# Configure-Server Cleanup And Firewall Design ## Goal Turn this repository from a copied `configure-stormux` launcher into a minimal server-focused entrypoint that starts where the conversion process leaves off. For the first pass, the top-level interface should expose only firewall management and exit. ## Current State `configure-server.sh` is still structured like the workstation-oriented `configure-stormux` script. Most menu entries and helper includes target desktop, accessibility, gaming, or first-boot setup behavior that should already be complete before this tool is run. The only server-specific behavior is `.includes/convert-to-server.sh`, which is a destructive one-shot conversion script rather than an ongoing management interface. ## Scope This change covers: - Reworking `configure-server.sh` into a server-specific launcher. - Adding a dedicated firewall submenu implemented in a new `.includes/firewall.sh`. - Removing obsolete `.includes` scripts that are no longer used by the server launcher. - Updating touched user-facing strings from `configure-stormux` or `Stormux` phrasing where it materially improves correctness for this repo. This change does not cover: - User management. - Nginx or other service setup. - Advanced firewall rule editing beyond basic allow/status/enable/disable flows. - Reusing `.includes/convert-to-server.sh` from the main menu. ## Top-Level Interface The top-level menu in `configure-server.sh` will contain exactly: - `Firewall` - `Exit` Selecting `Firewall` will source `.includes/firewall.sh`. Selecting `Exit` or cancelling the menu will terminate the script cleanly. ## Firewall Submenu The firewall submenu is intentionally narrow and dialog-driven. It will provide: - `Install ufw` - `Enable firewall` - `Disable firewall` - `Allow SSH` - `Open custom port` - `View status` - `Back` Behavior details: - `Install ufw` installs the package only if it is not already present. - `Enable firewall` runs `ufw enable`. - `Disable firewall` runs `ufw disable`. - `Allow SSH` allows the current OpenSSH port if detectable from `sshd_config` or `sshd_config.d`; otherwise it falls back to port `22/tcp`. - `Open custom port` prompts for either a bare port such as `80` or an explicit `port/protocol` string such as `443/tcp` and validates the input before calling `ufw allow`. - `View status` shows `ufw status verbose` in a dialog-friendly text view. ## File Boundaries - `configure-server.sh` - Owns startup checks, logging, shared include loading, and the top-level menu loop. - `.includes/firewall.sh` - Owns the firewall submenu and firewall-specific helper functions. - `.includes/functions.sh` - Continues to own shared helpers still used by the launcher or firewall flow. - `.includes/ui.sh` - Continues to own dialog wrapper functions. Obsolete include files that are no longer referenced by the top-level server launcher will be deleted as part of this cleanup. ## Cleanup Rules - Remove menu options and code paths tied to desktop setup, screen readers, gaming, IRC help, GUI installs, EEPROM updates, timezone setup, first-user renaming, or the old conversion step. - Delete the corresponding unused `.includes` scripts from the repository rather than leaving dead files behind. - Keep changes scoped to this server cleanup and firewall addition; do not add placeholders for future subsystems. ## Error Handling - Missing `ufw` will be reported clearly for actions that require it, with `Install ufw` available as the explicit fix path. - Invalid custom port input will show a message and return to the firewall menu without applying a rule. - Commands that require privilege will continue using the existing `sudoFlags` handling. ## Verification Verification for this change will be limited to the narrowest relevant shell checks: - `bash -n` on each edited shell script. - `shellcheck` on each edited shell script. No runtime firewall manipulation will be claimed as verified unless it is actually executed in this environment.