root
74eeabb354
feat: add tenant VM module for VM-as-a-Service (Step 5.2)
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
Reusable OpenTofu module for creating isolated tenant VMs with:
- Public IP on vmbr1 (bridged, firewall=true)
- Cloud-init: password auth, fail2ban, UFW hardening
- Per-VM Proxmox firewall (IN: SSH+ICMP, OUT: allow, block SMTP)
Includes test-tenant VM (185.47.204.227) for verification.
Changes:
- modules/tenant-vm/ — reusable module (VM + FW + cloud-init)
- environments/production/tenant-vms.tf — tenant VM definitions
- policies/security.rego — require firewall=true on vmbr1
- atlantis.yaml — trigger on module file changes
- main.tf — updated host prerequisites comment
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 20:01:38 +01:00
c33bcd2564
fix: disable per-NIC firewall on NAT bridge to fix VM internet
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
The Proxmox per-NIC firewall (bridge-nf-call-iptables) conflicts with
MASQUERADE NAT routing on vmbr0 (bridge without physical uplink).
Security is maintained via NAT isolation + host-level Proxmox firewall.
Also updates OPA security policy to reflect NAT security model.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 14:24:41 +01:00
5155f08584
feat: Add bpg/proxmox provider for bare-metal VM management (Step 4.5)
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
- Enable bpg/proxmox provider (~> 0.90) in production environment
- Add data source to verify Proxmox connectivity (read nodes)
- SOPS-encrypt Proxmox API token (root@pam!tofu)
- Custom Atlantis workflow: decrypt SOPS → inject PROXMOX_VE_API_TOKEN
- Update all OPA policies for bpg resource types:
  - proxmox_vm_qemu → proxmox_virtual_environment_vm
  - proxmox_lxc → proxmox_virtual_environment_container
  - Adjust field paths (cpu[0].cores, memory[0].dedicated, etc.)
  - Firewall check: per-network-device instead of top-level
  - Password check: via after_sensitive for cloud-init
  - Tags: list of strings instead of comma-separated
2026-02-11 08:17:39 +01:00
root
dc15bb8a68
Add OPA/Conftest policies and SOPS config
Policies:
- deny_dangerous: block deletion/replace of stateful resources
- security: enforce firewall and SSH key auth on VMs
- cost_control: limit VM cores (16) and RAM (32GB)
- require_tags: warn on missing environment/managed_by tags
SOPS: age public key configured for secrets encryption.
2026-02-09 06:36:39 +01:00