15 Commits

Author SHA1 Message Date
d6f32270f0 Merge pull request 'fix: persist gitea hosts entry in cloud-init' (#74) from fix/gitea-hosts-persist into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 1s
2026-02-23 10:35:04 +01:00
root
011bbf52f4 feat: add VM 202 for report-generator PostgreSQL + MinIO
Some checks failed
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 10s
0/0 projects policies checked successfully.
Provision a dedicated VM (VMID 202, 185.47.204.228) with 4 CPU / 8GB RAM / 100GB disk
for hosting PostgreSQL and MinIO — moving stateful workloads out of K8s.

Module changes:
- Add extra_firewall_rules variable to tenant-vm module (dynamic block)
- VM 202 gets additional FW rules: PostgreSQL (5432) and MinIO (9000) from K8s host

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 09:26:53 +01:00
root
9bacf44e76 fix: persist gitea hosts entry + containerd registry mirror in cloud-init
Some checks failed
0/1 projects planned successfully.
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 11s
Security Scan / Security Scan (pull_request) Successful in 15s
manage_etc_hosts: true rewrites /etc/hosts on every VM boot, removing
the manually-added gitea entry. This broke image pulls after bare_srv_1
reboot because containerd couldn't resolve the Gitea auth token URL.

Changes:
- Add bootcmd to ensure 10.10.10.1 gitea in /etc/hosts on every boot
- Add containerd registry mirror config in write_files (was only in bootstrap)
- Add registry config_path to containerd config.toml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 17:41:19 +01:00
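An added example, not the repository's cloud-init (the function names are this example's own; the 10.10.10.1 to gitea mapping is from the commit message and the registry endpoint http://gitea:3000 is an assumption): the idempotent /etc/hosts repair a `bootcmd` entry would run on every boot, plus a writer for the per-registry `hosts.toml` that containerd reads from the directory its `config_path` points at. One thing to check with the bootcmd approach: in the stock Ubuntu /etc/cloud/cloud.cfg, `bootcmd` is listed in `cloud_init_modules` before `update_etc_hosts`, so with `manage_etc_hosts: true` the template rewrite can still run after the bootcmd in the same boot. Setting `manage_etc_hosts: localhost` (cloud-init then only manages the 127.0.1.1 hostname line) or putting the mapping in the hosts template removes that dependency on module order.

```shell
#!/bin/sh
# Added example (not the repository's cloud-init). Function names are this
# example's own; the 10.10.10.1 -> gitea mapping is from the commit message,
# the registry endpoint in the usage lines at the bottom is assumed.
set -eu

# ensure_hosts_entry FILE IP NAME
# Appends "IP NAME" to FILE unless that exact mapping is already present,
# and drops any stale line that maps NAME to a different address. Idempotent,
# so it is safe as a cloud-init bootcmd that runs on every boot, including
# after manage_etc_hosts has regenerated the file from its template.
ensure_hosts_entry() {
    file=$1; ip=$2; name=$3
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for grep -E
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${ip_re}[[:space:]]+${name}([[:space:]]|\$)" "$file"; then
        return 0
    fi
    tmp=$(mktemp)
    # keep every line except one that assigns NAME (as a whole word) elsewhere
    grep -Ev "^[^#]*[[:space:]]${name}([[:space:]]|\$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file"   # copy back so the original inode and mode survive
    rm -f "$tmp"
}

# write_registry_mirror CERTS_DIR REGISTRY ENDPOINT
# Writes CERTS_DIR/REGISTRY/hosts.toml, the per-registry file containerd
# consults when config.toml carries
#   [plugins."io.containerd.grpc.v1.cri".registry]
#     config_path = "/etc/containerd/certs.d"
# This is the supported replacement for the deprecated registry.mirrors table.
write_registry_mirror() {
    certs_dir=$1; registry=$2; endpoint=$3
    mkdir -p "$certs_dir/$registry"
    cat > "$certs_dir/$registry/hosts.toml" <<EOF
server = "$endpoint"

[host."$endpoint"]
  capabilities = ["pull", "resolve"]
EOF
}

# Usage as root on the VM (endpoint assumed for the example):
#   ensure_hosts_entry /etc/hosts 10.10.10.1 gitea
#   write_registry_mirror /etc/containerd/certs.d gitea http://gitea:3000
```

Running `ensure_hosts_entry` twice leaves exactly one `gitea` line, and running it again after the file has been regenerated without the entry restores it, which is the property a per-boot command needs.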
root
8b1e7272e2 feat: add unattended-upgrades to tenant VM cloud-init
Some checks failed
0/1 projects planned successfully.
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 9s
Security Scan / Security Scan (pull_request) Successful in 9s
Security patches applied automatically, auto-reboot at 04:00 if needed.
Closes Phase 5.3 TODO.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 12:00:36 +01:00
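An added example, not the repository's cloud-init: the two apt drop-ins that produce "security patches applied automatically, reboot at 04:00 if needed", and a read-back check of the kind a post-boot health check would run. Paths are the conventional /etc/apt/apt.conf.d names; the `52unattended-upgrades-local` name is this example's choice so that it sorts after the stock `50unattended-upgrades` shipped by the package, because apt reads the directory in lexical order and for a scalar key the last assignment wins. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not the repository's cloud-init). Function names are this
# example's own; file names follow the apt.conf.d convention, with
# "52unattended-upgrades-local" chosen to sort after the package's own
# 50unattended-upgrades so that the local settings take effect.
set -eu

# render_unattended_upgrades APT_CONF_D REBOOT_TIME
# Writes the two drop-ins cloud-init write_files would place under
# /etc/apt/apt.conf.d: the periodic schedule and the local reboot policy.
render_unattended_upgrades() {
    dir=$1; reboot_time=$2
    mkdir -p "$dir"
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$dir/52unattended-upgrades-local" <<EOF
// Reboot only when an upgraded package (kernel, libc, ...) has created
// /run/reboot-required, and only at the time below.
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$reboot_time";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
}

# apt_value APT_CONF_D KEY
# Prints the effective value of a scalar KEY. apt reads the directory in
# lexical order and the last assignment wins, so the last match is taken.
apt_value() {
    dir=$1; key=$2
    cat "$dir"/* 2>/dev/null \
      | sed -n "s/^$key *\"\([^\"]*\)\";.*/\1/p" | tail -n 1
}

# check_unattended_upgrades APT_CONF_D
# Returns 0 only if daily runs are scheduled, automatic reboot is enabled
# and the reboot time is a well-formed HH:MM; names the failing item on stderr.
check_unattended_upgrades() {
    dir=$1
    [ "$(apt_value "$dir" APT::Periodic::Unattended-Upgrade)" = 1 ] \
        || { echo "unattended-upgrade is not scheduled" >&2; return 1; }
    [ "$(apt_value "$dir" Unattended-Upgrade::Automatic-Reboot)" = true ] \
        || { echo "automatic reboot is disabled" >&2; return 1; }
    case "$(apt_value "$dir" Unattended-Upgrade::Automatic-Reboot-Time)" in
        [0-2][0-9]:[0-5][0-9]) ;;
        *) echo "reboot time is not HH:MM" >&2; return 1 ;;
    esac
}

# Usage on the VM:
#   render_unattended_upgrades /etc/apt/apt.conf.d 04:00
#   check_unattended_upgrades /etc/apt/apt.conf.d
```

The check deliberately reads the directory rather than one file: a later drop-in that sets `Automatic-Reboot "false"` silently wins, and the check reports it instead of trusting the file that was written.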
a32b76033f Fix: add lifecycle ignore_changes to prevent VM replacement on cloud-init updates
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-14 09:35:09 +01:00
988f4b1300 Fix: add conntrack to cloud-init packages (required by kubeadm)
2026-02-14 08:41:22 +01:00
c26947696e Add modules/k8s-node/cloud-init.yaml.tftpl
2026-02-14 01:12:29 +01:00
db711a28b9 Add modules/k8s-node/outputs.tf
2026-02-14 01:12:29 +01:00
35119274ac Add modules/k8s-node/variables.tf
2026-02-14 01:12:28 +01:00
6de60586d6 Add modules/k8s-node/main.tf
2026-02-14 01:12:28 +01:00
643082f9c0 feat: add resource limits (CPU, disk I/O, network) to tenant VMs
2026-02-12 21:59:14 +01:00
root
6b818a664e tenant-vm: root login + 4 GB RAM
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
- Username: user → root (SSH as root directly)
- RAM: 2048 → 4096 MB
- cloud-init: disable_root=false, PermitRootLogin yes
- Removed sudo directive (root doesn't need sudo)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 21:08:50 +01:00
root
e62411e621 feat: VM monitoring + specs update (2048MB/50GB, node_exporter, FW rule)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-11 20:43:44 +01:00
root
545eafde62 fix: cloud-init password auth + remove test VM
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
Cloud-init fixes for Ubuntu 24.04:
- Use plain_text_passwd in users section (chpasswd alone doesn't unlock)
- Override 60-cloudimg-settings.conf (disables PasswordAuthentication)
- Restart sshd after config fix

Also:
- Remove test-tenant VM (verified: SSH, internet, host isolation all OK)
- Fix host prerequisites comment (storage needs images content type)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 20:12:05 +01:00
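An added example, not the repository's code, that shows why the `60-cloudimg-settings.conf` override above is necessary and how to verify what a VM will actually enforce. sshd keeps the first value it reads for each keyword, and Ubuntu's stock /etc/ssh/sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, so drop-ins take precedence over the main file and the lexically first drop-in wins among them. Appending `PasswordAuthentication yes` to the main file therefore changes nothing while the cloud image's drop-in says `no`; the drop-in has to be overwritten or out-ranked by a lower-numbered file. The resolver below models that ordering offline; on a live host `sshd -T` prints the authoritative effective configuration. The function name and the file layout in the usage lines are this example's own.

```shell
#!/bin/sh
# Added example (not the repository's code). Models OpenSSH's keyword
# precedence for the Ubuntu layout where the main file's first directive is
#   Include /etc/ssh/sshd_config.d/*.conf
# Rules modelled: first value read wins; drop-ins are read in lexical order
# before the rest of the main file; a keyword after a Match line is
# conditional, not global, so it is ignored here. Function name is this
# example's own.
set -eu

# sshd_effective MAIN_CONF DROPIN_DIR KEYWORD
# Prints the global value sshd would use for KEYWORD (case-insensitive).
# Returns 1 if it is set nowhere, i.e. sshd's built-in default applies.
sshd_effective() {
    main=$1; dir=$2; kw=$3
    for f in "$dir"/*.conf "$main"; do
        [ -f "$f" ] || continue
        val=$(awk -v kw="$kw" '
            /^[[:space:]]*#/ { next }              # comment
            NF == 0 { next }                       # blank line
            tolower($1) == "match" { exit }        # rest of file is conditional
            tolower($1) == tolower(kw) { print $2; exit }
        ' "$f")
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done
    return 1
}

# Usage on an Ubuntu host (compare with: sshd -T | grep -i passwordauthentication):
#   sshd_effective /etc/ssh/sshd_config /etc/ssh/sshd_config.d PasswordAuthentication
#   sshd_effective /etc/ssh/sshd_config /etc/ssh/sshd_config.d PermitRootLogin
```

With the cloud image's `60-cloudimg-settings.conf` present, the resolver returns `no` for `PasswordAuthentication` regardless of what the main file says; a `50-*.conf` drop-in, or an overwrite of the 60 file, is what changes the answer.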
root
74eeabb354 feat: add tenant VM module for VM-as-a-Service (Step 5.2)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
Reusable OpenTofu module for creating isolated tenant VMs with:
- Public IP on vmbr1 (bridged, firewall=true)
- Cloud-init: password auth, fail2ban, UFW hardening
- Per-VM Proxmox firewall (IN: SSH+ICMP, OUT: allow, block SMTP)

Includes test-tenant VM (185.47.204.227) for verification.

Changes:
- modules/tenant-vm/ — reusable module (VM + FW + cloud-init)
- environments/production/tenant-vms.tf — tenant VM definitions
- policies/security.rego — require firewall=true on vmbr1
- atlantis.yaml — trigger on module file changes
- main.tf — updated host prerequisites comment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 20:01:38 +01:00