From d16dcc2aa73da08f8bde7d950cc42e63007704b1 Mon Sep 17 00:00:00 2001 From: mpabi Date: Sun, 12 Apr 2026 20:12:32 +0200 Subject: [PATCH] fix(sol): bootstrap public edge host firewall in workflow --- .gitea/workflows/deploy-sol-public-edge.yaml | 44 ++++++++++++++++++++ environments/sol/public-edge/README.md | 2 +- 2 files changed, 45 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/deploy-sol-public-edge.yaml b/.gitea/workflows/deploy-sol-public-edge.yaml index 1898343..cae3136 100644 --- a/.gitea/workflows/deploy-sol-public-edge.yaml +++ b/.gitea/workflows/deploy-sol-public-edge.yaml @@ -16,6 +16,49 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + - name: Install OpenSSH client + run: | + if ! command -v ssh >/dev/null 2>&1; then + apt-get update + apt-get install -y --no-install-recommends openssh-client + fi + + - name: Materialize sol SSH key + env: + SOL_SSH_PRIVATE_KEY_B64: ${{ secrets.SOL_SSH_PRIVATE_KEY_B64 }} + run: | + test -n "$SOL_SSH_PRIVATE_KEY_B64" + install -d -m 0700 "$HOME/.ssh" + printf '%s' "$SOL_SSH_PRIVATE_KEY_B64" | base64 -d >"$HOME/.ssh/sol_mevnode" + chmod 600 "$HOME/.ssh/sol_mevnode" + + - name: Prepare host firewall + run: | + ssh_target() { + ssh \ + -i "$HOME/.ssh/sol_mevnode" \ + -o IdentitiesOnly=yes \ + -o StrictHostKeyChecking=no \ + user@149.50.96.162 \ + "$@" + } + + ensure_rule() { + local port="$1" + local comment="$2" + local pattern="${port}/tcp on enp6s0" + if ssh_target "sudo ufw status numbered | grep -F -- $(printf '%q' "$pattern") >/dev/null"; then + echo "ufw rule already present: ${pattern}" + else + ssh_target "sudo ufw allow in on enp6s0 to any port ${port} proto tcp comment '${comment}'" + echo "added ufw rule: ${pattern}" + fi + } + + ensure_rule 80 trade-public-http + ensure_rule 443 trade-public-https + ssh_target "sudo ufw status numbered" + - name: Materialize kubeconfig env: K3S_KUBECONFIG_B64: ${{ secrets.K3S_KUBECONFIG_B64 }} @@ -78,6 +121,7 @@ jobs: KUBECONFIG: /tmp/kubeconfig run: | kubectl -n trade-r001-canary get ingress trade-frontend-public -o wide + kubectl -n kube-system get ds traefik -o wide curl -fsS --resolve trade.mpabi.pl:80:149.50.96.162 http://trade.mpabi.pl/healthz - name: Report TLS state diff --git a/environments/sol/public-edge/README.md b/environments/sol/public-edge/README.md index bb97511..1024d94 100644 --- a/environments/sol/public-edge/README.md +++ b/environments/sol/public-edge/README.md @@ -25,7 +25,7 @@ Public ingress and TLS edge for the reconstructed `R001` trade surface on `sol`. ./sol/public-edge/scripts/prepare-sol-public-edge.sh ``` -2. Push this repository to `main` and let `deploy-sol-public-edge` apply the cluster-side resources. +2. Push this repository to `main` and let `deploy-sol-public-edge` prepare the host firewall and apply the cluster-side resources. The workflow bootstraps `cert-manager` and `Traefik` first, then applies `ClusterIssuer/letsencrypt-prod` only after the cert-manager CRDs are ready.