d-bis/Sankofa
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7cd7022f6e0d6ff4232c47cbf4c19cfbc704e102
Sankofa/examples/production/nginx-proxy-vm.yaml
defiQUG 9daf1fd378 Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements 
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00

289 lines
11 KiB
YAML
Raw Blame History

apiVersion: proxmox.sankofa.nexus/v1alpha1
kind: ProxmoxVM
metadata:
name: nginx-proxy-vm
namespace: default
labels:
tenant.sankofa.nexus/id: "infrastructure"
environment: "production"
app: "nginx-proxy"
role: "infrastructure"
component: "proxy"
spec:
forProvider:
node: "ml110-01"
name: "nginx-proxy-vm"
cpu: 2
memory: "4Gi"
disk: "20Gi"
storage: "local-lvm"
network: "vmbr0"
image: "local:iso/ubuntu-22.04-cloud.img"
site: "site-1"
userData: |
#cloud-config
# Package management
package_update: true
package_upgrade: true
# Required packages
packages:
- qemu-guest-agent
- curl
- wget
- net-tools
- apt-transport-https
- ca-certificates
- gnupg
- lsb-release
- chrony
- unattended-upgrades
- apt-listchanges
# Nginx-specific packages
- nginx
- certbot
- python3-certbot-nginx
- ufw
# Time synchronization (NTP)
ntp:
enabled: true
ntp_client: chrony
servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
# User configuration
users:
- name: admin
groups: sudo
shell: /bin/bash
sudo: ALL=(ALL) NOPASSWD:ALL
lock_passwd: false
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbGtLMmN6px4J2QUYk0BjnNT2wytgiTLSDzL+AwhE6qQWbL+h8AeFET2CHeEf09m5KYLAbHkYTq5aUleuXsluPer9A5moPD1UfdSVLpyyIv8OvKU4mnabk4z31yenPD7Wn1hKd3WoZs2ZflFIvzXaVGBoQXFlWztWLO1fh6CXmppf731FMcTMr4x7uxd8dkG4B400a1xWFx7H4e/u33KDUApqimTrwPTfooRLuyyKV7FWpopSvbSl0ANkZsuyrjbQRR3uD66iQaI60sZArTjhjwnJz+VCOnmJhlGmfMMwov4SOemt+Ut3x0Z6CwagjvxbpGf4hoI9coYD89IFzYwXVUyB9CyvlxEyPTX3v8QwIEZtWWPDStAHTkwZ80z+LU/pvP12Su32D4Wu+ziDkONVpxh1Qh6tV+jvuA9oSKno9jLa4FO0ZTs4bPkww8AbglH3h+dV7zd7qtwwW1oeSw5GHaOq/NetfpvPVuYkOe0IxVvlODZ/d6vAjCBZ0fRgtsEuZvmCVrxwGzZEHWLeAF9G/XD+wpaA5OonceeuhF6K4H12TC3AH6ycUPIBdYOeD2askutLprLmukj8xAC5mRW4ehCnXmwjABrhLSJb7A326q6t8EO2+3u12vvMQt7xKi+aY0+wGZXSvHfiabp93OMuf3WL80A8+5NaRtby44fY6bw== defi@defi-oracle.io
# Boot commands - executed in order
runcmd:
# Verify packages are installed
- |
echo "=========================================="
echo "Verifying required packages are installed..."
echo "=========================================="
for pkg in qemu-guest-agent curl wget net-tools chrony unattended-upgrades; do
if ! dpkg -l | grep -q "^ii.*$pkg"; then
echo "ERROR: Package $pkg is not installed"
exit 1
fi
echo "✅ Package $pkg is installed"
done
echo "All required packages verified"
# Verify qemu-guest-agent package details
- |
echo "=========================================="
echo "Checking qemu-guest-agent package details..."
echo "=========================================="
if dpkg -l | grep -q "^ii.*qemu-guest-agent"; then
echo "✅ qemu-guest-agent package IS installed"
dpkg -l | grep qemu-guest-agent
else
echo "❌ qemu-guest-agent package is NOT installed"
echo "Attempting to install..."
apt-get update
apt-get install -y qemu-guest-agent
fi
# Enable and start QEMU Guest Agent
- |
echo "=========================================="
echo "Enabling and starting QEMU Guest Agent..."
echo "=========================================="
systemctl enable qemu-guest-agent
systemctl start qemu-guest-agent
echo "QEMU Guest Agent enabled and started"
# Verify guest agent service is running
- |
echo "=========================================="
echo "Verifying QEMU Guest Agent service status..."
echo "=========================================="
for i in {1..30}; do
if systemctl is-active --quiet qemu-guest-agent; then
echo "✅ QEMU Guest Agent service IS running"
systemctl status qemu-guest-agent --no-pager -l
exit 0
fi
echo "Waiting for QEMU Guest Agent to start... ($i/30)"
sleep 1
done
echo "⚠️ WARNING: QEMU Guest Agent may not have started properly"
systemctl status qemu-guest-agent --no-pager -l || true
echo "Attempting to restart..."
systemctl restart qemu-guest-agent
sleep 3
if systemctl is-active --quiet qemu-guest-agent; then
echo "✅ QEMU Guest Agent started after restart"
else
echo "❌ QEMU Guest Agent failed to start"
fi
# Configure and start Nginx
- systemctl enable nginx
- systemctl start nginx
# Configure UFW firewall
- ufw allow 80/tcp
- ufw allow 443/tcp
- ufw allow 22/tcp
- ufw --force enable
# Verify Nginx is running
- |
if systemctl is-active --quiet nginx; then
echo "Nginx is running"
systemctl status nginx --no-pager
else
echo "WARNING: Nginx may not have started properly"
systemctl status nginx --no-pager || true
fi
# Configure automatic security updates
- |
echo "Configuring automatic security updates..."
cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
systemctl enable unattended-upgrades
systemctl start unattended-upgrades
echo "Automatic security updates configured"
# Configure NTP (Chrony)
- |
echo "Configuring NTP (Chrony)..."
systemctl enable chrony
systemctl restart chrony
sleep 3
if systemctl is-active --quiet chrony; then
echo "NTP (Chrony) is running"
chronyc tracking | head -1 || true
else
echo "WARNING: NTP (Chrony) may not be running"
fi
# SSH hardening
- |
echo "Hardening SSH configuration..."
if ! grep -q "^PermitRootLogin no" /etc/ssh/sshd_config; then
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
fi
if ! grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config; then
sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
fi
if ! grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config; then
sed -i 's/^#PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
fi
systemctl restart sshd
echo "SSH hardening completed"
write_files:
- path: /etc/nginx/nginx.conf
content: |
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# SSL Configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# Gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss;
# Include server configurations
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
- path: /etc/apt/apt.conf.d/20auto-upgrades
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
permissions: '0644'
owner: root:root
# Final message
final_message: |
==========================================
System Boot Completed Successfully!
==========================================
Services Status:
- QEMU Guest Agent: $(systemctl is-active qemu-guest-agent)
- NTP (Chrony): $(systemctl is-active chrony)
- Automatic Security Updates: $(systemctl is-active unattended-upgrades)
- Nginx: $(systemctl is-active nginx)
System Information:
- Hostname: $(hostname)
- IP Address: $(hostname -I | awk '{print $1}')
- Time: $(date)
Packages Installed:
- qemu-guest-agent, curl, wget, net-tools
- chrony (NTP), unattended-upgrades (Security)
- nginx, certbot, python3-certbot-nginx, ufw
Security Configuration:
- SSH: Root login disabled, Password auth disabled
- Automatic security updates: Enabled
- NTP synchronization: Enabled
- UFW firewall: Enabled
Next Steps:
1. Verify all services are running
2. Check cloud-init logs: /var/log/cloud-init-output.log
3. Configure Nginx virtual hosts
4. Test SSL certificate generation with Certbot
==========================================
providerConfigRef:
name: proxmox-provider-config
Reference in New Issue View Git Blame Copy Permalink