authorPaul Buetow <paul@buetow.org>2026-03-20 12:27:24 +0200
committerPaul Buetow <paul@buetow.org>2026-03-20 12:27:24 +0200
commitb5271e79dfca05e9745b66c3b8b096ee21a833c3 (patch)
tree39b6893cc403c1d94a1fd44314d411624356084d /snippets/hyperstack/hyperstack-vm1.toml
parent79797aea15b44272fd099ea0611a74497b3200ca (diff)
task 297: lock down default ingress rules
Diffstat (limited to 'snippets/hyperstack/hyperstack-vm1.toml')
-rw-r--r--snippets/hyperstack/hyperstack-vm1.toml6
1 files changed, 4 insertions, 2 deletions
diff --git a/snippets/hyperstack/hyperstack-vm1.toml b/snippets/hyperstack/hyperstack-vm1.toml
index c5c940a..1b116bd 100644
--- a/snippets/hyperstack/hyperstack-vm1.toml
+++ b/snippets/hyperstack/hyperstack-vm1.toml
@@ -35,12 +35,14 @@ wireguard_subnet = "192.168.3.0/24"
# VM1 gets the first server-side WireGuard IP (gateway address + 0).
# earth (client) is 192.168.3.2; VM1 is 192.168.3.1; VM2 is 192.168.3.3.
wireguard_server_ip = "192.168.3.1"
+# Secure default: "auto" resolves your current public egress IP to /32 at runtime.
+# Override with explicit CIDRs if you deploy from multiple networks or want broader access.
+allowed_ssh_cidrs = ["auto"]
+allowed_wireguard_cidrs = ["auto"]
# Port 11434 is shared by both Ollama and vLLM for firewall compatibility.
ollama_port = 11434
# Port 4000: LiteLLM Anthropic-API proxy (used with vLLM).
litellm_port = 4000
-allowed_ssh_cidrs = ["0.0.0.0/0"]
-allowed_wireguard_cidrs = ["0.0.0.0/0"]
[bootstrap]
enable_guest_bootstrap = true
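Review bot: The comment above `allowed_ssh_cidrs = ["auto"]` does not say how "auto" is resolved or what happens when resolution fails, and an operator needs both to trust this default. The resolver is not visible in this hunk, so it is worth confirming that a failed lookup aborts the deploy rather than falling back to `0.0.0.0/0`, and stating that here. A /32 taken from the deploying host's egress address also admits every host behind the same NAT or VPN exit, and goes stale when that address changes. Suggested extra comment line: `# "auto" pins ingress to this host's egress IP at runtime; re-apply after an IP change. A shared NAT/VPN exit admits every host behind it.` The same applies to `allowed_wireguard_cidrs` on the following line.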