47 lines
1.2 KiB
Bash
Executable File
47 lines
1.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
TARGET_HOST="${TARGET_HOST:-149.50.96.162}"
|
|
TARGET_USER="${TARGET_USER:-user}"
|
|
SSH_PORT="${SSH_PORT:-22}"
|
|
SSH_IDENTITY_FILE="${SSH_IDENTITY_FILE:-}"
|
|
PUBLIC_IFACE="${PUBLIC_IFACE:-enp6s0}"
|
|
|
|
ssh_target() {
|
|
local -a cmd=(ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -p "$SSH_PORT")
|
|
if [ -n "$SSH_IDENTITY_FILE" ]; then
|
|
cmd+=(-i "$SSH_IDENTITY_FILE")
|
|
fi
|
|
cmd+=("${TARGET_USER}@${TARGET_HOST}")
|
|
cmd+=("$@")
|
|
"${cmd[@]}"
|
|
}
|
|
|
|
remote_rule_present() {
|
|
local pattern="$1"
|
|
ssh_target "sudo ufw status numbered | grep -F -- $(printf '%q' "$pattern") >/dev/null"
|
|
}
|
|
|
|
ensure_rule() {
|
|
local port="$1"
|
|
local comment="$2"
|
|
local pattern="${port}/tcp on ${PUBLIC_IFACE}"
|
|
if remote_rule_present "$pattern"; then
|
|
echo "ufw rule already present: ${pattern}"
|
|
else
|
|
ssh_target "sudo ufw allow in on ${PUBLIC_IFACE} to any port ${port} proto tcp comment '${comment}'"
|
|
echo "added ufw rule: ${pattern}"
|
|
fi
|
|
}
|
|
|
|
ensure_rule 80 trade-public-http
|
|
ensure_rule 443 trade-public-https
|
|
|
|
echo
|
|
echo "[ufw]"
|
|
ssh_target "sudo ufw status numbered"
|
|
|
|
echo
|
|
echo "[listeners]"
|
|
ssh_target "sudo ss -ltn '( sport = :80 or sport = :443 )' || true"
|