From b5271e79dfca05e9745b66c3b8b096ee21a833c3 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Fri, 20 Mar 2026 12:27:24 +0200
Subject: task 297: lock down default ingress rules
---
 snippets/hyperstack/hyperstack-vm1.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'snippets/hyperstack/hyperstack-vm1.toml')
diff --git a/snippets/hyperstack/hyperstack-vm1.toml b/snippets/hyperstack/hyperstack-vm1.toml
index c5c940a..1b116bd 100644
--- a/snippets/hyperstack/hyperstack-vm1.toml
+++ b/snippets/hyperstack/hyperstack-vm1.toml
@@ -35,12 +35,14 @@ wireguard_subnet = "192.168.3.0/24"
 # VM1 gets the first server-side WireGuard IP (gateway address + 0).
 # earth (client) is 192.168.3.2; VM1 is 192.168.3.1; VM2 is 192.168.3.3.
 wireguard_server_ip = "192.168.3.1"
+# Secure default: "auto" resolves your current public egress IP to /32 at runtime.
+# Override with explicit CIDRs if you deploy from multiple networks or want broader access.
+allowed_ssh_cidrs = ["auto"]
+allowed_wireguard_cidrs = ["auto"]
 # Port 11434 is shared by both Ollama and vLLM for firewall compatibility.
 ollama_port = 11434
 # Port 4000: LiteLLM Anthropic-API proxy (used with vLLM).
 litellm_port = 4000
-allowed_ssh_cidrs = ["0.0.0.0/0"]
-allowed_wireguard_cidrs = ["0.0.0.0/0"]
 
 [bootstrap]
 enable_guest_bootstrap = true
-- 
cgit v1.2.3
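Review bot: The new comment above `allowed_ssh_cidrs` does not say what happens when the "auto" lookup fails or when the operator's egress IP changes after the rules are created, and both matter for a default that gates SSH and WireGuard. If the resolver behaves that way, I would add a line such as `# "auto" is pinned when the rules are created; re-run after your public IP changes. A failed lookup aborts instead of widening access.` The resolver itself is not visible in this hunk, so it is worth confirming that it fails closed and never falls back to `0.0.0.0/0`. A /32 on a shared NAT or VPN egress still admits every host behind that address, which the comment could state so "auto" is not read as a per-user restriction. The hunk shows no matching allow-list for `ollama_port` or `litellm_port`; whether those ports are reachable outside the WireGuard tunnel is decided outside the lines shown and should be checked alongside this change.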