Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00
|
|
|
apiVersion: proxmox.sankofa.nexus/v1alpha1
|
|
|
|
|
kind: ProxmoxVM
|
|
|
|
|
metadata:
|
|
|
|
|
name: phoenix-dns-primary
|
|
|
|
|
namespace: default
|
|
|
|
|
labels:
|
|
|
|
|
tenant.sankofa.nexus/id: "infrastructure"
|
|
|
|
|
environment: "production"
|
|
|
|
|
app: "phoenix"
|
|
|
|
|
component: "dns"
|
|
|
|
|
role: "primary"
|
|
|
|
|
spec:
|
|
|
|
|
forProvider:
|
|
|
|
|
node: "ml110-01"
|
|
|
|
|
name: "phoenix-dns-primary"
|
2025-12-13 04:46:50 -08:00
|
|
|
cpu: 2
|
|
|
|
|
memory: "4Gi"
|
Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00
|
|
|
disk: "50Gi"
|
|
|
|
|
storage: "local-lvm"
|
|
|
|
|
network: "vmbr0"
|
|
|
|
|
image: "local:iso/ubuntu-22.04-cloud.img"
|
|
|
|
|
site: "site-1"
|
|
|
|
|
userData: |
|
|
|
|
|
#cloud-config
|
|
|
|
|
# Package management
|
|
|
|
|
package_update: true
|
|
|
|
|
package_upgrade: true
|
|
|
|
|
|
|
|
|
|
# Time synchronization (NTP)
|
|
|
|
|
ntp:
|
|
|
|
|
enabled: true
|
|
|
|
|
ntp_client: chrony
|
|
|
|
|
servers:
|
|
|
|
|
- 0.pool.ntp.org
|
|
|
|
|
- 1.pool.ntp.org
|
|
|
|
|
- 2.pool.ntp.org
|
|
|
|
|
- 3.pool.ntp.org
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Required packages
|
|
|
|
|
packages:
|
|
|
|
|
- qemu-guest-agent
|
|
|
|
|
- curl
|
|
|
|
|
- wget
|
|
|
|
|
- net-tools
|
|
|
|
|
- apt-transport-https
|
|
|
|
|
- ca-certificates
|
|
|
|
|
- gnupg
|
|
|
|
|
- lsb-release
|
|
|
|
|
- chrony
|
|
|
|
|
- unattended-upgrades
|
|
|
|
|
- apt-listchanges
|
|
|
|
|
# DNS server packages
|
|
|
|
|
- bind9
|
|
|
|
|
- bind9utils
|
|
|
|
|
- bind9-doc
|
|
|
|
|
- dnsutils
|
|
|
|
|
- ufw
|
|
|
|
|
|
|
|
|
|
# User configuration
|
|
|
|
|
users:
|
|
|
|
|
- name: admin
|
|
|
|
|
groups: sudo
|
|
|
|
|
shell: /bin/bash
|
|
|
|
|
sudo: ALL=(ALL) NOPASSWD:ALL
|
|
|
|
|
lock_passwd: false
|
|
|
|
|
ssh_authorized_keys:
|
|
|
|
|
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbGtLMmN6px4J2QUYk0BjnNT2wytgiTLSDzL+AwhE6qQWbL+h8AeFET2CHeEf09m5KYLAbHkYTq5aUleuXsluPer9A5moPD1UfdSVLpyyIv8OvKU4mnabk4z31yenPD7Wn1hKd3WoZs2ZflFIvzXaVGBoQXFlWztWLO1fh6CXmppf731FMcTMr4x7uxd8dkG4B400a1xWFx7H4e/u33KDUApqimTrwPTfooRLuyyKV7FWpopSvbSl0ANkZsuyrjbQRR3uD66iQaI60sZArTjhjwnJz+VCOnmJhlGmfMMwov4SOemt+Ut3x0Z6CwagjvxbpGf4hoI9coYD89IFzYwXVUyB9CyvlxEyPTX3v8QwIEZtWWPDStAHTkwZ80z+LU/pvP12Su32D4Wu+ziDkONVpxh1Qh6tV+jvuA9oSKno9jLa4FO0ZTs4bPkww8AbglH3h+dV7zd7qtwwW1oeSw5GHaOq/NetfpvPVuYkOe0IxVvlODZ/d6vAjCBZ0fRgtsEuZvmCVrxwGzZEHWLeAF9G/XD+wpaA5OonceeuhF6K4H12TC3AH6ycUPIBdYOeD2askutLprLmukj8xAC5mRW4ehCnXmwjABrhLSJb7A326q6t8EO2+3u12vvMQt7xKi+aY0+wGZXSvHfiabp93OMuf3WL80A8+5NaRtby44fY6bw== defi@defi-oracle.io
|
|
|
|
|
|
|
|
|
|
# Boot commands - executed in order
|
|
|
|
|
runcmd:
|
|
|
|
|
# Verify packages are installed
|
|
|
|
|
- |
|
|
|
|
|
echo "=========================================="
|
|
|
|
|
echo "Verifying required packages are installed..."
|
|
|
|
|
echo "=========================================="
|
|
|
|
|
for pkg in qemu-guest-agent curl wget net-tools chrony unattended-upgrades; do
|
|
|
|
|
if ! dpkg -l | grep -q "^ii.*$pkg"; then
|
|
|
|
|
echo "ERROR: Package $pkg is not installed"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
echo "✅ Package $pkg is installed"
|
|
|
|
|
done
|
|
|
|
|
echo "All required packages verified"
|
|
|
|
|
|
|
|
|
|
# Verify qemu-guest-agent package details
|
|
|
|
|
- |
|
|
|
|
|
echo "=========================================="
|
|
|
|
|
echo "Checking qemu-guest-agent package details..."
|
|
|
|
|
echo "=========================================="
|
|
|
|
|
if dpkg -l | grep -q "^ii.*qemu-guest-agent"; then
|
|
|
|
|
echo "✅ qemu-guest-agent package IS installed"
|
|
|
|
|
dpkg -l | grep qemu-guest-agent
|
|
|
|
|
else
|
|
|
|
|
echo "❌ qemu-guest-agent package is NOT installed"
|
|
|
|
|
echo "Attempting to install..."
|
|
|
|
|
apt-get update
|
|
|
|
|
apt-get install -y qemu-guest-agent
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Enable and start QEMU Guest Agent
|
|
|
|
|
- |
|
|
|
|
|
echo "=========================================="
|
|
|
|
|
echo "Enabling and starting QEMU Guest Agent..."
|
|
|
|
|
echo "=========================================="
|
|
|
|
|
systemctl enable qemu-guest-agent
|
|
|
|
|
systemctl start qemu-guest-agent
|
|
|
|
|
echo "QEMU Guest Agent enabled and started"
|
|
|
|
|
|
|
|
|
|
# Verify guest agent service is running
|
|
|
|
|
- |
|
|
|
|
|
echo "=========================================="
|
|
|
|
|
echo "Verifying QEMU Guest Agent service status..."
|
|
|
|
|
echo "=========================================="
|
|
|
|
|
for i in {1..30}; do
|
|
|
|
|
if systemctl is-active --quiet qemu-guest-agent; then
|
|
|
|
|
echo "✅ QEMU Guest Agent service IS running"
|
|
|
|
|
systemctl status qemu-guest-agent --no-pager -l
|
|
|
|
|
exit 0
|
|
|
|
|
fi
|
|
|
|
|
echo "Waiting for QEMU Guest Agent to start... ($i/30)"
|
|
|
|
|
sleep 1
|
|
|
|
|
done
|
|
|
|
|
echo "⚠️ WARNING: QEMU Guest Agent may not have started properly"
|
|
|
|
|
systemctl status qemu-guest-agent --no-pager -l || true
|
|
|
|
|
echo "Attempting to restart..."
|
|
|
|
|
systemctl restart qemu-guest-agent
|
|
|
|
|
sleep 3
|
|
|
|
|
if systemctl is-active --quiet qemu-guest-agent; then
|
|
|
|
|
echo "✅ QEMU Guest Agent started after restart"
|
|
|
|
|
else
|
|
|
|
|
echo "❌ QEMU Guest Agent failed to start"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Configure BIND9
|
|
|
|
|
- |
|
|
|
|
|
echo "Configuring BIND9 DNS server..."
|
|
|
|
|
# Enable BIND9 to listen on all interfaces
|
|
|
|
|
sed -i 's/OPTIONS=.*/OPTIONS="-u bind -4"/' /etc/default/bind9
|
|
|
|
|
|
|
|
|
|
# Create basic named.conf.local (will be configured post-deployment)
|
|
|
|
|
cat > /etc/bind/named.conf.local <<EOF
|
|
|
|
|
// Local DNS zones for sankofa.nexus
|
|
|
|
|
// This file will be configured post-deployment with actual zone files
|
|
|
|
|
|
|
|
|
|
// Example zone configuration:
|
|
|
|
|
// zone "sankofa.nexus" {
|
|
|
|
|
// type master;
|
|
|
|
|
// file "/etc/bind/db.sankofa.nexus";
|
|
|
|
|
// };
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
# Start and enable BIND9
|
|
|
|
|
systemctl enable named
|
|
|
|
|
systemctl start named
|
|
|
|
|
|
|
|
|
|
# Configure UFW firewall
|
|
|
|
|
- ufw allow 53/tcp
|
|
|
|
|
- ufw allow 53/udp
|
|
|
|
|
- ufw allow 22/tcp
|
|
|
|
|
- ufw --force enable
|
|
|
|
|
|
|
|
|
|
# Verify BIND9 is running
|
|
|
|
|
- |
|
|
|
|
|
if systemctl is-active --quiet named; then
|
|
|
|
|
echo "BIND9 DNS server is running"
|
|
|
|
|
systemctl status named --no-pager
|
|
|
|
|
else
|
|
|
|
|
echo "WARNING: BIND9 may not have started properly"
|
|
|
|
|
systemctl status named --no-pager || true
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Configure automatic security updates
|
|
|
|
|
- |
|
|
|
|
|
echo "Configuring automatic security updates..."
|
|
|
|
|
cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
|
|
|
|
|
Unattended-Upgrade::Allowed-Origins {
|
|
|
|
|
"${distro_id}:${distro_codename}-security";
|
|
|
|
|
"${distro_id}ESMApps:${distro_codename}-apps-security";
|
|
|
|
|
"${distro_id}ESM:${distro_codename}-infra-security";
|
|
|
|
|
};
|
|
|
|
|
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
|
|
|
|
Unattended-Upgrade::MinimalSteps "true";
|
|
|
|
|
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
|
|
|
|
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
|
|
|
|
Unattended-Upgrade::Automatic-Reboot "false";
|
|
|
|
|
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
|
|
|
|
|
EOF
|
|
|
|
|
systemctl enable unattended-upgrades
|
|
|
|
|
systemctl start unattended-upgrades
|
|
|
|
|
echo "Automatic security updates configured"
|
|
|
|
|
|
|
|
|
|
# Configure NTP (Chrony)
|
|
|
|
|
- |
|
|
|
|
|
echo "Configuring NTP (Chrony)..."
|
|
|
|
|
systemctl enable chrony
|
|
|
|
|
systemctl restart chrony
|
|
|
|
|
sleep 3
|
|
|
|
|
if systemctl is-active --quiet chrony; then
|
|
|
|
|
echo "NTP (Chrony) is running"
|
|
|
|
|
chronyc tracking | head -1 || true
|
|
|
|
|
else
|
|
|
|
|
echo "WARNING: NTP (Chrony) may not be running"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# SSH hardening
|
|
|
|
|
- |
|
|
|
|
|
echo "Hardening SSH configuration..."
|
|
|
|
|
if ! grep -q "^PermitRootLogin no" /etc/ssh/sshd_config; then
|
|
|
|
|
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
|
|
|
|
|
sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
|
|
|
|
|
fi
|
|
|
|
|
if ! grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config; then
|
|
|
|
|
sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
|
|
|
|
|
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
|
|
|
|
|
fi
|
|
|
|
|
if ! grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config; then
|
|
|
|
|
sed -i 's/^#PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
|
|
|
|
|
fi
|
|
|
|
|
systemctl restart sshd
|
|
|
|
|
echo "SSH hardening completed"
|
|
|
|
|
|
|
|
|
|
# Configure automatic security updates
|
|
|
|
|
- |
|
|
|
|
|
echo "Configuring automatic security updates..."
|
|
|
|
|
cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
|
|
|
|
|
Unattended-Upgrade::Allowed-Origins {
|
|
|
|
|
"${distro_id}:${distro_codename}-security";
|
|
|
|
|
"${distro_id}ESMApps:${distro_codename}-apps-security";
|
|
|
|
|
"${distro_id}ESM:${distro_codename}-infra-security";
|
|
|
|
|
};
|
|
|
|
|
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
|
|
|
|
Unattended-Upgrade::MinimalSteps "true";
|
|
|
|
|
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
|
|
|
|
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
|
|
|
|
Unattended-Upgrade::Automatic-Reboot "false";
|
|
|
|
|
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
|
|
|
|
|
EOF
|
|
|
|
|
systemctl enable unattended-upgrades
|
|
|
|
|
systemctl start unattended-upgrades
|
|
|
|
|
echo "Automatic security updates configured"
|
|
|
|
|
|
|
|
|
|
# Configure NTP (Chrony)
|
|
|
|
|
- |
|
|
|
|
|
echo "Configuring NTP (Chrony)..."
|
|
|
|
|
systemctl enable chrony
|
|
|
|
|
systemctl restart chrony
|
|
|
|
|
sleep 3
|
|
|
|
|
if systemctl is-active --quiet chrony; then
|
|
|
|
|
echo "NTP (Chrony) is running"
|
|
|
|
|
chronyc tracking | head -1 || true
|
|
|
|
|
else
|
|
|
|
|
echo "WARNING: NTP (Chrony) may not be running"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# SSH hardening
|
|
|
|
|
- |
|
|
|
|
|
echo "Hardening SSH configuration..."
|
|
|
|
|
if ! grep -q "^PermitRootLogin no" /etc/ssh/sshd_config; then
|
|
|
|
|
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
|
|
|
|
|
sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
|
|
|
|
|
fi
|
|
|
|
|
if ! grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config; then
|
|
|
|
|
sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
|
|
|
|
|
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
|
|
|
|
|
fi
|
|
|
|
|
if ! grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config; then
|
|
|
|
|
sed -i 's/^#PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
|
|
|
|
|
fi
|
|
|
|
|
systemctl restart sshd
|
|
|
|
|
echo "SSH hardening completed"
|
|
|
|
|
|
|
|
|
|
# Write files for security configuration
|
|
|
|
|
write_files:
|
|
|
|
|
- path: /etc/apt/apt.conf.d/20auto-upgrades
|
|
|
|
|
content: |
|
|
|
|
|
APT::Periodic::Update-Package-Lists "1";
|
|
|
|
|
APT::Periodic::Download-Upgradeable-Packages "1";
|
|
|
|
|
APT::Periodic::AutocleanInterval "7";
|
|
|
|
|
APT::Periodic::Unattended-Upgrade "1";
|
|
|
|
|
permissions: '0644'
|
|
|
|
|
owner: root:root
|
|
|
|
|
|
|
|
|
|
# Final message
|
|
|
|
|
final_message: |
|
|
|
|
|
==========================================
|
|
|
|
|
System Boot Completed Successfully!
|
|
|
|
|
==========================================
|
|
|
|
|
|
|
|
|
|
Services Status:
|
|
|
|
|
- QEMU Guest Agent: $(systemctl is-active qemu-guest-agent)
|
|
|
|
|
- NTP (Chrony): $(systemctl is-active chrony)
|
|
|
|
|
- Automatic Security Updates: $(systemctl is-active unattended-upgrades)
|
|
|
|
|
- BIND9 DNS Server: $(systemctl is-active named)
|
|
|
|
|
|
|
|
|
|
System Information:
|
|
|
|
|
- Hostname: $(hostname)
|
|
|
|
|
- IP Address: $(hostname -I | awk '{print $1}')
|
|
|
|
|
- Time: $(date)
|
|
|
|
|
|
|
|
|
|
Packages Installed:
|
|
|
|
|
- qemu-guest-agent, curl, wget, net-tools
|
|
|
|
|
- chrony (NTP), unattended-upgrades (Security)
|
|
|
|
|
- bind9, bind9utils, dnsutils
|
|
|
|
|
|
|
|
|
|
Security Configuration:
|
|
|
|
|
- SSH: Root login disabled, Password auth disabled
|
|
|
|
|
- Automatic security updates: Enabled
|
|
|
|
|
- NTP synchronization: Enabled
|
|
|
|
|
- UFW firewall: Enabled
|
|
|
|
|
|
|
|
|
|
Next Steps:
|
|
|
|
|
1. Verify all services are running
|
|
|
|
|
2. Check cloud-init logs: /var/log/cloud-init-output.log
|
|
|
|
|
3. Configure DNS zones in /etc/bind/named.conf.local
|
|
|
|
|
4. Test SSH access
|
|
|
|
|
==========================================
|
|
|
|
|
providerConfigRef:
|
|
|
|
|
name: proxmox-provider-config
|
|
|
|
|
|
