#!/usr/bin/env bash set -euo pipefail TARGET_HOST="${TARGET_HOST:-149.50.96.162}" TARGET_USER="${TARGET_USER:-user}" SSH_PORT="${SSH_PORT:-22}" SSH_IDENTITY_FILE="${SSH_IDENTITY_FILE:-}" PUBLIC_IFACE="${PUBLIC_IFACE:-enp6s0}" ssh_target() { local -a cmd=(ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -p "$SSH_PORT") if [ -n "$SSH_IDENTITY_FILE" ]; then cmd+=(-i "$SSH_IDENTITY_FILE") fi cmd+=("${TARGET_USER}@${TARGET_HOST}") cmd+=("$@") "${cmd[@]}" } remote_rule_present() { local pattern="$1" ssh_target "sudo ufw status numbered | grep -F -- $(printf '%q' "$pattern") >/dev/null" } ensure_rule() { local port="$1" local comment="$2" local pattern="${port}/tcp on ${PUBLIC_IFACE}" if remote_rule_present "$pattern"; then echo "ufw rule already present: ${pattern}" else ssh_target "sudo ufw allow in on ${PUBLIC_IFACE} to any port ${port} proto tcp comment '${comment}'" echo "added ufw rule: ${pattern}" fi } ensure_rule 80 trade-public-http ensure_rule 443 trade-public-https echo echo "[ufw]" ssh_target "sudo ufw status numbered" echo echo "[listeners]" ssh_target "sudo ss -ltn '( sport = :80 or sport = :443 )' || true"