

			`DRY_RUN=true`
			`[[ "${1:-}" == "--apply" ]] && DRY_RUN=false`

			`HOSTS="${PROXMOX_ML110:-192.168.11.10} ${PROXMOX_R630_01:-192.168.11.11} ${PROXMOX_R630_02:-192.168.11.12}"`
			`ADMIN_CIDR="${ADMIN_CIDR:-${NETWORK_192_168_11_0:-192.168.11.0}/24}"`
			`SSH_OPTS="-o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new"`

			`echo "[Security] Proxmox hosts: $HOSTS (DRY_RUN=$DRY_RUN)"`
			`for h in $HOSTS; do`
			`echo "--- $h ---"`
			`if $DRY_RUN; then`
			`echo " Would run: SSH key-only (disable password) + UFW allow $ADMIN_CIDR to 8006"`
			`continue`
			`fi`
			`ssh $SSH_OPTS root@"$h" "sudo sed -i.bak 's/^#PasswordAuthentication./PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl reload sshd 2>/dev/null \|\| true" && echo " SSH: password auth disabled" \|\| echo " SSH: skip or failed"`
			`ssh $SSH_OPTS root@"$h" "command -v ufw >/dev/null && (sudo ufw allow from $ADMIN_CIDR to any port 8006; sudo ufw --force reload) \|\| echo ' UFW not found'" && echo " UFW: 8006 restricted to $ADMIN_CIDR" \|\| echo " UFW: skip or failed"`
			`done`
			`echo "Done."`