129 Commits

Author SHA1 Message Date
26d659362f vm-bot: create vm-201
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-11 21:13:57 +01:00
bd804b2fb1 Merge pull request 'tenant-vm: root login + 4 GB RAM' (#14) from feat/root-login-4gb-ram into main 2026-02-11 21:09:57 +01:00
root
6b818a664e tenant-vm: root login + 4 GB RAM
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
- Username: user → root (SSH as root directly)
- RAM: 2048 → 4096 MB
- cloud-init: disable_root=false, PermitRootLogin yes
- Removed sudo directive (root doesn't need sudo)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 21:08:50 +01:00
be7b2ec73e Merge pull request 'VM Bot: delete vm-201 (user 223747162)' (#13) from vm/delete-223747162 into main 2026-02-11 21:05:10 +01:00
ee30e7c945 vm-bot: delete vm-201
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 5s
1/1 projects applied successfully.
2026-02-11 21:04:44 +01:00
cbbe3fecaf Merge pull request 'VM Bot: create vm-201 for user 223747162' (#12) from vm/create-223747162 into main 2026-02-11 21:02:31 +01:00
d2784a9a95 vm-bot: create vm-201
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 6s
1/1 projects applied successfully.
2026-02-11 21:01:55 +01:00
5cc9744b7f Merge pull request 'feat: VM monitoring infrastructure (node_exporter, FW, specs)' (#11) from feat/vm-monitoring into main 2026-02-11 20:45:01 +01:00
root
e62411e621 feat: VM monitoring + specs update (2048MB/50GB, node_exporter, FW rule)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-11 20:43:44 +01:00
f0971f623e Merge pull request 'fix: cloud-init password auth + remove test VM' (#9) from fix/cloud-init-password into main
Some checks failed
0/0 projects applied successfully.
PR Checks / tofu-checks (pull_request) Failing after 3s
2026-02-11 20:14:29 +01:00
root
545eafde62 fix: cloud-init password auth + remove test VM
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
Cloud-init fixes for Ubuntu 24.04:
- Use plain_text_passwd in users section (chpasswd alone doesn't unlock)
- Override 60-cloudimg-settings.conf (disables PasswordAuthentication)
- Restart sshd after config fix

Also:
- Remove test-tenant VM (verified: SSH, internet, host isolation all OK)
- Fix host prerequisites comment (storage needs images content type)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 20:12:05 +01:00
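The two cloud-init commits above (this fix and the later root-login change) both hinge on how sshd resolves its drop-in directory. The following is an added example, not code from this repository: it emulates OpenSSH's rule that files matched by `Include /etc/ssh/sshd_config.d/*.conf` are read in sorted order and that, for every keyword, the first value obtained wins. Ubuntu cloud images ship `60-cloudimg-settings.conf` with `PasswordAuthentication no`, which is why a drop-in that sorts after it is silently ignored and the fix rewrites that file instead. The file names and contents are constructed for the demonstration.

```python
"""Why the cloud-init fix had to rewrite 60-cloudimg-settings.conf.

Added example, not code from the repository. It emulates two OpenSSH rules:
files pulled in by `Include /etc/ssh/sshd_config.d/*.conf` are read in
lexical (sorted) order, and for each keyword sshd keeps the FIRST value it
obtains. Ubuntu cloud images ship 60-cloudimg-settings.conf containing
`PasswordAuthentication no`, so a drop-in that sorts after it changes
nothing. File names and contents are constructed for the demonstration."""
import re

# Constructed stand-in for the directory cloud-init writes into (name -> text).
UBUNTU_CLOUDIMG_DROPINS = {"60-cloudimg-settings.conf": "PasswordAuthentication no\n"}

# sshd defaults for the two keywords the tenant VM commits touch.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

# "Keyword value" or "Keyword=value", trailing whitespace trimmed.
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*[=\s]\s*(.*?)\s*$")


def parse_sshd_config(text):
    """(keyword, value) pairs in file order; keywords are case-insensitive."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip comments
        if not line.strip():
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError(f"unparseable sshd_config line: {raw!r}")
        pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def resolve(dropins, main_config="Include /etc/ssh/sshd_config.d/*.conf\n"):
    """Effective sshd settings: the first value obtained wins, and Include is
    expanded in place with the matching files in sorted order."""
    effective = {}
    for key, value in parse_sshd_config(main_config):
        if key == "include":
            for name in sorted(dropins):       # glob() results are sorted
                for k, v in parse_sshd_config(dropins[name]):
                    effective.setdefault(k, v)  # keep the first value only
        else:
            effective.setdefault(key, value)
    return {**DEFAULTS, **effective}


def effective_with(extra_dropins):
    """Settings after cloud-init adds `extra_dropins` to a stock Ubuntu image.
    A drop-in named like an existing file replaces it, as write_files would."""
    return resolve({**UBUNTU_CLOUDIMG_DROPINS, **extra_dropins})


if __name__ == "__main__":
    cases = {
        "70-tenant.conf sorts after 60 -> ignored":
            {"70-tenant.conf": "PasswordAuthentication yes\n"},
        "50-tenant.conf sorts before 60 -> wins":
            {"50-tenant.conf": "PasswordAuthentication yes\n"},
        "rewrite 60-cloudimg-settings.conf (what the fix does)":
            {"60-cloudimg-settings.conf": "PasswordAuthentication yes\nPermitRootLogin yes\n"},
    }
    for label, dropins in cases.items():
        eff = effective_with(dropins)
        print(f"{label}: PasswordAuthentication={eff['passwordauthentication']} "
              f"PermitRootLogin={eff['permitrootlogin']}")
```

Whichever file is written, the new value only takes effect after the restart the commit performs; running `sshd -t` before that restart catches a malformed drop-in without locking yourself out.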
443f5813ec Merge pull request 'feat: tenant VM module for VM-as-a-Service (Step 5.2)' (#8) from feature/tenant-vm-module into main 2026-02-11 20:06:11 +01:00
root
74eeabb354 feat: add tenant VM module for VM-as-a-Service (Step 5.2)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
Reusable OpenTofu module for creating isolated tenant VMs with:
- Public IP on vmbr1 (bridged, firewall=true)
- Cloud-init: password auth, fail2ban, UFW hardening
- Per-VM Proxmox firewall (IN: SSH+ICMP, OUT: allow, block SMTP)

Includes test-tenant VM (185.47.204.227) for verification.

Changes:
- modules/tenant-vm/ — reusable module (VM + FW + cloud-init)
- environments/production/tenant-vms.tf — tenant VM definitions
- policies/security.rego — require firewall=true on vmbr1
- atlantis.yaml — trigger on module file changes
- main.tf — updated host prerequisites comment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 20:01:38 +01:00
root
f227620b8b fix: update Proxmox endpoint to new IP 185.47.204.226
Server bare_srv_1 migrated from 217.168.244.244 to 185.47.204.226
(dedicated /28 subnet on VLAN 1742). Old IP is no longer reachable.
Emergency fix — Atlantis cannot function until endpoint is updated.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 19:26:21 +01:00
1e52ac935b Merge pull request 'Manage cloud image via IaC (download_file resource)' (#7) from feature/cloud-image-iac into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 31s
2026-02-11 15:29:45 +01:00
5ff3190bea fix: set overwrite_unmanaged=true to adopt existing cloud image
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
File was manually downloaded before IaC. overwrite_unmanaged allows
OpenTofu to take ownership of the existing file.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 15:26:38 +01:00
a615ad5be4 fix: use depends_on instead of direct file_id reference
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
0/1 projects applied successfully.
file_id forces VM replacement when changed. Using depends_on +
hardcoded path keeps the image managed by IaC without destroying VM.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 15:24:59 +01:00
12c301e59b refactor: manage cloud image via IaC instead of manual wget
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
0/0 projects policies checked successfully.
- Add proxmox_virtual_environment_download_file for Ubuntu 24.04 cloud image
- VM disk references managed resource instead of hardcoded path
- Document host prerequisites (NAT, sysctl) that can't be in IaC
  (Proxmox API limitation — bpg/proxmox #1454)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 15:23:16 +01:00
8c67bdfbb3 Merge pull request 'feat: First VM — test-vm-01 Ubuntu 24.04 (Step 4.6)' (#6) from feature/test-vm-01 into main 2026-02-11 14:28:23 +01:00
c33bcd2564 fix: disable per-NIC firewall on NAT bridge to fix VM internet
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
The Proxmox per-NIC firewall (bridge-nf-call-iptables) conflicts with
MASQUERADE NAT routing on vmbr0 (bridge without physical uplink).
Security is maintained via NAT isolation + host-level Proxmox firewall.

Also updates OPA security policy to reflect NAT security model.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 14:24:41 +01:00
1c7258d13a fix: Add SSH config for Proxmox disk operations
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
bpg/proxmox provider requires SSH access to import cloud images.
SSH key mounted at /secrets/ssh-key in Atlantis container.
2026-02-11 13:55:55 +01:00
69e2e15017 feat: Add test-vm-01 Ubuntu 24.04 via cloud-init (Step 4.6)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
0/1 projects applied successfully.
- proxmox_virtual_environment_vm: 2 vCPU, 2 GB RAM, 20 GB disk
- Cloud image: ubuntu-24.04-cloudimg-amd64.img (qcow2)
- Network: vmbr0, static IP 10.10.10.100/24, NAT via host
- Cloud-init: SSH key (control VPS), user ubuntu, DNS 8.8.8.8
- Firewall enabled on NIC, tags: test/tofu/ubuntu
2026-02-11 13:14:07 +01:00
79279f0c23 Merge pull request 'feat: Add bpg/proxmox provider (Step 4.5)' (#5) from feature/proxmox-provider into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 2s
2026-02-11 08:23:21 +01:00
5155f08584 feat: Add bpg/proxmox provider for bare-metal VM management (Step 4.5)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
- Enable bpg/proxmox provider (~> 0.90) in production environment
- Add data source to verify Proxmox connectivity (read nodes)
- SOPS-encrypt Proxmox API token (root@pam!tofu)
- Custom Atlantis workflow: decrypt SOPS → inject PROXMOX_VE_API_TOKEN
- Update all OPA policies for bpg resource types:
  - proxmox_vm_qemu → proxmox_virtual_environment_vm
  - proxmox_lxc → proxmox_virtual_environment_container
  - Adjust field paths (cpu[0].cores, memory[0].dedicated, etc.)
  - Firewall check: per-network-device instead of top-level
  - Password check: via after_sensitive for cloud-init
  - Tags: list of strings instead of comma-separated
2026-02-11 08:17:39 +01:00
root
f26e327de7 Add drift detection workflow (every 6h)
Some checks failed
Drift Detection / detect-drift (push) Failing after 2s
2026-02-09 09:15:11 +01:00
root
42413ac276 Add CI workflow for PR checks
Workflow runs on pull_request to main:
- tofu fmt -check
- tofu init -backend=false + validate
- conftest verify (policy syntax)
- conftest test (policy against plan)
2026-02-09 06:48:09 +01:00
root
dc15bb8a68 Add OPA/Conftest policies and SOPS config
Policies:
- deny_dangerous: block deletion/replace of stateful resources
- security: enforce firewall and SSH key auth on VMs
- cost_control: limit VM cores (16) and RAM (32GB)
- require_tags: warn on missing environment/managed_by tags

SOPS: age public key configured for secrets encryption.
2026-02-09 06:36:39 +01:00
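The policy commit above, together with the later bpg provider update (field paths `cpu[0].cores`, `memory[0].dedicated`, per-NIC firewall, password detected via `after_sensitive`) and the tenant-VM commit that requires `firewall=true` on `vmbr1`, describe four checks that run against the plan JSON in CI. The block below is an added example that re-implements those checks in Python so they can be read and exercised offline; it is not the project's own Rego. The plan input is constructed to resemble `tofu show -json` output, and the set of "stateful" resource types and the literal tag names in `REQUIRED_TAGS` are assumptions about how the real policies define them.

```python
"""Re-implementation in Python of the four policy checks this repo keeps in
Rego (deny_dangerous, security, cost_control, require_tags), run over a
constructed OpenTofu plan JSON. Added example; the project's own policies
are the .rego files, not this file. Field paths follow the bpg provider
update commit: cpu[0].cores, memory[0].dedicated, per-NIC firewall, and a
cloud-init password detected through after_sensitive. STATEFUL_TYPES and
REQUIRED_TAGS are assumptions about how the Rego defines them."""
import json

STATEFUL_TYPES = {"proxmox_virtual_environment_vm",
                  "proxmox_virtual_environment_container"}   # assumption
MAX_CORES, MAX_RAM_MB = 16, 32 * 1024                        # cost_control limits from the commit
REQUIRED_TAGS = {"environment", "managed_by"}                # assumption: tags are plain strings


def _first(blocks, key, default=None):
    """Nested blocks are lists of objects in plan JSON; read `key` from the first."""
    return blocks[0].get(key, default) if blocks and isinstance(blocks[0], dict) else default


def check_dangerous(rc):
    """deny_dangerous: a stateful resource must not be deleted or replaced."""
    actions = set(rc["change"]["actions"])
    if rc["type"] in STATEFUL_TYPES and "delete" in actions:
        verb = "replaced" if "create" in actions else "deleted"
        return [f"{rc['address']}: stateful resource would be {verb}"]
    return []


def check_security(rc):
    """security: firewall=true on every vmbr1 NIC, no cloud-init password."""
    if rc["type"] != "proxmox_virtual_environment_vm":
        return []
    after = rc["change"].get("after") or {}
    sensitive = rc["change"].get("after_sensitive") or {}
    out = []
    for i, nic in enumerate(after.get("network_device") or []):
        if nic.get("bridge") == "vmbr1" and not nic.get("firewall"):
            out.append(f"{rc['address']}: network_device[{i}] on vmbr1 without firewall=true")
    # The password attribute is sensitive, so a set password shows up as
    # `true` at the same path in the after_sensitive tree.
    accounts = _first(sensitive.get("initialization") or [], "user_account") or []
    if any(isinstance(a, dict) and a.get("password") for a in accounts):
        out.append(f"{rc['address']}: cloud-init user_account sets a password; use SSH keys")
    return out


def check_cost(rc):
    """cost_control: cap cores at 16 and RAM at 32 GB."""
    after = rc["change"].get("after")
    if rc["type"] != "proxmox_virtual_environment_vm" or not after:
        return []
    out = []
    cores = _first(after.get("cpu") or [], "cores", 1)
    ram = _first(after.get("memory") or [], "dedicated", 512)
    if cores > MAX_CORES:
        out.append(f"{rc['address']}: {cores} cores exceeds {MAX_CORES}")
    if ram > MAX_RAM_MB:
        out.append(f"{rc['address']}: {ram} MB RAM exceeds {MAX_RAM_MB}")
    return out


def check_tags(rc):
    """require_tags: warn (not deny) when required tags are missing."""
    after = rc["change"].get("after")
    if rc["type"] not in STATEFUL_TYPES or not after:
        return []
    missing = REQUIRED_TAGS - set(after.get("tags") or [])
    return [f"{rc['address']}: missing tags {sorted(missing)}"] if missing else []


def evaluate(plan):
    """Return {'deny': [...], 'warn': [...]} for a `tofu show -json` plan."""
    findings = {"deny": [], "warn": []}
    for rc in plan.get("resource_changes", []):
        findings["deny"] += check_dangerous(rc) + check_security(rc) + check_cost(rc)
        findings["warn"] += check_tags(rc)
    return findings


# Constructed plan: one compliant tenant VM, one that trips every deny rule,
# and a container deletion.
SAMPLE_PLAN = {"resource_changes": [
    {"address": 'module.tenant_vm["vm-201"].proxmox_virtual_environment_vm.this',
     "type": "proxmox_virtual_environment_vm",
     "change": {"actions": ["create"],
                "after": {"cpu": [{"cores": 2}], "memory": [{"dedicated": 4096}],
                          "network_device": [{"bridge": "vmbr1", "firewall": True}],
                          "initialization": [{"user_account": [{"username": "ubuntu",
                                              "keys": ["ssh-ed25519 AAAAC3...constructed"]}]}],
                          "tags": ["environment", "managed_by", "tofu"]},
                "after_sensitive": {"initialization": [{"user_account": [{}]}]}}},
    {"address": "proxmox_virtual_environment_vm.big_box",
     "type": "proxmox_virtual_environment_vm",
     "change": {"actions": ["create"],
                "after": {"cpu": [{"cores": 32}], "memory": [{"dedicated": 65536}],
                          "network_device": [{"bridge": "vmbr1", "firewall": False}],
                          "initialization": [{"user_account": [{"username": "root",
                                              "password": "constructed-placeholder"}]}],
                          "tags": ["test"]},
                "after_sensitive": {"initialization": [{"user_account": [{"password": True}]}]}}},
    {"address": "proxmox_virtual_environment_container.legacy",
     "type": "proxmox_virtual_environment_container",
     "change": {"actions": ["delete"], "after": None, "after_sensitive": False}},
]}

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_PLAN), indent=2))
```

Reading the password flag from `after_sensitive` rather than `after` is what lets the check work without ever handling the secret itself; the same trick applies to any provider attribute marked sensitive in its schema.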
80c1d6f624 Initial infrastructure repo structure
- environments/production/main.tf: S3 backend (MinIO), Proxmox provider (commented, ready for bare-metal)
- environments/production/variables.tf: Variable stubs for Proxmox
- atlantis.yaml: Repo-level config (autoplan on .tf changes, require approval)
- .gitignore: Terraform/OpenTofu patterns
- modules/: Empty, ready for reusable modules

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 05:39:52 +01:00
78e026a226 Initial commit 2026-02-08 23:32:37 +01:00