ops(sol): add public edge host preparation
Some checks failed
prepare-sol-public-edge / prepare (push) Has been cancelled
Some checks failed
prepare-sol-public-edge / prepare (push) Has been cancelled
This commit is contained in:
29
sol/public-edge/README.md
Normal file
29
sol/public-edge/README.md
Normal file
@@ -0,0 +1,29 @@
|
||||
# sol public edge
|
||||
|
||||
Host preparation for public `HTTP` and `HTTPS` exposure on `sol`.
|
||||
|
||||
## Purpose
|
||||
|
||||
- reserve and open `80/tcp` and `443/tcp` on `sol`
|
||||
- keep the host-side firewall state reproducible from Git
|
||||
- support the cluster-side `public-edge` module in `trade-next/trade-gitops`
|
||||
|
||||
## Operator Flow
|
||||
|
||||
From the repository root:
|
||||
|
||||
```bash
|
||||
./sol/public-edge/scripts/prepare-sol-public-edge.sh
|
||||
```
|
||||
|
||||
Or push to `main` and let `.gitea/workflows/prepare-sol-public-edge.yaml` execute the same step from the `trade-next` runner.
|
||||
|
||||
This script:
|
||||
|
||||
- verifies the target host is reachable over SSH
|
||||
- opens `80/tcp` and `443/tcp` on `enp6s0` in `ufw` if the rules are missing
|
||||
- prints the resulting `ufw` rules and current listeners on `80` and `443`
|
||||
|
||||
## Workflow Prerequisite
|
||||
|
||||
- organization secret `SOL_SSH_PRIVATE_KEY_B64` must contain the base64-encoded private key for `user@149.50.96.162`
|
||||
46
sol/public-edge/scripts/prepare-sol-public-edge.sh
Executable file
46
sol/public-edge/scripts/prepare-sol-public-edge.sh
Executable file
@@ -0,0 +1,46 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
TARGET_HOST="${TARGET_HOST:-149.50.96.162}"
|
||||
TARGET_USER="${TARGET_USER:-user}"
|
||||
SSH_PORT="${SSH_PORT:-22}"
|
||||
SSH_IDENTITY_FILE="${SSH_IDENTITY_FILE:-}"
|
||||
PUBLIC_IFACE="${PUBLIC_IFACE:-enp6s0}"
|
||||
|
||||
ssh_target() {
|
||||
local -a cmd=(ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -p "$SSH_PORT")
|
||||
if [ -n "$SSH_IDENTITY_FILE" ]; then
|
||||
cmd+=(-i "$SSH_IDENTITY_FILE")
|
||||
fi
|
||||
cmd+=("${TARGET_USER}@${TARGET_HOST}")
|
||||
cmd+=("$@")
|
||||
"${cmd[@]}"
|
||||
}
|
||||
|
||||
remote_rule_present() {
|
||||
local pattern="$1"
|
||||
ssh_target "sudo ufw status numbered | grep -F -- $(printf '%q' "$pattern") >/dev/null"
|
||||
}
|
||||
|
||||
ensure_rule() {
|
||||
local port="$1"
|
||||
local comment="$2"
|
||||
local pattern="${port}/tcp on ${PUBLIC_IFACE}"
|
||||
if remote_rule_present "$pattern"; then
|
||||
echo "ufw rule already present: ${pattern}"
|
||||
else
|
||||
ssh_target "sudo ufw allow in on ${PUBLIC_IFACE} to any port ${port} proto tcp comment '${comment}'"
|
||||
echo "added ufw rule: ${pattern}"
|
||||
fi
|
||||
}
|
||||
|
||||
ensure_rule 80 trade-public-http
|
||||
ensure_rule 443 trade-public-https
|
||||
|
||||
echo
|
||||
echo "[ufw]"
|
||||
ssh_target "sudo ufw status numbered"
|
||||
|
||||
echo
|
||||
echo "[listeners]"
|
||||
ssh_target "sudo ss -ltn '( sport = :80 or sport = :443 )' || true"
|
||||
Reference in New Issue
Block a user