- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
# Complete Enhancement Template
|
|
# Copy these sections into each VM YAML file
|
|
|
|
# 1. Add to packages list (after lsb-release):
|
|
- chrony
|
|
- unattended-upgrades
|
|
- apt-listchanges
|
|
|
|
# 2. Add NTP configuration (after package_upgrade: true):
|
|
# Time synchronization (NTP)
|
|
ntp:
|
|
enabled: true
|
|
ntp_client: chrony
|
|
servers:
|
|
- 0.pool.ntp.org
|
|
- 1.pool.ntp.org
|
|
- 2.pool.ntp.org
|
|
- 3.pool.ntp.org
|
|
|
|
# 3. Update package verification (replace the for loop):
|
|
for pkg in qemu-guest-agent curl wget net-tools chrony unattended-upgrades; do
|
|
|
|
# 4. Add before final_message (after guest agent verification):
|
|
# Configure automatic security updates
|
|
- |
|
|
# Turn on unattended security upgrades: write the apt policy file, then
# enable and start the service.  The heredoc delimiter is quoted so the
# ${distro_id} / ${distro_codename} tokens are written verbatim — they are
# placeholders expanded by unattended-upgrades itself, not by this shell.
echo "Configuring automatic security updates..."
policy_file=/etc/apt/apt.conf.d/50unattended-upgrades
cat <<'EOF' > "$policy_file"
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
# Automatic-Reboot is "false" above, so Automatic-Reboot-Time is only a
# preset for anyone who later flips the reboot switch.
systemctl enable unattended-upgrades
systemctl start unattended-upgrades
echo "Automatic security updates configured"
|
|
|
|
# Configure NTP (Chrony)
|
|
- |
|
|
# Enable chrony, restart it so the freshly written NTP config is picked up,
# then report whether the daemon actually came up.
echo "Configuring NTP (Chrony)..."
systemctl enable chrony
systemctl restart chrony
# Short grace period before polling the unit state.
sleep 3
if ! systemctl is-active --quiet chrony; then
  echo "WARNING: NTP (Chrony) may not be running"
else
  echo "NTP (Chrony) is running"
  # Print only the first line of tracking output (reference source);
  # best-effort — a failure here must not abort provisioning.
  chronyc tracking | head -1 || true
fi
|
|
|
|
# SSH hardening
|
|
- |
|
|
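# Harden sshd: disable root login and password authentication, make sure
# public-key authentication stays on.
#
# Each option is applied idempotently through set_sshd_option, which also
# covers the cases the previous sed pairs missed: an already-active line with
# a different value (e.g. "PermitRootLogin prohibit-password", common in cloud
# images) or no line for the keyword at all.  The configuration is
# syntax-checked before sshd is restarted so a bad edit cannot leave the host
# without remote access.
echo "Hardening SSH configuration..."

SSHD_CONFIG=/etc/ssh/sshd_config

# set_sshd_option KEY VALUE
# Ensures "KEY VALUE" is the active setting in $SSHD_CONFIG:
#   - "KEY VALUE" already active           -> no change
#   - an active or commented KEY line exists -> rewritten in place
#   - no KEY line at all                     -> appended
# Returns non-zero (and writes a warning to stderr) if the file is missing.
set_sshd_option() {
  key=$1
  value=$2
  if [ ! -f "$SSHD_CONFIG" ]; then
    echo "WARNING: $SSHD_CONFIG not found, cannot set $key" >&2
    return 1
  fi
  if grep -Eq "^${key}[[:space:]]+${value}[[:space:]]*$" "$SSHD_CONFIG"; then
    return 0
  fi
  if grep -Eq "^#?[[:space:]]*${key}([[:space:]]|$)" "$SSHD_CONFIG"; then
    # Rewrite every active or commented occurrence; keys/values here are
    # plain alphanumerics, so they are safe inside the sed expression.
    sed -Ei "s/^#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

set_sshd_option PermitRootLogin no
set_sshd_option PasswordAuthentication no
set_sshd_option PubkeyAuthentication yes

# sshd uses the first value it reads for a keyword, and stock sshd_config
# typically starts with "Include /etc/ssh/sshd_config.d/*.conf"; a drop-in
# there (some images ship one) can therefore override the settings above.
# Warn instead of silently assuming the hardening took effect.
if [ -d /etc/ssh/sshd_config.d ] \
  && grep -Eqs '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' /etc/ssh/sshd_config.d/*.conf; then
  echo "WARNING: a file in /etc/ssh/sshd_config.d re-enables PasswordAuthentication" >&2
fi

# Validate before restarting: restarting sshd with a broken config stops the
# daemon and cuts off remote access.  Only block the restart when sshd is
# available to run the check and reports the config as invalid.
if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
  echo "ERROR: sshd configuration is invalid, sshd was not restarted" >&2
else
  systemctl restart sshd
  echo "SSH hardening completed"
fi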
|
|
|
|
# Write files for security configuration
|
|
write_files:
|
|
- path: /etc/apt/apt.conf.d/20auto-upgrades
|
|
content: |
|
|
APT::Periodic::Update-Package-Lists "1";
|
|
APT::Periodic::Download-Upgradeable-Packages "1";
|
|
APT::Periodic::AutocleanInterval "7";
|
|
APT::Periodic::Unattended-Upgrade "1";
|
|
permissions: '0644'
|
|
owner: root:root
|
|
|
|
# Final message (cloud-init substitutes only $version, $timestamp, $datasource and $uptime here; the $(...) expressions below are not executed and appear literally in the output)
|
|
final_message: |
|
|
==========================================
|
|
System Boot Completed Successfully!
|
|
==========================================
|
|
|
|
Services Status:
|
|
- QEMU Guest Agent: $(systemctl is-active qemu-guest-agent)
|
|
- NTP (Chrony): $(systemctl is-active chrony)
|
|
- Automatic Security Updates: $(systemctl is-active unattended-upgrades)
|
|
|
|
System Information:
|
|
- Hostname: $(hostname)
|
|
- IP Address: $(hostname -I | awk '{print $1}')
|
|
- Time: $(date)
|
|
|
|
Packages Installed:
|
|
- qemu-guest-agent, curl, wget, net-tools
|
|
- chrony (NTP), unattended-upgrades (Security)
|
|
|
|
Security Configuration:
|
|
- SSH: Root login disabled, Password auth disabled
|
|
- Automatic security updates: Enabled
|
|
- NTP synchronization: Enabled
|
|
|
|
Next Steps:
|
|
1. Verify all services are running
|
|
2. Check cloud-init logs: /var/log/cloud-init-output.log
|
|
3. Test SSH access
|
|
==========================================
|
|
|