# Configure-Server Cleanup And Firewall Design

## Goal

Turn this repository from a copied `configure-stormux` launcher into a minimal server-focused entrypoint that starts where the conversion process leaves off. For the first pass, the top-level interface should expose only firewall management and exit.

## Current State

`configure-server.sh` is still structured like the workstation-oriented `configure-stormux` script. Most menu entries and helper includes target desktop, accessibility, gaming, or first-boot setup behavior that should already be complete before this tool is run. The only server-specific behavior is `.includes/convert-to-server.sh`, which is a destructive one-shot conversion script rather than an ongoing management interface.

## Scope

This change covers:

- Reworking `configure-server.sh` into a server-specific launcher.
- Adding a dedicated firewall submenu implemented in a new `.includes/firewall.sh`.
- Removing obsolete `.includes` scripts that are no longer used by the server launcher.
- Updating user-facing strings in touched code that still use `configure-stormux` or `Stormux` phrasing, where doing so materially improves correctness for this repo.

This change does not cover:

- User management.
- Nginx or other service setup.
- Advanced firewall rule editing beyond basic allow/status/enable/disable flows.
- Reusing `.includes/convert-to-server.sh` from the main menu.

## Top-Level Interface

The top-level menu in `configure-server.sh` will contain exactly:

- `Firewall`
- `Exit`

Selecting `Firewall` will source `.includes/firewall.sh`. Selecting `Exit` or cancelling the menu will terminate the script cleanly.

## Firewall Submenu

The firewall submenu is intentionally narrow and dialog-driven. It will provide:

- `Install ufw`
- `Enable firewall`
- `Disable firewall`
- `Allow SSH`
- `Open custom port`
- `View status`
- `Back`

Behavior details:

- `Install ufw` installs the package only if it is not already present.
- `Enable firewall` runs `ufw enable`.
- `Disable firewall` runs `ufw disable`.
- `Allow SSH` allows the current OpenSSH port if detectable from `sshd_config` or `sshd_config.d`; otherwise it falls back to port `22/tcp`.
- `Open custom port` prompts for either a bare port such as `80` or an explicit `port/protocol` string such as `443/tcp` and validates the input before calling `ufw allow`.
- `View status` shows `ufw status verbose` in a dialog-friendly text view.
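The two checks behind `Allow SSH` and `Open custom port`, as an added example that is not the repository's `.includes/firewall.sh`: the function names, the optional config-directory argument, and the sample `sshd_config` tree are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example (not the repository's own code): input validation for "Open custom port"
# and SSH port detection for "Allow SSH". Function names and the config-dir argument are
# assumptions; nothing here calls ufw, it only produces the argument ufw allow would get.

# Normalise custom port input: bare port ("80" -> "80") or port/proto ("443/tcp" -> "443/tcp").
# Returns 1 and prints nothing for anything else, so the caller can report and return to the menu.
validate_port_spec() {
  local input="$1" port proto has_proto=0
  case "$input" in
    */*) port="${input%%/*}"; proto="${input#*/}"; has_proto=1 ;;
    *)   port="$input" ;;
  esac
  # Port: decimal digits only, at most 5 of them, value 1-65535 (leading zeros stripped).
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#port}" -le 5 ] || return 1
  while [ "${#port}" -gt 1 ] && [ "${port#0}" != "$port" ]; do port="${port#0}"; done
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  if [ "$has_proto" -eq 1 ]; then
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    printf '%s/%s\n' "$port" "$proto"
  else
    printf '%s\n' "$port"
  fi
}

# Print "<port>/tcp" for the SSH daemon: first Port directive from sshd_config.d/*.conf, then
# sshd_config (stock configs Include the drop-ins first and OpenSSH keeps the first value seen).
# Falls back to 22/tcp. Commented-out directives are skipped; Match blocks are not handled.
detect_ssh_port() {
  local dir="${1:-/etc/ssh}" f port=""
  for f in "$dir"/sshd_config.d/*.conf "$dir/sshd_config"; do
    [ -f "$f" ] || continue
    port=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; exit }' "$f")
    [ -n "$port" ] && break
  done
  printf '%s/tcp\n' "${port:-22}"
}

# Constructed sample tree so the example runs offline without reading /etc/ssh.
demo=$(mktemp -d)
mkdir -p "$demo/sshd_config.d"
printf '#Port 22\nPermitRootLogin no\n' > "$demo/sshd_config"
printf 'Port 2222\n' > "$demo/sshd_config.d/10-port.conf"
echo "SSH rule: $(detect_ssh_port "$demo")"   # 2222/tcp
for spec in 80 443/tcp 0443/udp 70000 22/icmp "80 443" "80/"; do
  if out=$(validate_port_spec "$spec"); then echo "ok  '$spec' -> $out"; else echo "bad '$spec'"; fi
done
rm -r -- "$demo"
```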

## File Boundaries

- `configure-server.sh`
  - Owns startup checks, logging, shared include loading, and the top-level menu loop.
- `.includes/firewall.sh`
  - Owns the firewall submenu and firewall-specific helper functions.
- `.includes/functions.sh`
  - Continues to own shared helpers still used by the launcher or firewall flow.
- `.includes/ui.sh`
  - Continues to own dialog wrapper functions.

Obsolete include files that are no longer referenced by the top-level server launcher will be deleted as part of this cleanup.

## Cleanup Rules

- Remove menu options and code paths tied to desktop setup, screen readers, gaming, IRC help, GUI installs, EEPROM updates, timezone setup, first-user renaming, or the old conversion step.
- Delete the corresponding unused `.includes` scripts from the repository rather than leaving dead files behind.
- Keep changes scoped to this server cleanup and firewall addition; do not add placeholders for future subsystems.

## Error Handling

- Missing `ufw` will be reported clearly for actions that require it, with `Install ufw` available as the explicit fix path.
- Invalid custom port input will show a message and return to the firewall menu without applying a rule.
- Commands that require privilege will continue using the existing `sudoFlags` handling.

## Verification

Verification for this change will be limited to the narrowest relevant shell checks:

- `bash -n` on each edited shell script.
- `shellcheck` on each edited shell script.

No runtime firewall manipulation will be claimed as verified unless it is actually executed in this environment.