Skip ufw on OpenStack (auto-detected), add security group setup script

setup-host.sh now detects OpenStack via metadata endpoint and skips ufw.
New setup-openstack-secgroup.sh creates the required security group with
SSH, mosh, and ICMP rules via the OpenStack CLI.

deploy/README.md

@@ -6,6 +6,7 @@ Scripts for setting up a fresh Linux VM to host opencode-devbox.
 
 - **`cloud-init.yml`** — cloud-init user-data template for automated VM provisioning on OpenStack, Proxmox, or any cloud with cloud-init support
 - **`setup-host.sh`** — interactive post-install script for VMs that weren't provisioned with cloud-init
+- **`setup-openstack-secgroup.sh`** — creates an OpenStack security group with the right rules (SSH, mosh, ICMP)
 
 ## Supported distributions
 
@@ -47,9 +48,29 @@ cd opencode-devbox/deploy
 - Docker Engine (from Docker's official apt repo, not distro's `docker.io`)
 - Docker Compose plugin (v2)
 - `tmux`, `mosh`, `git`
-- `ufw` firewall with SSH (22) and mosh (UDP 60000-61000) allowed
+- `ufw` firewall with SSH (22) and mosh (UDP 60000-61000) allowed — **skipped on OpenStack** (detected automatically; use security groups instead)
 - IPv4 DNS preference (works around Docker Hub IPv6 connectivity issues)
 
+## OpenStack security groups
+
+On OpenStack, firewalling is handled by security groups rather than ufw. The `setup-host.sh` script detects OpenStack automatically and skips ufw configuration.
+
+To create the required security group:
+
+```bash
+./setup-openstack-secgroup.sh
+```
+
+This creates a security group named `opencode-devbox` with rules for SSH (TCP 22), mosh (UDP 60000-61000), and ICMP. Apply it to your instance:
+
+```bash
+# New instance
+openstack server create --security-group opencode-devbox ...
+
+# Existing instance
+openstack server add security group <instance-name> opencode-devbox
+```
+
 ## VM sizing recommendations
 
 | Use case | vCPU | RAM | Disk |

deploy/setup-host.sh

@@ -86,6 +86,15 @@ else
 fi
 
 # ── Firewall ────────────────────────────────────────────────────────
+# Detect OpenStack — if running on OpenStack, skip ufw (security groups handle firewalling)
+SKIP_UFW=false
+if curl -s --connect-timeout 2 http://169.254.169.254/openstack/ &>/dev/null; then
+  SKIP_UFW=true
+  warn "OpenStack detected — skipping ufw (use security groups instead)"
+  warn "Ensure your security group allows: SSH (22/tcp), mosh (60000-61000/udp)"
+fi
+
+if [[ "$SKIP_UFW" == "false" ]]; then
   info "Configuring firewall (ufw)..."
   sudo ufw default deny incoming >/dev/null
   sudo ufw default allow outgoing >/dev/null
@@ -95,6 +104,7 @@ if ! sudo ufw status | grep -q "Status: active"; then
     sudo ufw --force enable
   fi
   ok "Firewall active — SSH and mosh allowed"
+fi
 
 # ── IPv4 preference for Docker Hub ──────────────────────────────────
 if ! grep -q 'precedence ::ffff:0:0/96' /etc/gai.conf 2>/dev/null; then

deploy/setup-openstack-secgroup.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# setup-openstack-secgroup.sh — Create an OpenStack security group for opencode-devbox
+#
+# Prerequisites:
+#   - OpenStack CLI installed (pip install python-openstackclient)
+#   - Authenticated (source your openrc.sh or clouds.yaml configured)
+#
+# Usage:
+#   ./setup-openstack-secgroup.sh [group-name]
+#
+# Default group name: opencode-devbox
+
+set -euo pipefail
+
+GROUP_NAME="${1:-opencode-devbox}"
+
+BOLD="\033[1m"; GREEN="\033[32m"; YELLOW="\033[33m"; RESET="\033[0m"
+info()  { echo -e "${BOLD}==>${RESET} $*"; }
+ok()    { echo -e "${GREEN}${BOLD}✓${RESET} $*"; }
+warn()  { echo -e "${YELLOW}${BOLD}!${RESET} $*"; }
+
+if ! command -v openstack &>/dev/null; then
+  echo "Error: openstack CLI not found. Install with: pip install python-openstackclient"
+  exit 1
+fi
+
+# Check if group already exists
+if openstack security group show "$GROUP_NAME" &>/dev/null; then
+  warn "Security group '$GROUP_NAME' already exists — updating rules"
+else
+  info "Creating security group '$GROUP_NAME'..."
+  openstack security group create "$GROUP_NAME" \
+    --description "opencode-devbox: SSH, mosh, HTTPS"
+  ok "Security group created"
+fi
+
+# Add rules (idempotent — OpenStack ignores duplicates)
+info "Adding rules..."
+
+# SSH (TCP 22)
+openstack security group rule create "$GROUP_NAME" \
+  --protocol tcp --dst-port 22 --remote-ip 0.0.0.0/0 \
+  --description "SSH" 2>/dev/null && ok "SSH (TCP 22)" || warn "SSH rule already exists"
+
+# Mosh (UDP 60000-61000)
+openstack security group rule create "$GROUP_NAME" \
+  --protocol udp --dst-port 60000:61000 --remote-ip 0.0.0.0/0 \
+  --description "mosh" 2>/dev/null && ok "mosh (UDP 60000-61000)" || warn "mosh rule already exists"
+
+# ICMP (ping — useful for diagnostics)
+openstack security group rule create "$GROUP_NAME" \
+  --protocol icmp --remote-ip 0.0.0.0/0 \
+  --description "ICMP ping" 2>/dev/null && ok "ICMP ping" || warn "ICMP rule already exists"
+
+echo ""
+ok "Security group '$GROUP_NAME' ready"
+echo ""
+echo -e "${BOLD}Apply to a new instance:${RESET}"
+echo "  openstack server create --security-group $GROUP_NAME ..."
+echo ""
+echo -e "${BOLD}Apply to an existing instance:${RESET}"
+echo "  openstack server add security group <instance-name> $GROUP_NAME"
+echo ""