configure-server/docs/superpowers/specs/2026-04-16-server-firewall-cleanup-design.md
2026-04-16 15:48:19 -04:00

Configure-Server Cleanup And Firewall Design

Goal

Turn this repository from a copied configure-stormux launcher into a minimal server-focused entrypoint that starts where the conversion process leaves off. For the first pass, the top-level interface should expose only firewall management and exit.

Current State

configure-server.sh is still structured like the workstation-oriented configure-stormux script. Most menu entries and helper includes target desktop, accessibility, gaming, or first-boot setup behavior that should already be complete before this tool is run. The only server-specific behavior is .includes/convert-to-server.sh, which is a destructive one-shot conversion script rather than an ongoing management interface.

Scope

This change covers:

  • Reworking configure-server.sh into a server-specific launcher.
  • Adding a dedicated firewall submenu implemented in a new .includes/firewall.sh.
  • Removing obsolete .includes scripts that are no longer used by the server launcher.
  • Updating touched user-facing strings from configure-stormux or Stormux phrasing where it materially improves correctness for this repo.

This change does not cover:

  • User management.
  • Nginx or other service setup.
  • Advanced firewall rule editing beyond basic allow/status/enable/disable flows.
  • Reusing .includes/convert-to-server.sh from the main menu.

Top-Level Interface

The top-level menu in configure-server.sh will contain exactly:

  • Firewall
  • Exit

Selecting Firewall will source .includes/firewall.sh. Selecting Exit or cancelling the menu will terminate the script cleanly.

Firewall Submenu

The firewall submenu is intentionally narrow and dialog-driven. It will provide:

  • Install ufw
  • Enable firewall
  • Disable firewall
  • Allow SSH
  • Open custom port
  • View status
  • Back

Behavior details:

  • Install ufw installs the package only if it is not already present.
  • Enable firewall runs ufw enable.
  • Disable firewall runs ufw disable.
  • Allow SSH allows the current OpenSSH port if detectable from sshd_config or sshd_config.d; otherwise it falls back to port 22/tcp.
  • Open custom port prompts for either a bare port such as 80 or an explicit port/protocol string such as 443/tcp and validates the input before calling ufw allow.
  • View status shows ufw status verbose in a dialog-friendly text view.
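One way the Allow SSH detection (with its 22/tcp fallback) and the custom port validation described above could be written. This is an added example, not code from this repository's .includes/firewall.sh; the function names normalize_port_spec and detect_ssh_ports and the config-directory parameter are assumptions made for illustration.

```shell
# Added example; function names and the directory parameter are hypothetical.

# Accept "80" or "443/tcp"/"443/udp"; print the spec to hand to `ufw allow`.
# Returns 1 for anything else so no rule is applied on bad input.
normalize_port_spec() {
    local port proto
    case "$1" in
        */*) port=${1%%/*}; proto=${1#*/}
             case "$proto" in tcp|udp) ;; *) return 1 ;; esac ;;
        *)   port=$1; proto= ;;
    esac
    # Digits only, no leading zero (also rejects port 0), at most 5 characters.
    case "$port" in ''|*[!0-9]*|0*|??????*) return 1 ;; esac
    [ "$port" -le 65535 ] || return 1
    printf '%s%s\n' "$port" "${proto:+/$proto}"
}

# Print every sshd Port directive found as "port/tcp", or 22/tcp if none.
# $1 is the config directory (default /etc/ssh), a parameter added for testing.
detect_ssh_ports() {
    local dir ports
    dir=${1:-/etc/ssh}
    ports=$({ cat "$dir"/sshd_config "$dir"/sshd_config.d/*.conf 2>/dev/null || true; } |
        awk '{ gsub(/=/, " ") }   # sshd also accepts "Port=2222"
             tolower($1) == "port" && $2 ~ /^[0-9]+$/ &&
             ($2 + 0) >= 1 && ($2 + 0) <= 65535 { printf "%d/tcp\n", $2 }' |
        sort -u)
    printf '%s\n' "${ports:-22/tcp}"
}
```

Because the validator only ever prints digits with an optional /tcp or /udp suffix, its output can be passed to ufw allow as a single quoted argument without further escaping.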

File Boundaries

  • configure-server.sh
    • Owns startup checks, logging, shared include loading, and the top-level menu loop.
  • .includes/firewall.sh
    • Owns the firewall submenu and firewall-specific helper functions.
  • .includes/functions.sh
    • Continues to own shared helpers still used by the launcher or firewall flow.
  • .includes/ui.sh
    • Continues to own dialog wrapper functions.

Obsolete include files that are no longer referenced by the top-level server launcher will be deleted as part of this cleanup.

Cleanup Rules

  • Remove menu options and code paths tied to desktop setup, screen readers, gaming, IRC help, GUI installs, EEPROM updates, timezone setup, first-user renaming, or the old conversion step.
  • Delete the corresponding unused .includes scripts from the repository rather than leaving dead files behind.
  • Keep changes scoped to this server cleanup and firewall addition; do not add placeholders for future subsystems.

Error Handling

  • Missing ufw will be reported clearly for actions that require it, with Install ufw available as the explicit fix path.
  • Invalid custom port input will show a message and return to the firewall menu without applying a rule.
  • Commands that require privilege will continue using the existing sudoFlags handling.

Verification

Verification for this change will be limited to the narrowest relevant shell checks:

  • bash -n on each edited shell script.
  • shellcheck on each edited shell script.

No runtime firewall manipulation will be claimed as verified unless it is actually executed in this environment.