task 297: lock down default ingress rules

author: Paul Buetow <paul@buetow.org> 2026-03-20 12:27:24 +0200
committer: Paul Buetow <paul@buetow.org> 2026-03-20 12:27:24 +0200
commit: b5271e79dfca05e9745b66c3b8b096ee21a833c3 (patch)
tree: 39b6893cc403c1d94a1fd44314d411624356084d /snippets/hyperstack/hyperstack-vm.toml
parent: 79797aea15b44272fd099ea0611a74497b3200ca (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/snippets/hyperstack/hyperstack-vm.toml b/snippets/hyperstack/hyperstack-vm.toml
index e23294f..e82c97f 100644
--- a/snippets/hyperstack/hyperstack-vm.toml
+++ b/snippets/hyperstack/hyperstack-vm.toml
@@ -31,12 +31,14 @@ connect_timeout_sec = 10
 [network]
 wireguard_udp_port = 56710
 wireguard_subnet = "192.168.3.0/24"
+# Secure default: "auto" resolves your current public egress IP to /32 at runtime.
+# Override with explicit CIDRs if you deploy from multiple networks or want broader access.
+allowed_ssh_cidrs = ["auto"]
+allowed_wireguard_cidrs = ["auto"]
 # Port 11434 is shared by both Ollama and vLLM for firewall compatibility.
 ollama_port = 11434
 # Port 4000: LiteLLM Anthropic-API proxy (used with vLLM).
 litellm_port = 4000
-allowed_ssh_cidrs = ["0.0.0.0/0"]
-allowed_wireguard_cidrs = ["0.0.0.0/0"]
 
 [bootstrap]
 enable_guest_bootstrap = true
author	Paul Buetow <paul@buetow.org>	2026-03-20 12:27:24 +0200
committer	Paul Buetow <paul@buetow.org>	2026-03-20 12:27:24 +0200
commit	b5271e79dfca05e9745b66c3b8b096ee21a833c3 (patch)
tree	39b6893cc403c1d94a1fd44314d411624356084d /snippets/hyperstack/hyperstack-vm.toml
parent	79797aea15b44272fd099ea0611a74497b3200ca (diff)