5 Commits

Author SHA1 Message Date
root
27fc46664f feat: migrate Atlantis from SOPS to OpenBao for Proxmox token
Some checks failed
0/0 projects applied successfully.
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 11s
- Replace sops -d --extract with bao kv get -field in workflow
- Remove .sops.yaml and encrypted proxmox.secrets.yaml
- Update .gitleaks.toml comment (remove SOPS reference)
- Proxmox token now fetched from OpenBao secret/infrastructure/proxmox
  via AppRole authentication (atlantis role)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 09:07:56 +01:00

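The AppRole login followed by a KV read that this commit's workflow performs with the bao CLI (`bao kv get -field=...` on secret/infrastructure/proxmox, authenticated as the atlantis role), shown here as an added Python illustration against the HTTP API. It is not the repository's workflow or code. Assumed: the KV v2 mount name `secret`, the field name `token`, the environment variable names BAO_ROLE_ID and BAO_SECRET_ID, and FakeOpenBao, a constructed in-memory stand-in so the module runs offline. A failed login or a missing field raises instead of producing an empty PROXMOX_VE_API_TOKEN.

```python
"""Fetch the Proxmox API token from OpenBao over its HTTP API via AppRole.

Added illustration, not the repository's workflow. Assumed: the OpenBao
address, the KV v2 mount "secret", the field name "token", and that the
role_id/secret_id arrive via environment variables. FakeOpenBao is a
constructed stand-in so the module runs without a server.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, json_body) -> (http_status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class OpenBaoError(RuntimeError):
    """Raised on any failed call; callers must fail closed, never fall back."""


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
    """Real transport for a live server (OpenBao keeps Vault's API shape)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def approle_login(t: Transport, addr: str, role_id: str, secret_id: str) -> str:
    """POST /v1/auth/approle/login and return the short-lived client token."""
    status, body = t("POST", f"{addr}/v1/auth/approle/login", {},
                     {"role_id": role_id, "secret_id": secret_id})
    if status != 200 or "auth" not in body:
        raise OpenBaoError(f"AppRole login failed: HTTP {status} {body.get('errors')}")
    return body["auth"]["client_token"]


def kv2_get_field(t: Transport, addr: str, token: str, mount: str, path: str, field: str) -> str:
    """Same as `bao kv get -field=<field> <mount>/<path>` on a KV v2 mount."""
    status, body = t("GET", f"{addr}/v1/{mount}/data/{path}", {"X-Vault-Token": token}, None)
    if status != 200:
        raise OpenBaoError(f"read of {mount}/{path} failed: HTTP {status} {body.get('errors')}")
    data = body.get("data", {}).get("data", {})
    if field not in data:  # a missing field must not silently become an empty token
        raise OpenBaoError(f"field {field!r} not present at {mount}/{path}")
    return data[field]


def proxmox_env_from_openbao(t: Transport, addr: str, role_id: str, secret_id: str) -> Dict[str, str]:
    """Return the env var the bpg/proxmox provider reads, as the workflow injects it."""
    token = approle_login(t, addr, role_id, secret_id)
    api_token = kv2_get_field(t, addr, token, "secret", "infrastructure/proxmox", "token")
    return {"PROXMOX_VE_API_TOKEN": api_token}


class FakeOpenBao:
    """Constructed in-memory server: one AppRole, one KV v2 secret, token check."""

    def __init__(self) -> None:
        self.role = ("demo-role-id", "demo-secret-id")
        # constructed placeholder value in the root@pam!tofu=<uuid> token format
        self.secrets = {"secret/data/infrastructure/proxmox":
                        {"token": "root@pam!tofu=00000000-0000-4000-8000-000000000000"}}
        self.tokens: set = set()

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/approle/login":
            b = body or {}
            if (b.get("role_id"), b.get("secret_id")) != self.role:
                return 400, {"errors": ["invalid role or secret ID"]}
            self.tokens.add("s.demo-client-token")
            return 200, {"auth": {"client_token": "s.demo-client-token", "lease_duration": 600}}
        if headers.get("X-Vault-Token") not in self.tokens:
            return 403, {"errors": ["permission denied"]}
        if method == "GET" and path in self.secrets:
            return 200, {"data": {"data": self.secrets[path], "metadata": {"version": 1}}}
        return 404, {"errors": []}


if __name__ == "__main__":
    # With BAO_ADDR set, talk to a real server; otherwise exercise the fake.
    addr = os.environ.get("BAO_ADDR")
    t = urllib_transport if addr else FakeOpenBao()
    env = proxmox_env_from_openbao(t, addr or "http://bao.invalid:8200",
                                   os.environ.get("BAO_ROLE_ID", "demo-role-id"),
                                   os.environ.get("BAO_SECRET_ID", "demo-secret-id"))
    print("fetched:", ", ".join(env))  # names only; the token value is never logged
```

The secret_id is the one credential that still has to reach the Atlantis runner out of band; keep it out of the repository and scope the atlantis role's policy to `read` on `secret/data/infrastructure/proxmox` only, so a leaked workflow token cannot enumerate other paths.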
Claude AI
74e074ad6e feat: add security scanning pipeline (Phase 8.0)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
Security Scan / Security Scan (pull_request) Failing after 6s
- Add security-scan.yaml workflow: gitleaks, checkov, trivy IaC scan
- Update atlantis.yaml: add checkov step to plan workflow
- Use standard runner image with tool installation steps
2026-02-14 16:54:05 +01:00

root
74eeabb354 feat: add tenant VM module for VM-as-a-Service (Step 5.2)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
Reusable OpenTofu module for creating isolated tenant VMs with:
- Public IP on vmbr1 (bridged, firewall=true)
- Cloud-init: password auth, fail2ban, UFW hardening
- Per-VM Proxmox firewall (IN: SSH+ICMP, OUT: allow, block SMTP)

Includes test-tenant VM (185.47.204.227) for verification.

Changes:
- modules/tenant-vm/ — reusable module (VM + FW + cloud-init)
- environments/production/tenant-vms.tf — tenant VM definitions
- policies/security.rego — require firewall=true on vmbr1
- atlantis.yaml — trigger on module file changes
- main.tf — updated host prerequisites comment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 20:01:38 +01:00

5155f08584 feat: Add bpg/proxmox provider for bare-metal VM management (Step 4.5)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
- Enable bpg/proxmox provider (~> 0.90) in production environment
- Add data source to verify Proxmox connectivity (read nodes)
- SOPS-encrypt Proxmox API token (root@pam!tofu)
- Custom Atlantis workflow: decrypt SOPS → inject PROXMOX_VE_API_TOKEN
- Update all OPA policies for bpg resource types:
  - proxmox_vm_qemu → proxmox_virtual_environment_vm
  - proxmox_lxc → proxmox_virtual_environment_container
  - Adjust field paths (cpu[0].cores, memory[0].dedicated, etc.)
  - Firewall check: per-network-device instead of top-level
  - Password check: via after_sensitive for cloud-init
  - Tags: list of strings instead of comma-separated
2026-02-11 08:17:39 +01:00

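The plan-level checks described in the two commits above (Step 5.2's "require firewall=true on vmbr1" and Step 4.5's bpg field paths and after_sensitive-based password check), as an added Python illustration over `tofu show -json` output. It is not the repository's policies/security.rego, which is written in Rego. Assumed: vmbr1 as the public bridge, the CPU/memory caps, which rules deny versus warn, and SAMPLE_PLAN, which is constructed.

```python
"""Plan-time policy checks for bpg/proxmox VMs in an OpenTofu plan.

Added illustration, not the repository's security.rego. Assumed: the plan
JSON comes from `tofu show -json tfplan`, vmbr1 is the public bridge, the
CPU/memory caps and deny/warn split are demo choices, SAMPLE_PLAN is constructed.
"""
import json
import sys
from dataclasses import dataclass
from typing import Any, Iterator, List, Optional

VM_TYPE = "proxmox_virtual_environment_vm"
PUBLIC_BRIDGE = "vmbr1"   # assumed: the bridge carrying public IPs
MAX_CORES = 8             # assumed demo cap
MAX_MEMORY_MB = 16384     # assumed demo cap
DENY_RULES = {"public-bridge-firewall", "resource-cap"}  # others only warn (assumed)


@dataclass(frozen=True)
class Finding:
    address: str
    rule: str
    message: str


def _get(obj: Any, *path: Any) -> Optional[Any]:
    """Follow a bpg-style path such as ("cpu", 0, "cores"); None if absent."""
    for step in path:
        if isinstance(step, int):
            if not isinstance(obj, list) or step >= len(obj):
                return None
        elif not isinstance(obj, dict) or step not in obj:
            return None
        obj = obj[step]
    return obj


def check_public_bridge_firewall(rc: dict) -> Iterator[Finding]:
    # bpg carries the firewall flag on each network_device block, not top level
    for i, nic in enumerate(_get(rc, "change", "after", "network_device") or []):
        if nic.get("bridge") == PUBLIC_BRIDGE and nic.get("firewall") is not True:
            yield Finding(rc["address"], "public-bridge-firewall",
                          f"network_device[{i}] on {PUBLIC_BRIDGE} must set firewall=true")


def check_cloudinit_password(rc: dict) -> Iterator[Finding]:
    # after_sensitive mirrors the resource shape with `true` at leaves the
    # schema marks sensitive; whether a password is actually configured is
    # read from `after` (null when unset). The finding never carries the value.
    path = ("initialization", 0, "user_account", 0, "password")
    if (_get(rc, "change", "after_sensitive", *path) is True
            and _get(rc, "change", "after", *path) is not None):
        yield Finding(rc["address"], "cloudinit-password",
                      "cloud-init user_account sets a password (value withheld)")


def check_resource_caps(rc: dict) -> Iterator[Finding]:
    cores = _get(rc, "change", "after", "cpu", 0, "cores")
    mem = _get(rc, "change", "after", "memory", 0, "dedicated")
    if cores is not None and cores > MAX_CORES:
        yield Finding(rc["address"], "resource-cap", f"cpu[0].cores={cores} exceeds {MAX_CORES}")
    if mem is not None and mem > MAX_MEMORY_MB:
        yield Finding(rc["address"], "resource-cap", f"memory[0].dedicated={mem} exceeds {MAX_MEMORY_MB} MB")


def evaluate(plan: dict) -> List[Finding]:
    findings: List[Finding] = []
    for rc in plan.get("resource_changes", []):
        actions = set(_get(rc, "change", "actions") or [])
        if rc.get("type") != VM_TYPE or not (actions & {"create", "update"}):
            continue  # deletes and no-ops carry nothing to enforce
        for check in (check_public_bridge_firewall, check_cloudinit_password, check_resource_caps):
            findings.extend(check(rc))
    return findings


def has_denials(findings: List[Finding]) -> bool:
    return any(f.rule in DENY_RULES for f in findings)


SAMPLE_PLAN = {  # constructed: one compliant tenant VM, one non-compliant VM
    "format_version": "1.2",
    "resource_changes": [
        {"address": 'module.tenant_vm["t1"].proxmox_virtual_environment_vm.this', "type": VM_TYPE,
         "change": {"actions": ["create"],
                    "after": {"cpu": [{"cores": 2}], "memory": [{"dedicated": 2048}],
                              "network_device": [{"bridge": "vmbr1", "firewall": True, "model": "virtio"}],
                              "initialization": [{"user_account": [{"username": "tenant", "password": "demo-only", "keys": []}]}]},
                    "after_sensitive": {"initialization": [{"user_account": [{"password": True}]}]}}},
        {"address": "proxmox_virtual_environment_vm.bad", "type": VM_TYPE,
         "change": {"actions": ["create"],
                    "after": {"cpu": [{"cores": 16}], "memory": [{"dedicated": 4096}],
                              "network_device": [{"bridge": "vmbr1", "firewall": False}, {"bridge": "vmbr0", "firewall": False}],
                              "initialization": [{"user_account": [{"username": "admin", "password": None, "keys": ["ssh-ed25519 AAAAC3...demo"]}]}]},
                    "after_sensitive": {"initialization": [{"user_account": [{"password": True}]}]}}},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    results = evaluate(plan)
    for f in results:
        print(f"{'DENY' if f.rule in DENY_RULES else 'WARN'} {f.address}: {f.message}")
    sys.exit(1 if has_denials(results) else 0)
```

Only the vmbr1 device is held to the firewall rule; a second NIC on vmbr0 passes, matching the per-network-device check rather than a top-level flag. Because the password finding is built from `after_sensitive` plus a null test on `after`, the policy output can be posted back to the pull request without echoing the cloud-init secret.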
80c1d6f624 Initial infrastructure repo structure
- environments/production/main.tf: S3 backend (MinIO), Proxmox provider (commented, ready for bare-metal)
- environments/production/variables.tf: Variable stubs for Proxmox
- atlantis.yaml: Repo-level config (autoplan on .tf changes, require approval)
- .gitignore: Terraform/OpenTofu patterns
- modules/: Empty, ready for reusable modules

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 05:39:52 +01:00