path: root/snippets/hyperstack/README.md
author Paul Buetow <paul@buetow.org> 2026-03-20 12:27:24 +0200
committer Paul Buetow <paul@buetow.org> 2026-03-20 12:27:24 +0200
commit b5271e79dfca05e9745b66c3b8b096ee21a833c3
tree 39b6893cc403c1d94a1fd44314d411624356084d /snippets/hyperstack/README.md
parent 79797aea15b44272fd099ea0611a74497b3200ca
task 297: lock down default ingress rules
Diffstat (limited to 'snippets/hyperstack/README.md')
-rw-r--r-- snippets/hyperstack/README.md 7
1 files changed, 7 insertions, 0 deletions
diff --git a/snippets/hyperstack/README.md b/snippets/hyperstack/README.md
index 9e196a8..6175d61 100644
--- a/snippets/hyperstack/README.md
+++ b/snippets/hyperstack/README.md
@@ -26,6 +26,9 @@ The VM gets `192.168.3.1`; your local machine gets `192.168.3.2`.
- Hyperstack account with API key in `~/.hyperstack`
- SSH key registered in Hyperstack as `earth` (or change `ssh.hyperstack_key_name` in the TOML)
+- Review `[network].allowed_ssh_cidrs` and `[network].allowed_wireguard_cidrs` in your TOML.
+ The secure default is `["auto"]`, which resolves your current public egress IP to `/32`.
+ Set explicit CIDRs or `HYPERSTACK_OPERATOR_CIDR` if you deploy from a different network.
- WireGuard setup script: `wg1-setup.sh` (present in this directory)
- Ruby with `toml-rb` gem: `bundle install`
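Review bot: The new prerequisite bullet does not say what happens when `["auto"]` cannot determine the public egress IP, which is the case a reader most needs documented for a default that controls SSH and WireGuard ingress. Please state here whether a failed lookup aborts the run or results in some other rule being applied, and mention that an operator whose address changes after the rule is created (not only one who "deploys from a different network") has to re-run or set explicit CIDRs. The "to `/32`" wording also assumes an IPv4 egress address; say what is produced when the detected address is IPv6, or that only IPv4 is supported.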
@@ -124,6 +127,10 @@ Edit `hyperstack-vm.toml` to change defaults. Key sections:
| `[network]` | Ports, WireGuard subnet, allowed CIDRs |
| `[wireguard]` | Auto-setup script path |
+`allowed_ssh_cidrs` and `allowed_wireguard_cidrs` accept either explicit CIDRs such as
+`["203.0.113.4/32"]` or `["auto"]`. `auto` resolves the current public operator IP at runtime;
+set `HYPERSTACK_OPERATOR_CIDR` to override that detection when needed.
+
## Monitoring vLLM
```bash
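Review bot: The paragraph added after the config table leaves the precedence between the TOML lists and `HYPERSTACK_OPERATOR_CIDR` unstated: "override that detection" suggests the variable only replaces what `auto` would resolve to, but the prerequisites bullet in the earlier hunk reads as if it were an alternative to explicit CIDRs. Please spell out whether the variable affects lists that contain only explicit CIDRs, whether `auto` may be combined with explicit entries in the same list, and what format the variable takes (a single CIDR or several). "When needed" could be replaced by the concrete cases, for example deploying from behind a VPN or from a host other than the one that will connect. Since this text largely repeats the prerequisites bullet, consider keeping the full description here and having the bullet point to it.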