7545a164e5
This commit addresses every shellcheck warning (severity: warning and
above) across the project's shell scripts. Only SC1091 info-level
notices remain (sourced files not available during static analysis),
which is expected and unavoidable in the Docker build workflow.
Changes by file:
src/build-iso.sh
- Replace Unicode checkmark/cross characters (✓, ✗) with ASCII
equivalents (PASS:, FAIL:) to eliminate commitBuffer encoding errors
- Replace useless `cat | cut` pipeline with direct file redirect
(`cut -d' ' -f1 < file`), resolving SC2002
src/security-hardening.sh
- Pass optional arguments through the function call chain in
apply_security_hardening() to resolve SC2119/SC2120 (functions
reference $1 but are called without arguments)
src/firewall-setup.sh
- Pass optional arguments through apply_firewall() in main() to
resolve SC2119/SC2120
config/hooks/installed/encryption-setup.sh
- Consolidate four individual `echo >> file` redirects into a single
`{ cmd1; cmd2; } >> file` block, resolving SC2129
- Add shellcheck disable directive for intentional SC2016 in sed
command (single quotes are required by sed, not a mistake)
config/hooks/installed/encryption-validation.sh
- Replace remaining Unicode checkmark characters with ASCII
Verification:
shellcheck --severity=warning src/*.sh config/hooks/**/*.sh
=> zero warnings, zero errors
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
82 lines
2.0 KiB
Bash
Executable File
82 lines
2.0 KiB
Bash
Executable File
#!/bin/bash
|
|
# Dynamic firewall setup script
|
|
set -euo pipefail
|
|
|
|
# Function to parse WireGuard endpoint
|
|
parse_wg_endpoint() {
|
|
local wg_config="${1:-/etc/wireguard/wg0.conf}"
|
|
|
|
if [[ ! -f $wg_config ]]; then
|
|
echo "Error: WireGuard config not found at $wg_config"
|
|
return 1
|
|
fi
|
|
|
|
grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
|
|
echo "Error: Could not parse endpoint from WireGuard config"
|
|
return 1
|
|
}
|
|
}
|
|
|
|
# Function to generate nftables rules
|
|
generate_nftables_rules() {
|
|
local endpoint="$1"
|
|
local ip="${endpoint%:*}"
|
|
local port="${endpoint#*:}"
|
|
|
|
cat <<EOF
|
|
#!/usr/sbin/nft -f
|
|
# Secure firewall rules for WireGuard-only access
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop
|
|
iif lo accept comment "Accept loopback"
|
|
icmp type echo-request accept comment "Accept ping"
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy drop
|
|
oif lo accept comment "Accept loopback"
|
|
udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
|
|
icmp type echo-request accept comment "Allow ping"
|
|
}
|
|
}
|
|
EOF
|
|
}
|
|
|
|
# Function to apply firewall configuration
|
|
apply_firewall() {
|
|
local wg_config="${1:-/etc/wireguard/wg0.conf}"
|
|
|
|
if [[ -f $wg_config ]]; then
|
|
endpoint=$(parse_wg_endpoint "$wg_config")
|
|
if [[ -n $endpoint ]]; then
|
|
generate_nftables_rules "$endpoint" >/etc/nftables.conf
|
|
systemctl enable nftables
|
|
systemctl restart nftables
|
|
echo "Firewall configured for endpoint: $endpoint"
|
|
else
|
|
echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
|
|
fi
|
|
else
|
|
echo "Warning: WireGuard config not found, using default deny policy"
|
|
fi
|
|
}
|
|
|
|
# Main setup
|
|
main() {
|
|
echo "Setting up dynamic firewall..."
|
|
apply_firewall "$@"
|
|
echo "Firewall setup completed."
|
|
}
|
|
|
|
# Run main if script is executed directly
|
|
if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
|
|
main "$@"
|
|
fi
|