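---
# ProxmoxVM "phoenix-devops-runner": a CI/CD runner host built from the Ubuntu
# 22.04 cloud image. The embedded cloud-init user-data installs the toolchain,
# brings up the QEMU guest agent and applies a host baseline (key-only SSH,
# UFW, unattended security updates).
apiVersion: proxmox.sankofa.nexus/v1alpha1
kind: ProxmoxVM
metadata:
  name: phoenix-devops-runner
  namespace: default
  labels:
    tenant.sankofa.nexus/id: "infrastructure"
    environment: "production"
    app: "phoenix"
    component: "devops"
    role: "runner"
spec:
  forProvider:
    node: "ml110-01"
    name: "phoenix-devops-runner"
    cpu: 8
    memory: "16Gi"
    disk: "200Gi"
    storage: "local-lvm"
    network: "vmbr0"
    image: "local:iso/ubuntu-22.04-cloud.img"
    site: "site-1"
    # cloud-init concatenates every `runcmd` item into ONE /bin/sh (dash)
    # script. Consequences that shaped the scripts below:
    #   * an `exit` in any item aborts every LATER item (the previous version
    #     exited 0 as soon as the guest agent was up, so the firewall, SSH
    #     hardening and update configuration never ran);
    #   * bash-only syntax such as `{1..30}` does not expand.
    # Everything is therefore POSIX sh, steps record failures in
    # PROVISION_FAILED instead of exiting, and only the last item exits.
    userData: |
      #cloud-config

      # Package management
      package_update: true
      package_upgrade: true

      # Time synchronization (NTP)
      ntp:
        enabled: true
        ntp_client: chrony
        servers:
          - 0.pool.ntp.org
          - 1.pool.ntp.org
          - 2.pool.ntp.org
          - 3.pool.ntp.org

      # Required packages
      packages:
        - qemu-guest-agent
        - curl
        - wget
        - net-tools
        - apt-transport-https
        - ca-certificates
        - gnupg
        - lsb-release
        - chrony
        - unattended-upgrades
        - apt-listchanges
        # DevOps tools
        - git
        - docker.io
        - docker-compose
        - build-essential
        - nodejs
        - npm
        - python3
        - python3-pip
        - golang-go
        - jq
        - ufw

      # Let cloud-init itself turn off sshd password authentication; the
      # runcmd hardening step below re-checks the EFFECTIVE sshd config.
      ssh_pwauth: false

      # User configuration
      # NOTE(review): `admin` is root-equivalent twice over (NOPASSWD sudo and
      # docker group membership). That is only acceptable if CI jobs run inside
      # containers rather than directly as this user -- confirm against the
      # runner deployment.
      users:
        - name: admin
          groups: sudo, docker
          shell: /bin/bash
          sudo: ALL=(ALL) NOPASSWD:ALL
          # Key-only account: no password is ever set, so keep it locked.
          lock_passwd: true
          ssh_authorized_keys:
            - ssh-rsa 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 defi@defi-oracle.io

      # Boot commands - executed in order as a single /bin/sh script
      runcmd:
        # 0. Shared failure flag for the whole runcmd script (see note above).
        - PROVISION_FAILED=0

        # 1. Verify packages are installed (dpkg-query status is exact;
        #    `dpkg -l | grep` also matched partial package names).
        - |
          echo "=========================================="
          echo "Verifying required packages are installed..."
          echo "=========================================="
          for pkg in qemu-guest-agent curl wget net-tools chrony unattended-upgrades ufw; do
            if dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q 'install ok installed'; then
              echo "✅ Package $pkg is installed"
            else
              echo "ERROR: Package $pkg is not installed"
              PROVISION_FAILED=1
            fi
          done

        # 2. SSH hardening -- applied BEFORE the tool installs so the host is
        #    never left reachable under a weaker policy if a download hangs.
        - |
          echo "Hardening SSH configuration..."
          # Ubuntu 22.04's sshd_config includes sshd_config.d/*.conf ahead of its
          # own directives and sshd keeps the FIRST value it sees, so a
          # lexically-early drop-in wins over 50-cloud-init.conf and the main file.
          mkdir -p /etc/ssh/sshd_config.d
          cat > /etc/ssh/sshd_config.d/00-hardening.conf <<'EOF'
          PermitRootLogin no
          PasswordAuthentication no
          PubkeyAuthentication yes
          EOF
          # Fallback for an sshd_config without an Include line.
          sed -i \
            -e 's/^#\?PermitRootLogin.*/PermitRootLogin no/' \
            -e 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' \
            -e 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' \
            /etc/ssh/sshd_config
          # Validate before restarting: a broken config would lock us out.
          if /usr/sbin/sshd -t; then
            systemctl restart ssh
          else
            echo "ERROR: sshd configuration is invalid, not restarting sshd"
            PROVISION_FAILED=1
          fi
          # Check the effective configuration, not just the files we wrote.
          if /usr/sbin/sshd -T | grep -qi '^passwordauthentication no' \
             && /usr/sbin/sshd -T | grep -qi '^permitrootlogin no'; then
            echo "SSH hardening completed"
          else
            echo "ERROR: effective sshd config still permits password or root login"
            PROVISION_FAILED=1
          fi

        # 3. Host firewall: default deny inbound, SSH only. Open service ports
        #    where (and only when) that service is actually deployed on this host.
        #    NOTE(review): Docker publishes container ports through its own
        #    iptables chains, which are not subject to these UFW rules.
        - ufw default deny incoming
        - ufw default allow outgoing
        - ufw allow 22/tcp
        # - ufw allow 8080/tcp   # Jenkins -- uncomment only if Jenkins runs here
        # - ufw allow 8090/tcp   # GitLab Runner -- uncomment only if it listens here
        - ufw --force enable

        # 4. QEMU Guest Agent: install if missing, enable, and wait for it.
        - |
          echo "=========================================="
          echo "Enabling and starting QEMU Guest Agent..."
          echo "=========================================="
          if ! dpkg-query -W -f='${Status}' qemu-guest-agent 2>/dev/null | grep -q 'install ok installed'; then
            echo "❌ qemu-guest-agent package is NOT installed"
            echo "Attempting to install..."
            apt-get update && apt-get install -y qemu-guest-agent
          fi
          systemctl enable --now qemu-guest-agent
          # POSIX poll loop (no {1..30}); `break`, never `exit`, so later steps run.
          i=0
          while [ "$i" -lt 30 ]; do
            if systemctl is-active --quiet qemu-guest-agent; then
              break
            fi
            i=$((i + 1))
            echo "Waiting for QEMU Guest Agent to start... ($i/30)"
            sleep 1
          done
          if ! systemctl is-active --quiet qemu-guest-agent; then
            echo "⚠️ WARNING: QEMU Guest Agent may not have started properly"
            echo "Attempting to restart..."
            systemctl restart qemu-guest-agent
            sleep 3
          fi
          if systemctl is-active --quiet qemu-guest-agent; then
            echo "✅ QEMU Guest Agent service IS running"
            systemctl status qemu-guest-agent --no-pager -l || true
          else
            echo "❌ QEMU Guest Agent failed to start"
            systemctl status qemu-guest-agent --no-pager -l || true
            PROVISION_FAILED=1
          fi

        # 5. Configure Docker
        - systemctl enable --now docker

        # 6. Install kubectl with checksum verification (the official procedure).
        #    The .sha256 comes from the same origin as the binary, so this catches
        #    truncation/corruption, not a compromised origin -- pin KUBECTL_VERSION
        #    and mirror the artifact for a reproducible, auditable runner.
        - |
          echo "Installing kubectl..."
          KUBECTL_VERSION="$(curl -fsSL https://dl.k8s.io/release/stable.txt)"
          tmpd="$(mktemp -d)"
          if [ -n "$KUBECTL_VERSION" ] \
             && curl -fsSL -o "$tmpd/kubectl" "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
             && curl -fsSL -o "$tmpd/kubectl.sha256" "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" \
             && (cd "$tmpd" && echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check --status); then
            install -o root -g root -m 0755 "$tmpd/kubectl" /usr/local/bin/kubectl
            echo "kubectl ${KUBECTL_VERSION} installed"
          else
            echo "ERROR: kubectl download or checksum verification failed"
            PROVISION_FAILED=1
          fi
          rm -rf "$tmpd"

        # 7. Install Helm. Download-then-run instead of `curl | bash` so a
        #    truncated transfer cannot execute half a script. The installer
        #    verifies a sha256 for the Helm tarball it fetches, but the script
        #    itself comes from the unpinned `main` branch -- NOTE(review): vendor
        #    it or pin a commit.
        - |
          echo "Installing Helm..."
          tmpd="$(mktemp -d)"
          if curl -fsSL -o "$tmpd/get-helm-3" https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 \
             && bash "$tmpd/get-helm-3"; then
            echo "Helm installed"
          else
            echo "ERROR: Helm installation failed"
            PROVISION_FAILED=1
          fi
          rm -rf "$tmpd"

        # 8. Create CI/CD directories
        - mkdir -p /opt/ci-cd/workspace
        - mkdir -p /opt/ci-cd/artifacts
        - mkdir -p /opt/ci-cd/cache
        - chown -R admin:admin /opt/ci-cd

        # 9. Configure automatic security updates. Written here (after the
        #    package is installed) rather than in write_files because the file
        #    is a dpkg conffile of unattended-upgrades.
        - |
          echo "Configuring automatic security updates..."
          cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
          Unattended-Upgrade::Allowed-Origins {
              "${distro_id}:${distro_codename}-security";
              "${distro_id}ESMApps:${distro_codename}-apps-security";
              "${distro_id}ESM:${distro_codename}-infra-security";
          };
          Unattended-Upgrade::AutoFixInterruptedDpkg "true";
          Unattended-Upgrade::MinimalSteps "true";
          Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
          Unattended-Upgrade::Remove-Unused-Dependencies "true";
          Unattended-Upgrade::Automatic-Reboot "false";
          Unattended-Upgrade::Automatic-Reboot-Time "02:00";
          EOF
          systemctl enable --now unattended-upgrades
          echo "Automatic security updates configured"

        # 10. Configure NTP (Chrony)
        - |
          echo "Configuring NTP (Chrony)..."
          systemctl enable chrony
          systemctl restart chrony
          sleep 3
          if systemctl is-active --quiet chrony; then
            echo "NTP (Chrony) is running"
            chronyc tracking | head -1 || true
          else
            echo "WARNING: NTP (Chrony) may not be running"
          fi

        # 11. Verify tools (`kubectl version --short` was removed in 1.28; the
        #     flagless form prints the client version).
        - |
          echo "Verifying installed tools..."
          echo "Docker: $(docker --version)"
          echo "Git: $(git --version)"
          echo "Node.js: $(node --version)"
          echo "Python: $(python3 --version)"
          echo "Go: $(go version)"
          echo "kubectl: $(kubectl version --client)"
          echo "Helm: $(helm version --short)"
          echo "jq: $(jq --version)"

        # 12. Last item only: surface an aggregated failure to cloud-init's
        #     status/log without having skipped any earlier step.
        - exit "$PROVISION_FAILED"

      # Write files for security configuration
      write_files:
        - path: /etc/apt/apt.conf.d/20auto-upgrades
          content: |
            APT::Periodic::Update-Package-Lists "1";
            APT::Periodic::Download-Upgradeable-Packages "1";
            APT::Periodic::AutocleanInterval "7";
            APT::Periodic::Unattended-Upgrade "1";
          permissions: '0644'
          owner: root:root

      # Final message
      final_message: |
        ==========================================
  providerConfigRef:
    name: proxmox-provider-config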