commit 55a1765582d2083554e2698e0e7aa33576350ea4 Author: Storm Dragon Date: Thu Apr 16 15:48:19 2026 -0400 docs: add configure-server cleanup design diff --git a/docs/superpowers/specs/2026-04-16-server-firewall-cleanup-design.md b/docs/superpowers/specs/2026-04-16-server-firewall-cleanup-design.md new file mode 100644 index 0000000..486af06 --- /dev/null +++ b/docs/superpowers/specs/2026-04-16-server-firewall-cleanup-design.md @@ -0,0 +1,89 @@ +# Configure-Server Cleanup And Firewall Design + +## Goal + +Turn this repository from a copied `configure-stormux` launcher into a minimal server-focused entrypoint that starts where the conversion process leaves off. For the first pass, the top-level interface should expose only firewall management and exit. + +## Current State + +`configure-server.sh` is still structured like the workstation-oriented `configure-stormux` script. Most menu entries and helper includes target desktop, accessibility, gaming, or first-boot setup behavior that should already be complete before this tool is run. The only server-specific behavior is `.includes/convert-to-server.sh`, which is a destructive one-shot conversion script rather than an ongoing management interface. + +## Scope + +This change covers: + +- Reworking `configure-server.sh` into a server-specific launcher. +- Adding a dedicated firewall submenu implemented in a new `.includes/firewall.sh`. +- Removing obsolete `.includes` scripts that are no longer used by the server launcher. +- Updating touched user-facing strings from `configure-stormux` or `Stormux` phrasing where it materially improves correctness for this repo. + +This change does not cover: + +- User management. +- Nginx or other service setup. +- Advanced firewall rule editing beyond basic allow/status/enable/disable flows. +- Reusing `.includes/convert-to-server.sh` from the main menu. + +## Top-Level Interface + +The top-level menu in `configure-server.sh` will contain exactly: + +- `Firewall` +- `Exit` + +Selecting `Firewall` will source `.includes/firewall.sh`. Selecting `Exit` or cancelling the menu will terminate the script cleanly. + +## Firewall Submenu + +The firewall submenu is intentionally narrow and dialog-driven. It will provide: + +- `Install ufw` +- `Enable firewall` +- `Disable firewall` +- `Allow SSH` +- `Open custom port` +- `View status` +- `Back` + +Behavior details: + +- `Install ufw` installs the package only if it is not already present. +- `Enable firewall` runs `ufw enable`. +- `Disable firewall` runs `ufw disable`. +- `Allow SSH` allows the current OpenSSH port if detectable from `sshd_config` or `sshd_config.d`; otherwise it falls back to port `22/tcp`. +- `Open custom port` prompts for either a bare port such as `80` or an explicit `port/protocol` string such as `443/tcp` and validates the input before calling `ufw allow`. +- `View status` shows `ufw status verbose` in a dialog-friendly text view. + +## File Boundaries + +- `configure-server.sh` + - Owns startup checks, logging, shared include loading, and the top-level menu loop. +- `.includes/firewall.sh` + - Owns the firewall submenu and firewall-specific helper functions. +- `.includes/functions.sh` + - Continues to own shared helpers still used by the launcher or firewall flow. +- `.includes/ui.sh` + - Continues to own dialog wrapper functions. + +Obsolete include files that are no longer referenced by the top-level server launcher will be deleted as part of this cleanup. + +## Cleanup Rules + +- Remove menu options and code paths tied to desktop setup, screen readers, gaming, IRC help, GUI installs, EEPROM updates, timezone setup, first-user renaming, or the old conversion step. +- Delete the corresponding unused `.includes` scripts from the repository rather than leaving dead files behind. +- Keep changes scoped to this server cleanup and firewall addition; do not add placeholders for future subsystems. + +## Error Handling + +- Missing `ufw` will be reported clearly for actions that require it, with `Install ufw` available as the explicit fix path. +- Invalid custom port input will show a message and return to the firewall menu without applying a rule. +- Commands that require privilege will continue using the existing `sudoFlags` handling. + +## Verification + +Verification for this change will be limited to the narrowest relevant shell checks: + +- `bash -n` on each edited shell script. +- `shellcheck` on each edited shell script. + +No runtime firewall manipulation will be claimed as verified unless it is actually executed in this environment.