Skip ufw on OpenStack (auto-detected), add security group setup script

setup-host.sh now detects OpenStack via metadata endpoint and skips ufw.
New setup-openstack-secgroup.sh creates the required security group with
SSH, mosh, and ICMP rules via the OpenStack CLI.

deploy/README.md

@@ -6,6 +6,7 @@ Scripts for setting up a fresh Linux VM to host opencode-devbox.
 
 - **`cloud-init.yml`** — cloud-init user-data template for automated VM provisioning on OpenStack, Proxmox, or any cloud with cloud-init support
 - **`setup-host.sh`** — interactive post-install script for VMs that weren't provisioned with cloud-init
+- **`setup-openstack-secgroup.sh`** — creates an OpenStack security group with the right rules (SSH, mosh, ICMP)
 
 ## Supported distributions
 
@@ -47,9 +48,29 @@ cd opencode-devbox/deploy
 - Docker Engine (from Docker's official apt repo, not distro's `docker.io`)
 - Docker Compose plugin (v2)
 - `tmux`, `mosh`, `git`
-- `ufw` firewall with SSH (22) and mosh (UDP 60000-61000) allowed
+- `ufw` firewall with SSH (22) and mosh (UDP 60000-61000) allowed — **skipped on OpenStack** (detected automatically; use security groups instead)
 - IPv4 DNS preference (works around Docker Hub IPv6 connectivity issues)
 
+## OpenStack security groups
+
+On OpenStack, firewalling is handled by security groups rather than ufw. The `setup-host.sh` script detects OpenStack automatically and skips ufw configuration.
+
+To create the required security group:
+
+```bash
+./setup-openstack-secgroup.sh
+```
+
+This creates a security group named `opencode-devbox` with rules for SSH (TCP 22), mosh (UDP 60000-61000), and ICMP. Apply it to your instance:
+
+```bash
+# New instance
+openstack server create --security-group opencode-devbox ...
+
+# Existing instance
+openstack server add security group <instance-name> opencode-devbox
+```
+
 ## VM sizing recommendations
 
 | Use case | vCPU | RAM | Disk |