9daf1fd378
- Add comprehensive database migrations (001-024) for schema evolution - Enhance API schema with expanded type definitions and resolvers - Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth - Implement new services: AI optimization, billing, blockchain, compliance, marketplace - Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage) - Update Crossplane provider with enhanced VM management capabilities - Add comprehensive test suite for API endpoints and services - Update frontend components with improved GraphQL subscriptions and real-time updates - Enhance security configurations and headers (CSP, CORS, etc.) - Update documentation and configuration files - Add new CI/CD workflows and validation scripts - Implement design system improvements and UI enhancements
325 lines
12 KiB
YAML
325 lines
12 KiB
YAML
apiVersion: proxmox.sankofa.nexus/v1alpha1
|
|
kind: ProxmoxVM
|
|
metadata:
|
|
name: cloudflare-tunnel-vm
|
|
namespace: default
|
|
labels:
|
|
tenant.sankofa.nexus/id: "infrastructure"
|
|
environment: "production"
|
|
app: "cloudflare-tunnel"
|
|
role: "infrastructure"
|
|
component: "tunnel"
|
|
spec:
|
|
forProvider:
|
|
node: "r630-01"
|
|
name: "cloudflare-tunnel-vm"
|
|
cpu: 2
|
|
memory: "4Gi"
|
|
disk: "10Gi"
|
|
storage: "local-lvm"
|
|
network: "vmbr0"
|
|
image: "local:iso/ubuntu-22.04-cloud.img"
|
|
site: "site-2"
|
|
userData: |
|
|
#cloud-config
|
|
# Package management
|
|
package_update: true
|
|
package_upgrade: true
|
|
|
|
# Required packages
|
|
packages:
|
|
- qemu-guest-agent
|
|
- curl
|
|
- wget
|
|
- net-tools
|
|
- apt-transport-https
|
|
- ca-certificates
|
|
- gnupg
|
|
- lsb-release
|
|
- chrony
|
|
- unattended-upgrades
|
|
- apt-listchanges
|
|
# Cloudflare tunnel specific
|
|
- ufw
|
|
|
|
# Time synchronization (NTP)
|
|
ntp:
|
|
enabled: true
|
|
ntp_client: chrony
|
|
servers:
|
|
- 0.pool.ntp.org
|
|
- 1.pool.ntp.org
|
|
- 2.pool.ntp.org
|
|
- 3.pool.ntp.org
|
|
|
|
# User configuration
|
|
users:
|
|
- name: admin
|
|
groups: sudo
|
|
shell: /bin/bash
|
|
sudo: ALL=(ALL) NOPASSWD:ALL
|
|
lock_passwd: false
|
|
ssh_authorized_keys:
|
|
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbGtLMmN6px4J2QUYk0BjnNT2wytgiTLSDzL+AwhE6qQWbL+h8AeFET2CHeEf09m5KYLAbHkYTq5aUleuXsluPer9A5moPD1UfdSVLpyyIv8OvKU4mnabk4z31yenPD7Wn1hKd3WoZs2ZflFIvzXaVGBoQXFlWztWLO1fh6CXmppf731FMcTMr4x7uxd8dkG4B400a1xWFx7H4e/u33KDUApqimTrwPTfooRLuyyKV7FWpopSvbSl0ANkZsuyrjbQRR3uD66iQaI60sZArTjhjwnJz+VCOnmJhlGmfMMwov4SOemt+Ut3x0Z6CwagjvxbpGf4hoI9coYD89IFzYwXVUyB9CyvlxEyPTX3v8QwIEZtWWPDStAHTkwZ80z+LU/pvP12Su32D4Wu+ziDkONVpxh1Qh6tV+jvuA9oSKno9jLa4FO0ZTs4bPkww8AbglH3h+dV7zd7qtwwW1oeSw5GHaOq/NetfpvPVuYkOe0IxVvlODZ/d6vAjCBZ0fRgtsEuZvmCVrxwGzZEHWLeAF9G/XD+wpaA5OonceeuhF6K4H12TC3AH6ycUPIBdYOeD2askutLprLmukj8xAC5mRW4ehCnXmwjABrhLSJb7A326q6t8EO2+3u12vvMQt7xKi+aY0+wGZXSvHfiabp93OMuf3WL80A8+5NaRtby44fY6bw== defi@defi-oracle.io
|
|
|
|
# Boot commands - executed in order
|
|
runcmd:
|
|
# Verify packages are installed
|
|
- |
|
|
echo "=========================================="
|
|
echo "Verifying required packages are installed..."
|
|
echo "=========================================="
|
|
for pkg in qemu-guest-agent curl wget net-tools chrony unattended-upgrades; do
|
|
if ! dpkg -l | grep -q "^ii.*$pkg"; then
|
|
echo "ERROR: Package $pkg is not installed"
|
|
exit 1
|
|
fi
|
|
echo "✅ Package $pkg is installed"
|
|
done
|
|
echo "All required packages verified"
|
|
|
|
# Verify qemu-guest-agent package details
|
|
- |
|
|
echo "=========================================="
|
|
echo "Checking qemu-guest-agent package details..."
|
|
echo "=========================================="
|
|
if dpkg -l | grep -q "^ii.*qemu-guest-agent"; then
|
|
echo "✅ qemu-guest-agent package IS installed"
|
|
dpkg -l | grep qemu-guest-agent
|
|
else
|
|
echo "❌ qemu-guest-agent package is NOT installed"
|
|
echo "Attempting to install..."
|
|
apt-get update
|
|
apt-get install -y qemu-guest-agent
|
|
fi
|
|
|
|
# Enable and start QEMU Guest Agent
|
|
- |
|
|
echo "=========================================="
|
|
echo "Enabling and starting QEMU Guest Agent..."
|
|
echo "=========================================="
|
|
systemctl enable qemu-guest-agent
|
|
systemctl start qemu-guest-agent
|
|
echo "QEMU Guest Agent enabled and started"
|
|
|
|
# Verify guest agent service is running
|
|
- |
|
|
echo "=========================================="
|
|
echo "Verifying QEMU Guest Agent service status..."
|
|
echo "=========================================="
|
|
for i in {1..30}; do
|
|
if systemctl is-active --quiet qemu-guest-agent; then
|
|
echo "✅ QEMU Guest Agent service IS running"
|
|
systemctl status qemu-guest-agent --no-pager -l
|
|
exit 0
|
|
fi
|
|
echo "Waiting for QEMU Guest Agent to start... ($i/30)"
|
|
sleep 1
|
|
done
|
|
echo "⚠️ WARNING: QEMU Guest Agent may not have started properly"
|
|
systemctl status qemu-guest-agent --no-pager -l || true
|
|
echo "Attempting to restart..."
|
|
systemctl restart qemu-guest-agent
|
|
sleep 3
|
|
if systemctl is-active --quiet qemu-guest-agent; then
|
|
echo "✅ QEMU Guest Agent started after restart"
|
|
else
|
|
echo "❌ QEMU Guest Agent failed to start"
|
|
fi
|
|
|
|
# Install cloudflared
|
|
- |
|
|
echo "Installing cloudflared..."
|
|
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o /tmp/cloudflared.deb
|
|
if [ -f /tmp/cloudflared.deb ]; then
|
|
dpkg -i /tmp/cloudflared.deb || apt-get install -f -y
|
|
rm /tmp/cloudflared.deb
|
|
echo "cloudflared installed successfully"
|
|
else
|
|
echo "ERROR: Failed to download cloudflared"
|
|
exit 1
|
|
fi
|
|
|
|
# Verify cloudflared is installed
|
|
- |
|
|
if command -v cloudflared >/dev/null 2>&1; then
|
|
echo "cloudflared is installed: $(cloudflared --version)"
|
|
else
|
|
echo "ERROR: cloudflared is not installed"
|
|
exit 1
|
|
fi
|
|
|
|
# Create cloudflared user
|
|
- |
|
|
if ! id -u cloudflared >/dev/null 2>&1; then
|
|
useradd -r -s /bin/false cloudflared
|
|
echo "cloudflared user created"
|
|
else
|
|
echo "cloudflared user already exists"
|
|
fi
|
|
|
|
# Create directories
|
|
- |
|
|
mkdir -p /etc/cloudflared
|
|
mkdir -p /var/log/cloudflared
|
|
chown cloudflared:cloudflared /var/log/cloudflared
|
|
echo "Cloudflared directories created"
|
|
|
|
# Create systemd service
|
|
- |
|
|
cat > /etc/systemd/system/cloudflared.service <<EOF
|
|
[Unit]
|
|
Description=cloudflared
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=cloudflared
|
|
ExecStart=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yaml run
|
|
Restart=on-failure
|
|
RestartSec=5s
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
echo "Cloudflared systemd service created"
|
|
|
|
# Reload systemd and enable cloudflared
|
|
- systemctl daemon-reload
|
|
- systemctl enable cloudflared
|
|
|
|
# Configure UFW firewall
|
|
- ufw allow 22/tcp
|
|
- ufw --force enable
|
|
|
|
# Verify cloudflared service is configured
|
|
- |
|
|
if systemctl is-enabled cloudflared >/dev/null 2>&1; then
|
|
echo "cloudflared service is enabled"
|
|
else
|
|
echo "WARNING: cloudflared service may not be enabled"
|
|
fi
|
|
|
|
# Configure automatic security updates
|
|
- |
|
|
echo "Configuring automatic security updates..."
|
|
cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
|
|
Unattended-Upgrade::Allowed-Origins {
|
|
"${distro_id}:${distro_codename}-security";
|
|
"${distro_id}ESMApps:${distro_codename}-apps-security";
|
|
"${distro_id}ESM:${distro_codename}-infra-security";
|
|
};
|
|
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
|
Unattended-Upgrade::MinimalSteps "true";
|
|
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
|
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
|
Unattended-Upgrade::Automatic-Reboot "false";
|
|
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
|
|
EOF
|
|
systemctl enable unattended-upgrades
|
|
systemctl start unattended-upgrades
|
|
echo "Automatic security updates configured"
|
|
|
|
# Configure NTP (Chrony)
|
|
- |
|
|
echo "Configuring NTP (Chrony)..."
|
|
systemctl enable chrony
|
|
systemctl restart chrony
|
|
sleep 3
|
|
if systemctl is-active --quiet chrony; then
|
|
echo "NTP (Chrony) is running"
|
|
chronyc tracking | head -1 || true
|
|
else
|
|
echo "WARNING: NTP (Chrony) may not be running"
|
|
fi
|
|
|
|
# SSH hardening
|
|
- |
|
|
echo "Hardening SSH configuration..."
|
|
if ! grep -q "^PermitRootLogin no" /etc/ssh/sshd_config; then
|
|
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
|
|
sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
|
|
fi
|
|
if ! grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config; then
|
|
sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
|
|
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
|
|
fi
|
|
if ! grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config; then
|
|
sed -i 's/^#PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
|
|
fi
|
|
systemctl restart sshd
|
|
echo "SSH hardening completed"
|
|
write_files:
|
|
- path: /etc/cloudflared/config.yaml
|
|
content: |
|
|
# Cloudflare Tunnel Configuration
|
|
# This file should be updated with actual tunnel credentials after VM creation
|
|
#
|
|
# To set up the tunnel:
|
|
# 1. Create tunnel in Cloudflare dashboard or via API
|
|
# 2. Download tunnel credentials JSON file
|
|
# 3. Place credentials at: /etc/cloudflared/tunnel-credentials.json
|
|
# 4. Update this config with ingress rules
|
|
#
|
|
# Example configuration:
|
|
# tunnel: your-tunnel-id
|
|
# credentials-file: /etc/cloudflared/tunnel-credentials.json
|
|
#
|
|
# ingress:
|
|
# - hostname: example.sankofa.nexus
|
|
# service: http://localhost:80
|
|
# - service: http_status:404
|
|
|
|
loglevel: info
|
|
logfile: /var/log/cloudflared/tunnel.log
|
|
metrics: 0.0.0.0:9090
|
|
permissions: '0644'
|
|
owner: root:root
|
|
- path: /etc/apt/apt.conf.d/20auto-upgrades
|
|
content: |
|
|
APT::Periodic::Update-Package-Lists "1";
|
|
APT::Periodic::Download-Upgradeable-Packages "1";
|
|
APT::Periodic::AutocleanInterval "7";
|
|
APT::Periodic::Unattended-Upgrade "1";
|
|
permissions: '0644'
|
|
owner: root:root
|
|
|
|
# Final message
|
|
final_message: |
|
|
==========================================
|
|
System Boot Completed Successfully!
|
|
==========================================
|
|
|
|
Services Status:
|
|
- QEMU Guest Agent: $(systemctl is-active qemu-guest-agent)
|
|
- NTP (Chrony): $(systemctl is-active chrony)
|
|
- Automatic Security Updates: $(systemctl is-active unattended-upgrades)
|
|
- Cloudflared: $(systemctl is-enabled cloudflared && echo 'enabled' || echo 'not enabled')
|
|
|
|
System Information:
|
|
- Hostname: $(hostname)
|
|
- IP Address: $(hostname -I | awk '{print $1}')
|
|
- Time: $(date)
|
|
|
|
Packages Installed:
|
|
- qemu-guest-agent, curl, wget, net-tools
|
|
- chrony (NTP), unattended-upgrades (Security)
|
|
- cloudflared, ufw
|
|
|
|
Security Configuration:
|
|
- SSH: Root login disabled, Password auth disabled
|
|
- Automatic security updates: Enabled
|
|
- NTP synchronization: Enabled
|
|
- UFW firewall: Enabled
|
|
|
|
Next Steps:
|
|
1. Verify all services are running
|
|
2. Check cloud-init logs: /var/log/cloud-init-output.log
|
|
3. Configure Cloudflare tunnel credentials
|
|
4. Update /etc/cloudflared/config.yaml with tunnel ID
|
|
5. Start cloudflared service: systemctl start cloudflared
|
|
==========================================
|
|
providerConfigRef:
|
|
name: proxmox-provider-config
|
|
|