@ebowwa/hetzner 0.2.2 → 0.3.1

package/bootstrap/cloud-init.ts

@@ -1,394 +0,0 @@
-/**
- * Cloud-Init Bootstrap Generator
- *
- * Generates cloud-init YAML scripts for first-boot server provisioning.
- * Handles seed repository installation and initial setup.
- *
- * Security Integration:
- * This module integrates all security modules in the correct order:
- * 1. UFW Firewall (network-level defense)
- * 2. Kernel Hardening (system-level hardening)
- * 3. SSH Hardening (service-level hardening)
- * 4. Security Audit (verification and reporting)
- */
-
-import {
-  sshdHardeningPackages,
-  sshdHardeningWriteFiles,
-  sshdHardeningRunCmd,
-} from "./ssh-hardening";
-import {
-  ufwFirewallPackages,
-  ufwFirewallWriteFiles,
-  ufwFirewallRunCmd,
-  DEFAULT_UFW_WORKER_OPTIONS,
-} from "./firewall";
-import {
-  kernelHardeningPackages,
-  kernelHardeningWriteFiles,
-  kernelHardeningRunCmd,
-} from "./kernel-hardening";
-import {
-  securityAuditPackages,
-  securityAuditWriteFiles,
-  securityAuditRunCmd,
-} from "./security-audit";
-
-export interface BootstrapOptions {
-  /** Seed repository URL (default: https://github.com/ebowwa/seed) */
-  seedRepo?: string;
-  /** Seed repository branch (default: dev) */
-  seedBranch?: string;
-  /** Installation path (default: /root/seed) */
-  seedPath?: string;
-  /** Whether to run setup.sh non-interactively (default: true) */
-  runSetup?: boolean;
-  /** Additional environment variables for setup.sh */
-  setupEnv?: Record<string, string>;
-  /** Additional packages to install */
-  packages?: string[];
-  /** Additional commands to run after seed installation */
-  additionalCommands?: string[];
-  /** Enable security hardening (default: true) */
-  enableSecurity?: boolean;
-}
-
-/**
- * Generate a cloud-init YAML script for seed installation
- *
- * @param options - Bootstrap configuration options
- * @returns Cloud-init YAML string
- */
-export function generateSeedBootstrap(options: BootstrapOptions = {}): string {
-  const {
-    seedRepo = "https://github.com/ebowwa/seed",
-    seedBranch = "dev",
-    seedPath = "/root/seed",
-    runSetup = true,
-    setupEnv = {},
-    packages = [],
-    additionalCommands = [],
-    enableSecurity = true,
-  } = options;
-
-  const lines: string[] = [];
-
-  // Cloud-config header
-  lines.push("#cloud-config");
-  lines.push("");
-
-  // System updates
-  lines.push("# Update system packages");
-  lines.push("package_update: true");
-  lines.push("package_upgrade: true");
-  lines.push("");
-
-  // Required packages
-  lines.push("# Install required packages");
-  lines.push("packages:");
-  lines.push("  - git");
-  lines.push("  - curl");
-  lines.push("  - jq");
-  lines.push("  - unzip");
-  lines.push("  - tmux");
-
-  // Security Module 1: UFW Firewall packages
-  if (enableSecurity) {
-    lines.push("  # Security: UFW Firewall");
-    lines.push(...ufwFirewallPackages());
-  }
-
-  // Security Module 2: Kernel hardening packages
-  if (enableSecurity) {
-    lines.push("  # Security: Kernel hardening");
-    lines.push(...kernelHardeningPackages());
-  }
-
-  // Security Module 3: SSH hardening packages (fail2ban)
-  if (enableSecurity) {
-    lines.push("  # Security: SSH hardening");
-    lines.push(...sshdHardeningPackages());
-  }
-
-  // Security Module 4: Security audit packages (lynis)
-  if (enableSecurity) {
-    lines.push("  # Security: Security audit");
-    lines.push(...securityAuditPackages());
-  }
-
-  // Add additional packages
-  for (const pkg of packages) {
-    lines.push(`  - ${pkg}`);
-  }
-  lines.push("");
-
-  // Status tracking file
-  lines.push("# Write bootstrap status file");
-  lines.push("write_files:");
-  lines.push("  - path: /root/.bootstrap-status");
-  lines.push("    owner: root:root");
-  lines.push("    permissions: '0644'");
-  lines.push("    content: |");
-  lines.push("      status=started");
-  lines.push("      started_at=$(date -Iseconds)");
-  lines.push("      source=cloud-init");
-  if (enableSecurity) {
-    lines.push("      security=enabled");
-  }
-  lines.push("");
-
-  // Add bun to system-wide PATH via /etc/environment
-  // NOTE: /etc/environment uses simple KEY="value" format (no variables, no comments)
-  // We need to replace PATH rather than append, and include all standard paths
-  lines.push("  # Add bun to /etc/environment for all users/shells");
-  lines.push("  # Format: Simple KEY=\"value\" pairs, no variable expansion");
-  lines.push("  - path: /etc/environment");
-  lines.push("    owner: root:root");
-  lines.push("    permissions: '0644'");
-  lines.push("    content: |");
-  lines.push("      PATH=\"/root/.bun/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"");
-  lines.push("");
-
-  // Security Module 1: UFW Firewall configuration files
-  if (enableSecurity) {
-    lines.push("  # Security Module 1: UFW Firewall configuration");
-    lines.push(...ufwFirewallWriteFiles(DEFAULT_UFW_WORKER_OPTIONS));
-  }
-
-  // Security Module 2: Kernel hardening configuration files
-  if (enableSecurity) {
-    lines.push("  # Security Module 2: Kernel hardening");
-    lines.push(...kernelHardeningWriteFiles());
-  }
-
-  // Security Module 3: SSH hardening configuration files
-  if (enableSecurity) {
-    lines.push("  # Security Module 3: SSH hardening");
-    lines.push(...sshdHardeningWriteFiles());
-  }
-
-  // Security Module 4: Security audit script
-  if (enableSecurity) {
-    lines.push("  # Security Module 4: Security audit");
-    lines.push(...securityAuditWriteFiles());
-  }
-
-  // Node-agent systemd service
-  lines.push("  # Node-agent systemd service for Ralph Loop orchestration");
-  lines.push("  - path: /etc/systemd/system/node-agent.service");
-  lines.push("    owner: root:root");
-  lines.push("    permissions: '0644'");
-  lines.push("    content: |");
-  lines.push("      [Unit]");
-  lines.push("      Description=Node Agent for Ralph Loop Orchestration");
-  lines.push("      Documentation=https://github.com/ebowwa/seed");
-  lines.push("      After=network-online.target");
-  lines.push("      Wants=network-online.target");
-  lines.push("");
-  lines.push("      [Service]");
-  lines.push("      Type=simple");
-  lines.push("      User=root");
-  lines.push(`      WorkingDirectory=${seedPath}/node-agent`);
-  lines.push("      ExecStart=/root/.bun/bin/bun run src/index.ts");
-  lines.push(`      EnvironmentFile=-${seedPath}/node-agent/.env`);
-  lines.push("      Environment=PORT=8911");
-  lines.push("      Restart=always");
-  lines.push("      RestartSec=10");
-  lines.push("      StandardOutput=journal");
-  lines.push("      StandardError=journal");
-  lines.push("      SyslogIdentifier=node-agent");
-  lines.push("");
-  // Security hardening for node-agent service
-  if (enableSecurity) {
-    lines.push("      # Security hardening");
-    lines.push("      NoNewPrivileges=true");
-    lines.push("      PrivateTmp=true");
-    lines.push("      ProtectSystem=strict");
-    lines.push("      ProtectHome=true");
-    lines.push("      ReadOnlyPaths=/");
-    lines.push("      ReadWritePaths=/var/log " + seedPath + "/node-agent");
-  }
-  lines.push("");
-  lines.push("      [Install]");
-  lines.push("      WantedBy=multi-user.target");
-  lines.push("");
-
-  // Run commands
-  lines.push("# Bootstrap commands");
-  lines.push("runcmd:");
-
-  // Install Bun and create node symlink
-  lines.push("  # Install Bun");
-  lines.push("  - curl -fsSL https://bun.sh/install | bash");
-  lines.push("  - ln -sf /root/.bun/bin/bun /root/.bun/bin/node  # Create 'node' symlink to bun");
-  lines.push("");
-
-  // Clone seed repository
-  lines.push(`  # Clone seed repository`);
-  lines.push(`  - git clone --depth 1 --branch ${seedBranch} ${seedRepo} ${seedPath}`);
-  lines.push("");
-
-  if (runSetup) {
-    // Build environment variables
-    const envVars = ["NONINTERACTIVE=1", ...Object.entries(setupEnv).map(([k, v]) => `${k}=${v}`)];
-    const envString = envVars.join(" ");
-
-    lines.push(`  # Run seed setup non-interactively`);
-    lines.push(`  - cd ${seedPath} && ${envString} bash ./setup.sh 2>&1 | tee /var/log/seed-setup.log`);
-    lines.push("");
-
-    // Create completion marker
-    lines.push(`  # Mark setup complete`);
-    lines.push(`  - touch ${seedPath}/.seed-setup-complete`);
-    lines.push("");
-  }
-
-  // Additional commands
-  if (additionalCommands.length > 0) {
-    lines.push(`  # Additional custom commands`);
-    for (const cmd of additionalCommands) {
-      lines.push(`  - ${cmd}`);
-    }
-    lines.push("");
-  }
-
-  // Security Module 1: UFW Firewall activation (runs first)
-  if (enableSecurity) {
-    lines.push("  # Security Module 1: Activate UFW Firewall");
-    lines.push(...ufwFirewallRunCmd(DEFAULT_UFW_WORKER_OPTIONS));
-  }
-
-  // Security Module 2: Kernel hardening activation
-  if (enableSecurity) {
-    lines.push("  # Security Module 2: Apply kernel hardening");
-    lines.push(...kernelHardeningRunCmd());
-  }
-
-  // Security Module 3: SSH hardening activation
-  if (enableSecurity) {
-    lines.push("  # Security Module 3: Activate SSH hardening");
-    lines.push(...sshdHardeningRunCmd());
-  }
-
-  // Security Module 4: Security audit (runs last)
-  if (enableSecurity) {
-    lines.push("  # Security Module 4: Run security audit");
-    lines.push(...securityAuditRunCmd());
-  }
-
-  // Mark bootstrap complete
-  lines.push(`  # Mark bootstrap complete`);
-  lines.push(`  - echo "status=complete" >> /root/.bootstrap-status`);
-  lines.push(`  - echo "completed_at=$(date -Iseconds)" >> /root/.bootstrap-status`);
-  if (enableSecurity) {
-    lines.push(`  - echo "security_hardening=applied" >> /root/.bootstrap-status`);
-  }
-  lines.push("");
-  lines.push("  # Start node-agent service");
-  lines.push("  - systemctl daemon-reload");
-  lines.push("  - systemctl enable node-agent");
-  lines.push("  - systemctl start node-agent");
-
-  return lines.join("\n");
-}
-
-/**
- * Generate a minimal cloud-init script that uses #include to fetch from a URL
- *
- * This is useful for larger bootstrap scripts or when you want to update
- * the bootstrap without code changes.
- *
- * @param url - URL to fetch the cloud-init config from
- * @returns Cloud-init YAML string with #include directive
- */
-export function generateRemoteBootstrap(url: string): string {
-  return `#include\n${url}`;
-}
-
-/**
- * Bootstrap configuration presets for common scenarios
- */
-export const BootstrapPresets = {
-  /**
-   * Default seed installation with setup.sh and full security hardening
-   */
-  default: () => generateSeedBootstrap(),
-
-  /**
-   * Seed installation with full security hardening and verbose logging
-   */
-  secure: () =>
-    generateSeedBootstrap({
-      setupEnv: {
-        DEBUG: "1",
-        VERBOSE: "1",
-      },
-    }),
-
-  /**
-   * Seed installation without running setup.sh (useful for debugging)
-   */
-  cloneOnly: () => generateSeedBootstrap({ runSetup: false }),
-
-  /**
-   * Development bootstrap without security hardening (for testing)
-   */
-  development: () =>
-    generateSeedBootstrap({
-      enableSecurity: false,
-      packages: ["htop", "vim", "strace"],
-    }),
-
-  /**
-   * Verbose bootstrap with logging enabled
-   */
-  verbose: () =>
-    generateSeedBootstrap({
-      setupEnv: {
-        DEBUG: "1",
-        VERBOSE: "1",
-      },
-    }),
-} as const;
-
-// Re-export Genesis bootstrap functions
-export {
-  generateGenesisBootstrap,
-  generateRemoteGenesisBootstrap,
-  GenesisBootstrapPresets,
-  type GenesisBootstrapOptions,
-} from "./genesis";
-
-// Re-export SSH hardening components so callers can compose custom
-// cloud-init scripts with hardening baked in (e.g. for non-standard node types)
-export {
-  sshdHardeningPackages,
-  sshdHardeningWriteFiles,
-  sshdHardeningRunCmd,
-} from "./ssh-hardening";
-
-// Re-export UFW firewall components
-export {
-  ufwFirewallPackages,
-  ufwFirewallWriteFiles,
-  ufwFirewallRunCmd,
-  DEFAULT_UFW_WORKER_OPTIONS,
-  DEFAULT_UFW_GENESIS_OPTIONS,
-  generateUFWFirewallForGenesis,
-  generateUFWFirewallForWorker,
-  type UFWFirewallOptions,
-} from "./firewall";
-
-// Re-export kernel hardening components
-export {
-  kernelHardeningPackages,
-  kernelHardeningWriteFiles,
-  kernelHardeningRunCmd,
-} from "./kernel-hardening";
-
-// Re-export security audit components
-export {
-  securityAuditPackages,
-  securityAuditWriteFiles,
-  securityAuditRunCmd,
-} from "./security-audit";

package/bootstrap/firewall.js

@@ -1,292 +0,0 @@
-"use strict";
-/**
- * UFW Firewall Cloud-Init Components
- *
- * Composable cloud-init blocks for securing servers with UFW (Uncomplicated Firewall).
- * Includes: default deny incoming, allow outgoing, rate limiting, and logging.
- *
- * Background: Hetzner public IPs face constant scanning and brute-force attacks.
- * UFW provides a simple interface to iptables/nftables with secure defaults.
- *
- * This module is imported by cloud-init.ts (seed/worker nodes) and genesis.ts
- * (control plane) so every new server gets firewall protection at first boot.
- *
- * Three composable functions return cloud-init line arrays for splicing into
- * the appropriate YAML sections:
- *   - ufwFirewallPackages()    → packages: section
- *   - ufwFirewallWriteFiles()  → write_files: section
- *   - ufwFirewallRunCmd()      → runcmd: section
- *
- * Security Policy:
- *   - Default: deny incoming, allow outgoing (stateful)
- *   - SSH (22): rate limited to prevent brute-force
- *   - HTTP/HTTPS (80/443): allowed for web services
- *   - Node Agent (8911): allowed for internal communication
- *   - Tailscale (41641): allowed for VPN
- *   - Logging: enabled with rate limiting to prevent log flooding
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_UFW_WORKER_OPTIONS = exports.DEFAULT_UFW_GENESIS_OPTIONS = void 0;
-exports.ufwFirewallPackages = ufwFirewallPackages;
-exports.ufwFirewallWriteFiles = ufwFirewallWriteFiles;
-exports.ufwFirewallRunCmd = ufwFirewallRunCmd;
-exports.generateUFWFirewallForGenesis = generateUFWFirewallForGenesis;
-exports.generateUFWFirewallForWorker = generateUFWFirewallForWorker;
-/**
- * Default firewall options for Genesis control plane servers.
- */
-exports.DEFAULT_UFW_GENESIS_OPTIONS = {
-    allowSSHFrom: [], // Empty = allow from anywhere
-    allowHTTP: true,
-    allowHTTPS: true,
-    allowNodeAgent: false, // Genesis doesn't run node-agent
-    verboseLogging: false,
-};
-/**
- * Default firewall options for worker/seed servers.
- */
-exports.DEFAULT_UFW_WORKER_OPTIONS = {
-    allowSSHFrom: [], // Empty = allow from anywhere
-    allowHTTP: false,
-    allowHTTPS: false,
-    allowNodeAgent: true, // Workers run node-agent on port 8911
-    verboseLogging: false,
-};
-/**
- * Packages required for UFW firewall.
- * Returns cloud-init YAML lines for the `packages:` section.
- *
- * - ufw: Uncomplicated Firewall interface to iptables/nftables
- */
-function ufwFirewallPackages() {
-    return [
-        "  - ufw",
-    ];
-}
-/**
- * Files to write at first boot for UFW firewall configuration.
- * Returns cloud-init YAML lines for the `write_files:` section.
- *
- * Drops 2 files onto the server:
- *
- * 1. /etc/ufw/before.rules
- *    - Custom before rules for stateful firewall behavior
- *    - Allows loopback, established/related connections
- *    - Drops invalid packets early
- *
- * 2. /etc/ufw/sysctl.conf
- *    - Enables kernel network security parameters
- *    - IP spoofing protection
- *    - ICMP redirect protection
- *    - Log martian packets
- */
-function ufwFirewallWriteFiles(options) {
-    if (options === void 0) { options = {}; }
-    var lines = [];
-    // 1. UFW before.rules - stateful firewall rules applied before UFW rules
-    lines.push("  # UFW before.rules - stateful firewall and network security");
-    lines.push("  - path: /etc/ufw/before.rules");
-    lines.push("    owner: root:root");
-    lines.push("    permissions: '0644'");
-    lines.push("    content: |");
-    lines.push("      #");
-    lines.push("      # UFW before.rules - applied before UFW rules");
-    lines.push("      #");
-    lines.push("      # Start with the standard configuration");
-    lines.push("      *filter");
-    lines.push("      :ufw-before-input - [0:0]");
-    lines.push("      :ufw-before-output - [0:0]");
-    lines.push("      :ufw-before-forward - [0:0]");
-    lines.push("      :ufw-not-local - [0:0]");
-    lines.push("      # End of lines to adjust");
-    lines.push("");
-    lines.push("      # Allow all on loopback");
-    lines.push("      -A ufw-before-input -i lo -j ACCEPT");
-    lines.push("      -A ufw-before-output -o lo -j ACCEPT");
-    lines.push("");
-    lines.push("      # Drop invalid packets");
-    lines.push("      -A ufw-before-input -m conntrack --ctstate INVALID -j DROP");
-    lines.push("");
-    lines.push("      # Allow established and related connections");
-    lines.push("      -A ufw-before-input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT");
-    lines.push("      -A ufw-before-output -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT");
-    lines.push("");
-    lines.push("      # Allow ICMP messages (required for PMTU discovery)");
-    lines.push("      -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT");
-    lines.push("      -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT");
-    lines.push("      -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT");
-    lines.push("      -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT");
-    lines.push("");
-    lines.push("      # Drop packets with bogus TCP flags (potential scan)");
-    lines.push("      -A ufw-before-input -p tcp --tcp-flags ALL NONE -j DROP");
-    lines.push("      -A ufw-before-input -p tcp --tcp-flags ALL ALL -j DROP");
-    lines.push("");
-    lines.push("      # Commit changes");
-    lines.push("      COMMIT");
-    lines.push("");
-    // 2. UFW sysctl.conf - kernel network security parameters
-    lines.push("  # UFW sysctl.conf - kernel network hardening");
-    lines.push("  - path: /etc/ufw/sysctl.conf");
-    lines.push("    owner: root:root");
-    lines.push("    permissions: '0644'");
-    lines.push("    content: |");
-    lines.push("      #");
-    lines.push("      # UFW sysctl.conf - kernel network security parameters");
-    lines.push("      #");
-    lines.push("");
-    lines.push("      # IP spoofing protection");
-    lines.push("      net/ipv4/conf/all/rp_filter=1");
-    lines.push("      net/ipv4/conf/default/rp_filter=1");
-    lines.push("");
-    lines.push("      # Ignore ICMP redirect messages");
-    lines.push("      net/ipv4/conf/all/accept_redirects=0");
-    lines.push("      net/ipv6/conf/all/accept_redirects=0");
-    lines.push("      net/ipv4/conf/default/accept_redirects=0");
-    lines.push("      net/ipv6/conf/default/accept_redirects=0");
-    lines.push("");
-    lines.push("      # Ignore send redirects");
-    lines.push("      net/ipv4/conf/all/send_redirects=0");
-    lines.push("      net/ipv4/conf/default/send_redirects=0");
-    lines.push("");
-    lines.push("      # Log martian packets (packets with impossible addresses)");
-    lines.push("      net/ipv4/conf/all/log_martians=1");
-    lines.push("      net/ipv4/conf/default/log_martians=1");
-    lines.push("");
-    lines.push("      # SYN cookies protection (SYN flood mitigation)");
-    lines.push("      net/ipv4/tcp_syncookies=1");
-    lines.push("");
-    lines.push("      # Source address verification (spoofing protection)");
-    lines.push("      net/ipv4/conf/all/secure_redirects=1");
-    lines.push("      net/ipv4/conf/default/secure_redirects=1");
-    lines.push("");
-    return lines;
-}
-/**
- * Commands to configure and activate UFW firewall at first boot.
- * Returns cloud-init YAML lines for the `runcmd:` section.
- *
- * Order matters:
- *   1. Set default policies (deny incoming, allow outgoing)
- *   2. Allow loopback interface
- *   3. Allow SSH with rate limiting (prevents brute-force)
- *   4. Allow HTTP/HTTPS if enabled
- *   5. Allow Node Agent port if enabled
- *   6. Allow Tailscale port (required for VPN)
- *   7. Enable logging with rate limiting
- *   8. Enable and reload UFW
- *   9. Display firewall status
- */
-function ufwFirewallRunCmd(options) {
-    if (options === void 0) { options = {}; }
-    var _a = options.allowSSHFrom, allowSSHFrom = _a === void 0 ? [] : _a, _b = options.allowHTTP, allowHTTP = _b === void 0 ? true : _b, _c = options.allowHTTPS, allowHTTPS = _c === void 0 ? true : _c, _d = options.allowNodeAgent, allowNodeAgent = _d === void 0 ? false : _d, _e = options.additionalPorts, additionalPorts = _e === void 0 ? [] : _e, _f = options.verboseLogging, verboseLogging = _f === void 0 ? false : _f;
-    var lines = [];
-    lines.push("  # UFW Firewall: Configure and enable secure firewall");
-    lines.push("");
-    // Set default policies
-    lines.push("  # Set default policies: deny incoming, allow outgoing");
-    lines.push("  - ufw --force reset");
-    lines.push("  - ufw default deny incoming");
-    lines.push("  - ufw default allow outgoing");
-    lines.push("  - ufw default deny forwarded");
-    lines.push("");
-    // Allow loopback
-    lines.push("  # Allow loopback interface");
-    lines.push("  - ufw allow in on lo");
-    lines.push("");
-    // Allow SSH with rate limiting
-    if (allowSSHFrom.length === 0) {
-        // Allow SSH from anywhere with rate limiting
-        lines.push("  # Allow SSH with rate limiting (6 connections in 30 seconds)");
-        lines.push("  - ufw limit 22/tcp comment 'Rate-limited SSH'");
-    }
-    else {
-        // Allow SSH from specific IPs/CIDRs
-        for (var _i = 0, allowSSHFrom_1 = allowSSHFrom; _i < allowSSHFrom_1.length; _i++) {
-            var source = allowSSHFrom_1[_i];
-            lines.push("  - ufw allow from ".concat(source, " to any port 22 proto tcp comment 'SSH from ").concat(source, "'"));
-        }
-    }
-    lines.push("");
-    // Allow HTTP if enabled
-    if (allowHTTP) {
-        lines.push("  # Allow HTTP");
-        lines.push("  - ufw allow 80/tcp comment 'HTTP'");
-    }
-    // Allow HTTPS if enabled
-    if (allowHTTPS) {
-        lines.push("  # Allow HTTPS");
-        lines.push("  - ufw allow 443/tcp comment 'HTTPS'");
-    }
-    lines.push("");
-    // Allow Node Agent port if enabled
-    if (allowNodeAgent) {
-        lines.push("  # Allow Node Agent (internal communication)");
-        lines.push("  - ufw allow 8911/tcp comment 'Node Agent'");
-        lines.push("");
-    }
-    // Allow Tailscale (required for VPN functionality)
-    lines.push("  # Allow Tailscale VPN");
-    lines.push("  - ufw allow 41641/udp comment 'Tailscale'");
-    lines.push("");
-    // Additional ports
-    if (additionalPorts.length > 0) {
-        lines.push("  # Additional custom ports");
-        for (var _g = 0, additionalPorts_1 = additionalPorts; _g < additionalPorts_1.length; _g++) {
-            var portConfig = additionalPorts_1[_g];
-            var protocol = portConfig.protocol || "tcp";
-            var comment = portConfig.comment || "Custom port ".concat(portConfig.port);
-            lines.push("  - ufw allow ".concat(portConfig.port, "/").concat(protocol, " comment '").concat(comment, "'"));
-        }
-        lines.push("");
-    }
-    // Configure logging
-    if (verboseLogging) {
-        lines.push("  # Enable verbose logging");
-        lines.push("  - ufw logging on");
-        lines.push("  - ufw logging high");
-    }
-    else {
-        lines.push("  # Enable rate-limited logging (prevent log flooding)");
-        lines.push("  - ufw logging on");
-        lines.push("  - ufw logging low");
-    }
-    lines.push("");
-    // Enable and reload UFW
-    lines.push("  # Enable and reload UFW");
-    lines.push("  - ufw --force enable");
-    lines.push("  - ufw reload");
-    lines.push("");
-    // Display status
-    lines.push("  # Display firewall status");
-    lines.push("  - ufw status verbose > /var/log/ufw-bootstrap-status.log");
-    lines.push("");
-    return lines;
-}
-/**
- * Generate complete UFW firewall configuration for Genesis servers.
- *
- * @param options - UFW firewall options (uses DEFAULT_UFW_GENESIS_OPTIONS if not provided)
- * @returns Object with packages, writeFiles, and runCmd arrays
- */
-function generateUFWFirewallForGenesis(options) {
-    if (options === void 0) { options = exports.DEFAULT_UFW_GENESIS_OPTIONS; }
-    return {
-        packages: ufwFirewallPackages(),
-        writeFiles: ufwFirewallWriteFiles(options),
-        runCmd: ufwFirewallRunCmd(options),
-    };
-}
-/**
- * Generate complete UFW firewall configuration for worker/seed servers.
- *
- * @param options - UFW firewall options (uses DEFAULT_UFW_WORKER_OPTIONS if not provided)
- * @returns Object with packages, writeFiles, and runCmd arrays
- */
-function generateUFWFirewallForWorker(options) {
-    if (options === void 0) { options = exports.DEFAULT_UFW_WORKER_OPTIONS; }
-    return {
-        packages: ufwFirewallPackages(),
-        writeFiles: ufwFirewallWriteFiles(options),
-        runCmd: ufwFirewallRunCmd(options),
-    };
-}