ops(sol): add public edge host preparation
Some checks failed
prepare-sol-public-edge / prepare (push) Has been cancelled

This commit is contained in:
mpabi
2026-04-12 20:07:29 +02:00
commit 7f1a776029
4 changed files with 129 additions and 0 deletions

29
sol/public-edge/README.md Normal file
View File

@@ -0,0 +1,29 @@
# sol public edge
Host preparation for public `HTTP` and `HTTPS` exposure on `sol`.
## Purpose
- reserve and open `80/tcp` and `443/tcp` on `sol`
- keep the host-side firewall state reproducible from Git
- support the cluster-side `public-edge` module in `trade-next/trade-gitops`
## Operator Flow
From the repository root:
```bash
./sol/public-edge/scripts/prepare-sol-public-edge.sh
```
Or push to `main` and let `.gitea/workflows/prepare-sol-public-edge.yaml` execute the same step from the `trade-next` runner.
This script:
- verifies the target host is reachable over SSH
- opens `80/tcp` and `443/tcp` on `enp6s0` in `ufw` if the rules are missing
- prints the resulting `ufw` rules and current listeners on `80` and `443`
## Workflow Prerequisite
- organization secret `SOL_SSH_PRIVATE_KEY_B64` must contain the base64-encoded private key for `user@149.50.96.162`

View File

@@ -0,0 +1,46 @@
#!/usr/bin/env bash
set -euo pipefail
TARGET_HOST="${TARGET_HOST:-149.50.96.162}"
TARGET_USER="${TARGET_USER:-user}"
SSH_PORT="${SSH_PORT:-22}"
SSH_IDENTITY_FILE="${SSH_IDENTITY_FILE:-}"
PUBLIC_IFACE="${PUBLIC_IFACE:-enp6s0}"
ssh_target() {
local -a cmd=(ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -p "$SSH_PORT")
if [ -n "$SSH_IDENTITY_FILE" ]; then
cmd+=(-i "$SSH_IDENTITY_FILE")
fi
cmd+=("${TARGET_USER}@${TARGET_HOST}")
cmd+=("$@")
"${cmd[@]}"
}
remote_rule_present() {
local pattern="$1"
ssh_target "sudo ufw status numbered | grep -F -- $(printf '%q' "$pattern") >/dev/null"
}
ensure_rule() {
local port="$1"
local comment="$2"
local pattern="${port}/tcp on ${PUBLIC_IFACE}"
if remote_rule_present "$pattern"; then
echo "ufw rule already present: ${pattern}"
else
ssh_target "sudo ufw allow in on ${PUBLIC_IFACE} to any port ${port} proto tcp comment '${comment}'"
echo "added ufw rule: ${pattern}"
fi
}
ensure_rule 80 trade-public-http
ensure_rule 443 trade-public-https
echo
echo "[ufw]"
ssh_target "sudo ufw status numbered"
echo
echo "[listeners]"
ssh_target "sudo ss -ltn '( sport = :80 or sport = :443 )' || true"