ci: allow skipping firewall bootstrap on constrained kernels

benvinegar · benvinegar · commit 1cbeaeefc012 · 2026-02-28T22:08:29.000-05:00
diff --git a/bin/ci/setup-arch.sh b/bin/ci/setup-arch.sh
@@ -29,8 +29,10 @@ BAUDBOT_BOOTSTRAP_TARGET="/usr/local/bin/baudbot" \
 # Prompts: admin user, LLM choice(1=Anthropic), Anthropic key,
 # Slack mode(2=advanced), Slack bot, Slack app, Slack users,
 # Browser?(n), Sentry?(n), launch(n)
+# Arch CI droplets frequently lack netfilter modules required by setup-firewall;
+# skip firewall bootstrap here to keep install/integration coverage stable.
 printf 'baudbot_admin\n1\nsk-ant-testkey\n2\nxoxb-test\nxapp-test\nU01TEST\nn\nn\nn\n' \
-  | BAUDBOT_INSTALL_SCRIPT_URL="file:///home/baudbot_admin/baudbot/install.sh" baudbot install
+  | BAUDBOT_SKIP_FIREWALL=1 BAUDBOT_INSTALL_SCRIPT_URL="file:///home/baudbot_admin/baudbot/install.sh" baudbot install
 
 echo "=== Verifying install ==="
 # .env exists with correct permissions
diff --git a/setup.sh b/setup.sh
@@ -274,14 +274,18 @@ echo "=== Protecting source repo ==="
 #   mount --bind "$REPO_DIR" "$REPO_DIR" && mount -o remount,bind,ro "$REPO_DIR"
 echo "Source repo at $REPO_DIR is admin-owned (not writable by baudbot_agent)"
 
-echo "=== Setting up firewall ==="
-"$REPO_DIR/bin/setup-firewall.sh"
-
-echo "=== Making firewall persistent ==="
-sed "s|__REPO_DIR__|$REPO_DIR|g" "$REPO_DIR/bin/baudbot-firewall.service" > /etc/systemd/system/baudbot-firewall.service
-systemctl daemon-reload
-systemctl enable baudbot-firewall
-echo "Firewall will be restored on boot via systemd"
+if [ "${BAUDBOT_SKIP_FIREWALL:-0}" = "1" ]; then
+  echo "=== Skipping firewall setup (BAUDBOT_SKIP_FIREWALL=1) ==="
+else
+  echo "=== Setting up firewall ==="
+  "$REPO_DIR/bin/setup-firewall.sh"
+
+  echo "=== Making firewall persistent ==="
+  sed "s|__REPO_DIR__|$REPO_DIR|g" "$REPO_DIR/bin/baudbot-firewall.service" > /etc/systemd/system/baudbot-firewall.service
+  systemctl daemon-reload
+  systemctl enable baudbot-firewall
+  echo "Firewall will be restored on boot via systemd"
+fi
 
 echo "=== Verifying baudbot CLI path ==="
 if [ -x /usr/local/bin/baudbot ]; then
