5d86a17e21
vm-bot: create vm-201
AI Review / AI Code Review (pull_request) Successful in 4s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 9s
1/1 projects applied successfully.
2026-02-24 09:14:16 +01:00
root
15fdf1337a
chore: decommission vm-202-reportgen
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 7s
1/1 projects planned successfully.
Security Scan / Security Scan (pull_request) Successful in 12s
Report-generator removed from infrastructure.
VM 185.47.204.228 no longer needed — empty PostgreSQL, no workloads.
Terraform will destroy the VM and release resources:
- 4 vCPU / 8GB RAM / 100GB disk on bare_srv_1
- Public IP 185.47.204.228
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 09:47:41 +01:00
root
27fc46664f
feat: migrate Atlantis from SOPS to OpenBao for Proxmox token
0/0 projects applied successfully.
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 11s
- Replace sops -d --extract with bao kv get -field in workflow
- Remove .sops.yaml and encrypted proxmox.secrets.yaml
- Update .gitleaks.toml comment (remove SOPS reference)
- Proxmox token now fetched from OpenBao secret/infrastructure/proxmox
via AppRole authentication (atlantis role)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 09:07:56 +01:00
root
56cac80179
Remove MinIO firewall rule (port 9000) from VM 202
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 9s
Security Scan / Security Scan (pull_request) Successful in 10s
1/1 projects planned successfully.
MinIO has been removed from the report-generator architecture.
PDFs are now stored directly in PostgreSQL (BYTEA column).
Only PostgreSQL port 5432 remains needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 19:02:18 +01:00
root
011bbf52f4
feat: add VM 202 for report-generator PostgreSQL + MinIO
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 10s
0/0 projects policies checked successfully.
Provision a dedicated VM (VMID 202, 185.47.204.228) with 4 CPU / 8GB RAM / 100GB disk
for hosting PostgreSQL and MinIO — moving stateful workloads out of K8s.
Module changes:
- Add extra_firewall_rules variable to tenant-vm module (dynamic block)
- VM 202 gets additional FW rules: PostgreSQL (5432) and MinIO (9000) from K8s host
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 09:26:53 +01:00
e6d6ecfd2f
vm-bot: delete vm-201
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 9s
1/1 projects applied successfully.
Security Scan / Security Scan (pull_request) Successful in 9s
2026-02-15 13:03:20 +01:00
a8c5d9ed19
vm-bot: delete vm-202
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 11s
Security Scan / Security Scan (pull_request) Successful in 14s
1/1 projects applied successfully.
2026-02-15 13:01:38 +01:00
9240655882
vm-bot: create vm-202
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 10s
1/1 projects applied successfully.
2026-02-15 12:56:22 +01:00
4a48899230
vm-bot: create vm-201
1/1 projects applied successfully.
PR Checks / tofu-checks (pull_request) Failing after 12m16s
2026-02-14 10:34:55 +01:00
e43f4dfc90
K8s security hardening + scaling to half bare_srv_1
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects planned successfully.
Security:
- Remove DNAT/FW rules for K8s API (6443) and ArgoCD (30443)
- Access now via SSH tunnel (k8s-tunnel.service on control plane)
- Keep monitoring DNAT (9200-9202) restricted to control plane IP
Scaling:
- k8s-master: 4 CPU, 16GB RAM, 100GB disk
- k8s-worker-01: 6 CPU, 24GB RAM, 450GB disk
- k8s-worker-02: 6 CPU, 24GB RAM, 450GB disk (NEW)
- Total: 16 CPU, 64GB RAM, 1TB disk (half of bare_srv_1)
2026-02-14 09:32:08 +01:00
d78a78004e
Add environments/production/k8s-cluster.tf
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
2026-02-14 01:12:30 +01:00
Claude AI
2610034b15
Delete admin-vm-01 (VMID 201)
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-13 23:49:45 +01:00
Claude AI
6857f9734f
Add admin-vm-01 for FDE project (4 vCPU, 16GB RAM, 200GB disk)
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-13 19:57:26 +01:00
fd88af09ae
Remove VM 201 (cleanup)
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-13 19:43:20 +01:00
d815d3c8aa
Add VM 201 for FDE project (4 vCPU, 16GB RAM, 200GB disk)
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-13 19:24:55 +01:00
593e322fa8
Remove test-vm-01 (VMID 100)
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-13 18:30:35 +01:00
51639666dc
Remove vm-201-FDE (cleanup all tenant VMs)
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-13 17:25:52 +01:00
Claude
4901612111
Use tenant-vm module for VM 201 (BPG provider)
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-13 17:21:42 +01:00
Claude
0988a72966
Create tenant VM 201 - 4 vCPU, 16GB RAM, 200GB disk, IP 185.47.204.227
PR Checks / tofu-checks (pull_request) Failing after 3s
0/1 projects planned successfully.
2026-02-13 17:20:14 +01:00
894b2acf3e
Remove vm-201 (cleanup after admin bot test)
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-13 14:02:18 +01:00
fa6384b367
[vmbot] provision vm-201 (admin, 4c/16g/200g)
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-13 13:42:10 +01:00
0814a085d1
vm-bot: delete vm-202
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
2026-02-13 11:19:12 +01:00
1467da206a
test: create vm-202
PR Checks / tofu-checks (pull_request) Failing after 5s
1/1 projects applied successfully.
2026-02-12 23:13:36 +01:00
1c61d5e72e
test: delete vm-202
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
2026-02-12 23:13:13 +01:00
d2e671b3ed
cleanup: remove ghost vm-203 (never applied)
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-12 20:40:57 +01:00
9976c66682
vm-bot: delete vm-201
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-12 07:30:50 +01:00
1fa1824f17
vm-bot: create vm-203
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-12 07:25:16 +01:00
c9d234e705
vm-bot: create vm-202
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-12 07:23:29 +01:00
9307204ee2
vm-bot: create vm-201
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-12 07:17:18 +01:00
a620e4196e
vm-bot: delete vm-201
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-12 06:40:17 +01:00
13139b203c
vm-bot: create vm-201
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-12 06:35:36 +01:00
4420480382
vm-bot: delete vm-201
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-11 22:45:01 +01:00
689daeb565
vm-bot: create vm-201
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-11 22:42:35 +01:00
b5d9c16ffb
vm-bot: admin delete vm-201
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-11 22:41:22 +01:00
eed1140861
vm-bot: delete vm-202
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-11 21:50:08 +01:00
7def43112e
vm-bot: create vm-202
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-11 21:46:05 +01:00
e70e9c5ba6
vm-bot: create vm-201
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-11 21:32:19 +01:00
b6cafdf49b
vm-bot: admin delete vm-201
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
2026-02-11 21:23:07 +01:00
26d659362f
vm-bot: create vm-201
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-11 21:13:57 +01:00
ee30e7c945
vm-bot: delete vm-201
PR Checks / tofu-checks (pull_request) Failing after 5s
1/1 projects applied successfully.
2026-02-11 21:04:44 +01:00
d2784a9a95
vm-bot: create vm-201
PR Checks / tofu-checks (pull_request) Failing after 6s
1/1 projects applied successfully.
2026-02-11 21:01:55 +01:00
root
545eafde62
fix: cloud-init password auth + remove test VM
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
Cloud-init fixes for Ubuntu 24.04:
- Use plain_text_passwd in users section (chpasswd alone doesn't unlock)
- Override 60-cloudimg-settings.conf (disables PasswordAuthentication)
- Restart sshd after config fix
Also:
- Remove test-tenant VM (verified: SSH, internet, host isolation all OK)
- Fix host prerequisites comment (storage needs images content type)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 20:12:05 +01:00
root
74eeabb354
feat: add tenant VM module for VM-as-a-Service (Step 5.2)
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
Reusable OpenTofu module for creating isolated tenant VMs with:
- Public IP on vmbr1 (bridged, firewall=true)
- Cloud-init: password auth, fail2ban, UFW hardening
- Per-VM Proxmox firewall (IN: SSH+ICMP, OUT: allow, block SMTP)
Includes test-tenant VM (185.47.204.227) for verification.
Changes:
- modules/tenant-vm/ — reusable module (VM + FW + cloud-init)
- environments/production/tenant-vms.tf — tenant VM definitions
- policies/security.rego — require firewall=true on vmbr1
- atlantis.yaml — trigger on module file changes
- main.tf — updated host prerequisites comment
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 20:01:38 +01:00
root
f227620b8b
fix: update Proxmox endpoint to new IP 185.47.204.226
Server bare_srv_1 migrated from 217.168.244.244 to 185.47.204.226
(dedicated /28 subnet on VLAN 1742). Old IP is no longer reachable.
Emergency fix — Atlantis cannot function until endpoint is updated.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 19:26:21 +01:00
5ff3190bea
fix: set overwrite_unmanaged=true to adopt existing cloud image
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
File was manually downloaded before IaC. overwrite_unmanaged allows
OpenTofu to take ownership of the existing file.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 15:26:38 +01:00
a615ad5be4
fix: use depends_on instead of direct file_id reference
PR Checks / tofu-checks (pull_request) Failing after 3s
0/1 projects applied successfully.
file_id forces VM replacement when changed. Using depends_on +
hardcoded path keeps the image managed by IaC without destroying VM.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 15:24:59 +01:00
12c301e59b
refactor: manage cloud image via IaC instead of manual wget
PR Checks / tofu-checks (pull_request) Failing after 2s
0/0 projects policies checked successfully.
- Add proxmox_virtual_environment_download_file for Ubuntu 24.04 cloud image
- VM disk references managed resource instead of hardcoded path
- Document host prerequisites (NAT, sysctl) that can't be in IaC
(Proxmox API limitation — bpg/proxmox #1454)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 15:23:16 +01:00
c33bcd2564
fix: disable per-NIC firewall on NAT bridge to fix VM internet
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
The Proxmox per-NIC firewall (bridge-nf-call-iptables) conflicts with
MASQUERADE NAT routing on vmbr0 (bridge without physical uplink).
Security is maintained via NAT isolation + host-level Proxmox firewall.
Also updates OPA security policy to reflect NAT security model.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 14:24:41 +01:00
1c7258d13a
fix: Add SSH config for Proxmox disk operations
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
bpg/proxmox provider requires SSH access to import cloud images.
SSH key mounted at /secrets/ssh-key in Atlantis container.
2026-02-11 13:55:55 +01:00
69e2e15017
feat: Add test-vm-01 Ubuntu 24.04 via cloud-init (Step 4.6)
PR Checks / tofu-checks (pull_request) Failing after 2s
0/1 projects applied successfully.
- proxmox_virtual_environment_vm: 2 vCPU, 2 GB RAM, 20 GB disk
- Cloud image: ubuntu-24.04-cloudimg-amd64.img (qcow2)
- Network: vmbr0, static IP 10.10.10.100/24, NAT via host
- Cloud-init: SSH key (control VPS), user ubuntu, DNS 8.8.8.8
- Firewall enabled on NIC, tags: test/tofu/ubuntu
2026-02-11 13:14:07 +01:00