From fa3bb12d4485c023180cd6b5ac3ce85a1a50a863 Mon Sep 17 00:00:00 2001
From: Joakim Persson
Date: Sun, 19 Apr 2026 13:22:07 +0200
Subject: [PATCH] Skip ufw on OpenStack in cloud-init, matching setup-host.sh behavior
---
 deploy/cloud-init.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/deploy/cloud-init.yml b/deploy/cloud-init.yml
index cd8397b..dacd485 100644
--- a/deploy/cloud-init.yml
+++ b/deploy/cloud-init.yml
@@ -62,12 +62,17 @@ runcmd:
 - apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 - usermod -aG docker devbox
- # Firewall — allow SSH, mosh, and optionally HTTPS if running web-accessible services
- - ufw default deny incoming
- - ufw default allow outgoing
- - ufw allow ssh
- - ufw allow 60000:61000/udp
- - ufw --force enable
+ # Firewall — skip on OpenStack (use security groups instead)
+ - |
+ if curl -s --connect-timeout 2 http://169.254.169.254/openstack/ >/dev/null 2>&1; then
+ echo "OpenStack detected — skipping ufw (use security groups instead)"
+ else
+ ufw default deny incoming
+ ufw default allow outgoing
+ ufw allow ssh
+ ufw allow 60000:61000/udp
+ ufw --force enable
+ fi
 # Disable IPv6 preference for Docker (avoids intermittent Docker Hub connectivity issues)
 - echo 'precedence ::ffff:0:0/96 100' >> /etc/gai.conf
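Review bot: The OpenStack probe in the added `if curl -s --connect-timeout 2 http://169.254.169.254/openstack/` line treats any HTTP response as a match, because curl without `-f` exits 0 on a 404 or 401 as well as on a 200. Other platforms also answer on that link-local metadata address, so on a non-OpenStack host this branch would likely skip ufw and leave the machine without a host firewall, and possibly without a security group either. Make the probe fail on HTTP errors and bound the whole request, not just the connect phase: `if curl -sf --connect-timeout 2 --max-time 5 http://169.254.169.254/openstack/ >/dev/null 2>&1; then`. Because this check decides whether a firewall is installed at all, a short comment stating that any probe failure falls through to enabling ufw would also help; the `runcmd` list starts and continues outside this hunk.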