Sync workspace: config, docs, scripts, CI, operator rules, and submodule pointers.

- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains
- Omit embedded publish git dirs and empty placeholders from index

Made-with: Cursor

scripts/security/ensure-proxmox-ssh-access.sh

@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+# Verify key-based SSH from this machine to all Proxmox management targets (read-only by default).
+# Optionally install your pubkey with ssh-copy-id (you will be prompted for password once per host).
+#
+# Usage (repo root):
+#   bash scripts/security/ensure-proxmox-ssh-access.sh
+#   bash scripts/security/ensure-proxmox-ssh-access.sh --fqdn
+#   bash scripts/security/ensure-proxmox-ssh-access.sh --copy   # ssh-copy-id to each target (interactive)
+#
+# Env: SSH_USER (default: PROXMOX_SSH_USER from ip-addresses or root)
+#      SSH_KEY (default: ~/.ssh/id_ed25519.pub or id_rsa.pub)
+
+set -uo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+# shellcheck source=/dev/null
+source "$PROJECT_ROOT/config/ip-addresses.conf"
+
+SSH_USER="${SSH_USER:-${PROXMOX_SSH_USER:-root}}"
+SSH_OPTS=(-o BatchMode=yes -o ConnectTimeout=12 -o StrictHostKeyChecking=accept-new)
+USE_FQDN=0
+DO_COPY=0
+for a in "$@"; do
+	case "$a" in
+		--fqdn) USE_FQDN=1 ;;
+		--copy) DO_COPY=1 ;;
+		-h | --help)
+			sed -n '1,20p' "$0"
+			exit 0
+			;;
+	esac
+done
+
+PUB="${SSH_KEY:-}"
+if [[ -z "$PUB" ]]; then
+	[[ -f "${HOME}/.ssh/id_ed25519.pub" ]] && PUB="${HOME}/.ssh/id_ed25519.pub"
+	[[ -z "$PUB" && -f "${HOME}/.ssh/id_rsa.pub" ]] && PUB="${HOME}/.ssh/id_rsa.pub"
+fi
+
+targets=()
+if [[ "$USE_FQDN" -eq 1 ]]; then
+	targets=(
+		"${PROXMOX_FQDN_ML110}"
+		"${PROXMOX_FQDN_R630_01}"
+		"${PROXMOX_FQDN_R630_02}"
+		"${PROXMOX_FQDN_R630_03}"
+		"${PROXMOX_FQDN_R630_04}"
+	)
+	echo "=== Proxmox SSH check (by FQDN *.sankofa.nexus) ==="
+else
+	targets=(
+		"${PROXMOX_HOST_ML110}"
+		"${PROXMOX_HOST_R630_01}"
+		"${PROXMOX_HOST_R630_02}"
+		"${PROXMOX_HOST_R630_03}"
+		"${PROXMOX_HOST_R630_04}"
+	)
+	echo "=== Proxmox SSH check (by management IP) ==="
+fi
+
+fail=0
+for t in "${targets[@]}"; do
+	printf '%-28s ' "$t"
+	if [[ "$USE_FQDN" -eq 1 ]] && ! getent ahosts "$t" &>/dev/null; then
+		echo "SKIP (DNS unresolved — add UDM/local DNS or /etc/hosts; see scripts/verify/check-proxmox-mgmt-fqdn.sh --print-hosts)"
+		fail=1
+		continue
+	fi
+	_tmp="$(mktemp)"
+	if ssh "${SSH_OPTS[@]}" "${SSH_USER}@${t}" "hostname -f 2>/dev/null || hostname" &>"$_tmp"; then
+		echo "OK ($(tr -d '\r\n' <"$_tmp"))"
+	else
+		echo "FAIL"
+		sed 's/^/  /' "$_tmp" | head -3
+		fail=1
+	fi
+	rm -f "$_tmp"
+done
+
+if [[ "$DO_COPY" -eq 1 ]]; then
+	if [[ -z "$PUB" || ! -f "$PUB" ]]; then
+		echo "[ERROR] No public key found; set SSH_KEY=path/to/id_*.pub"
+		exit 1
+	fi
+	echo ""
+	echo "=== ssh-copy-id (interactive; password per host) ==="
+	for t in "${targets[@]}"; do
+		if [[ "$USE_FQDN" -eq 1 ]] && ! getent ahosts "$t" &>/dev/null; then
+			echo "[SKIP] $t (unresolved)"
+			continue
+		fi
+		echo "--- $t ---"
+		ssh-copy-id -i "$PUB" -o StrictHostKeyChecking=accept-new "${SSH_USER}@${t}" || true
+	done
+fi
+
+exit "$fail"