Skip ufw on OpenStack (auto-detected), add security group setup script

setup-host.sh now detects OpenStack via metadata endpoint and skips ufw.
New setup-openstack-secgroup.sh creates the required security group with
SSH, mosh, and ICMP rules via the OpenStack CLI.

deploy/setup-host.sh

@@ -86,15 +86,25 @@ else
 fi
 
 # ── Firewall ────────────────────────────────────────────────────────
-info "Configuring firewall (ufw)..."
-sudo ufw default deny incoming >/dev/null
-sudo ufw default allow outgoing >/dev/null
-sudo ufw allow ssh >/dev/null
-sudo ufw allow 60000:61000/udp comment 'mosh' >/dev/null
-if ! sudo ufw status | grep -q "Status: active"; then
-  sudo ufw --force enable
+# Detect OpenStack — if running on OpenStack, skip ufw (security groups handle firewalling)
+SKIP_UFW=false
+if curl -s --connect-timeout 2 http://169.254.169.254/openstack/ &>/dev/null; then
+  SKIP_UFW=true
+  warn "OpenStack detected — skipping ufw (use security groups instead)"
+  warn "Ensure your security group allows: SSH (22/tcp), mosh (60000-61000/udp)"
+fi
+
+if [[ "$SKIP_UFW" == "false" ]]; then
+  info "Configuring firewall (ufw)..."
+  sudo ufw default deny incoming >/dev/null
+  sudo ufw default allow outgoing >/dev/null
+  sudo ufw allow ssh >/dev/null
+  sudo ufw allow 60000:61000/udp comment 'mosh' >/dev/null
+  if ! sudo ufw status | grep -q "Status: active"; then
+    sudo ufw --force enable
+  fi
+  ok "Firewall active — SSH and mosh allowed"
 fi
-ok "Firewall active — SSH and mosh allowed"
 
 # ── IPv4 preference for Docker Hub ──────────────────────────────────
 if ! grep -q 'precedence ::ffff:0:0/96' /etc/gai.conf 2>/dev/null; then