diff --git a/deploy/README.md b/deploy/README.md index 3d57344..060e481 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -6,6 +6,7 @@ Scripts for setting up a fresh Linux VM to host opencode-devbox. - **`cloud-init.yml`** — cloud-init user-data template for automated VM provisioning on OpenStack, Proxmox, or any cloud with cloud-init support - **`setup-host.sh`** — interactive post-install script for VMs that weren't provisioned with cloud-init +- **`setup-openstack-secgroup.sh`** — creates an OpenStack security group with the right rules (SSH, mosh, ICMP) ## Supported distributions @@ -47,9 +48,29 @@ cd opencode-devbox/deploy - Docker Engine (from Docker's official apt repo, not distro's `docker.io`) - Docker Compose plugin (v2) - `tmux`, `mosh`, `git` -- `ufw` firewall with SSH (22) and mosh (UDP 60000-61000) allowed +- `ufw` firewall with SSH (22) and mosh (UDP 60000-61000) allowed — **skipped on OpenStack** (detected automatically; use security groups instead) - IPv4 DNS preference (works around Docker Hub IPv6 connectivity issues) +## OpenStack security groups + +On OpenStack, firewalling is handled by security groups rather than ufw. The `setup-host.sh` script detects OpenStack automatically and skips ufw configuration. + +To create the required security group: + +```bash +./setup-openstack-secgroup.sh +``` + +This creates a security group named `opencode-devbox` with rules for SSH (TCP 22), mosh (UDP 60000-61000), and ICMP. Apply it to your instance: + +```bash +# New instance +openstack server create --security-group opencode-devbox ... + +# Existing instance +openstack server add security group opencode-devbox +``` + ## VM sizing recommendations | Use case | vCPU | RAM | Disk | diff --git a/deploy/setup-host.sh b/deploy/setup-host.sh index d6ea4df..e343450 100755 --- a/deploy/setup-host.sh +++ b/deploy/setup-host.sh 
@@ -86,15 +86,25 @@ else
 fi
 
 # ── Firewall ────────────────────────────────────────────────────────
-info "Configuring firewall (ufw)..."
-sudo ufw default deny incoming >/dev/null
-sudo ufw default allow outgoing >/dev/null
-sudo ufw allow ssh >/dev/null
-sudo ufw allow 60000:61000/udp comment 'mosh' >/dev/null
-if ! sudo ufw status | grep -q "Status: active"; then
- sudo ufw --force enable
+# Detect OpenStack — if running on OpenStack, skip ufw (security groups handle firewalling)
+SKIP_UFW=false
+if curl -s --connect-timeout 2 http://169.254.169.254/openstack/ &>/dev/null; then
+ SKIP_UFW=true
+ warn "OpenStack detected — skipping ufw (use security groups instead)"
+ warn "Ensure your security group allows: SSH (22/tcp), mosh (60000-61000/udp)"
+fi
+
+if [[ "$SKIP_UFW" == "false" ]]; then
+ info "Configuring firewall (ufw)..."
+ sudo ufw default deny incoming >/dev/null
+ sudo ufw default allow outgoing >/dev/null
+ sudo ufw allow ssh >/dev/null
+ sudo ufw allow 60000:61000/udp comment 'mosh' >/dev/null
+ if ! sudo ufw status | grep -q "Status: active"; then
+ sudo ufw --force enable
+ fi
+ ok "Firewall active — SSH and mosh allowed"
 fi
-ok "Firewall active — SSH and mosh allowed"
 
 # ── IPv4 preference for Docker Hub ──────────────────────────────────
 if ! grep -q 'precedence ::ffff:0:0/96' /etc/gai.conf 2>/dev/null; then
diff --git a/deploy/setup-openstack-secgroup.sh b/deploy/setup-openstack-secgroup.sh
new file mode 100755
index 0000000..4a68562
--- /dev/null
+++ b/deploy/setup-openstack-secgroup.sh
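Review bot: The OpenStack probe on the `if curl -s --connect-timeout 2 http://169.254.169.254/openstack/ &>/dev/null` line fails open: without `-f`, curl exits 0 for any HTTP response, including a 404 or 401, so a host whose provider serves some other metadata service at 169.254.169.254 is taken for OpenStack and ufw is silently skipped, leaving no host firewall at all. Tighten the probe to require a successful fetch of an OpenStack-specific path, `if curl -sf --connect-timeout 2 http://169.254.169.254/openstack/latest/meta_data.json >/dev/null 2>&1; then`, and consider reading an explicit override such as `SKIP_UFW="${SKIP_UFW:-false}"` before the probe so an operator can force either branch. Even on genuine OpenStack, security groups filter at the hypervisor and ufw on the host, so the two can coexist; keeping ufw as defense in depth rather than replacing it would be the safer default. The `fi` at the top of the hunk closes an if/else that starts outside it.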
@@ -0,0 +1,63 @@
+#!/bin/bash
+# setup-openstack-secgroup.sh — Create an OpenStack security group for opencode-devbox
+#
+# Prerequisites:
+# - OpenStack CLI installed (pip install python-openstackclient)
+# - Authenticated (source your openrc.sh or clouds.yaml configured)
+#
+# Usage:
+# ./setup-openstack-secgroup.sh [group-name]
+#
+# Default group name: opencode-devbox
+
+set -euo pipefail
+
+GROUP_NAME="${1:-opencode-devbox}"
+
+BOLD="\033[1m"; GREEN="\033[32m"; YELLOW="\033[33m"; RESET="\033[0m"
+info() { echo -e "${BOLD}==>${RESET} $*"; }
+ok() { echo -e "${GREEN}${BOLD}✓${RESET} $*"; }
+warn() { echo -e "${YELLOW}${BOLD}!${RESET} $*"; }
+
+if ! command -v openstack &>/dev/null; then
+ echo "Error: openstack CLI not found. Install with: pip install python-openstackclient"
+ exit 1
+fi
+
+# Check if group already exists
+if openstack security group show "$GROUP_NAME" &>/dev/null; then
+ warn "Security group '$GROUP_NAME' already exists — updating rules"
+else
+ info "Creating security group '$GROUP_NAME'..."
+ openstack security group create "$GROUP_NAME" \
+ --description "opencode-devbox: SSH, mosh, HTTPS"
+ ok "Security group created"
+fi
+
+# Add rules (idempotent — OpenStack ignores duplicates)
+info "Adding rules..."
+
+# SSH (TCP 22)
+openstack security group rule create "$GROUP_NAME" \
+ --protocol tcp --dst-port 22 --remote-ip 0.0.0.0/0 \
+ --description "SSH" 2>/dev/null && ok "SSH (TCP 22)" || warn "SSH rule already exists"
+
+# Mosh (UDP 60000-61000)
+openstack security group rule create "$GROUP_NAME" \
+ --protocol udp --dst-port 60000:61000 --remote-ip 0.0.0.0/0 \
+ --description "mosh" 2>/dev/null && ok "mosh (UDP 60000-61000)" || warn "mosh rule already exists"
+
+# ICMP (ping — useful for diagnostics)
+openstack security group rule create "$GROUP_NAME" \
+ --protocol icmp --remote-ip 0.0.0.0/0 \
+ --description "ICMP ping" 2>/dev/null && ok "ICMP ping" || warn "ICMP rule already exists"
+
+echo ""
+ok "Security group '$GROUP_NAME' ready"
+echo ""
+echo -e "${BOLD}Apply to a new instance:${RESET}"
+echo " openstack server create --security-group $GROUP_NAME ..."
+echo ""
+echo -e "${BOLD}Apply to an existing instance:${RESET}"
+echo " openstack server add security group $GROUP_NAME"
+echo ""
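Review bot: The three `openstack security group rule create … 2>/dev/null && ok … || warn "… rule already exists"` lines report every failure as a harmless duplicate: an expired token, a quota error, the wrong project or a misnamed group all print "already exists", the `||` keeps `set -e` from stopping the script, and it then prints "Security group '…' ready" although no rule was added. The `cmd && ok || warn` shape also runs `warn` whenever `ok` itself fails, and the comment `# Add rules (idempotent — OpenStack ignores duplicates)` contradicts the fallbacks beneath it, which exist because the CLI rejects a duplicate rule rather than ignoring it. The fence below replaces the three calls with an `add_rule` helper that keeps stderr, treats only the duplicate case as benign (confirm the exact wording the CLI prints for a duplicate rule on your deployment) and aborts on anything else, and routes the source range through `REMOTE_CIDR` so the world-open `0.0.0.0/0` default can be narrowed per deployment without editing the script. Separately, `--description "opencode-devbox: SSH, mosh, HTTPS"` on the create call names HTTPS although no HTTPS rule is created; change it to `--description "opencode-devbox: SSH, mosh, ICMP"`.
```shell
REMOTE_CIDR="${REMOTE_CIDR:-0.0.0.0/0}"   # source range for SSH/mosh/ICMP; narrow it where the admin network is known

# Add one rule. A duplicate is benign; any other failure aborts instead of
# being reported as "already exists".
add_rule() {
  local label=$1; shift
  local err
  if err=$(openstack security group rule create "$GROUP_NAME" "$@" 2>&1); then
    ok "$label"
  elif grep -qi 'already exists' <<<"$err"; then   # duplicate-rule conflict — confirm wording for your CLI version
    warn "$label rule already exists"
  else
    printf 'Error: could not add %s rule:\n%s\n' "$label" "$err" >&2
    exit 1
  fi
}

add_rule "SSH (TCP 22)" --protocol tcp --dst-port 22 --remote-ip "$REMOTE_CIDR" --description "SSH"
add_rule "mosh (UDP 60000-61000)" --protocol udp --dst-port 60000:61000 --remote-ip "$REMOTE_CIDR" --description "mosh"
add_rule "ICMP ping" --protocol icmp --remote-ip "$REMOTE_CIDR" --description "ICMP ping"
# … unchanged: final "ready" banner and apply-to-instance hints …
```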