- Revised CPU and memory specifications for various VMs, moving high-resource workloads from ML110-01 to R630-01 to balance resource allocation. - Updated deployment YAML files to reflect changes in node assignments, CPU counts, and storage types, transitioning to Ceph storage for improved performance. - Enhanced documentation to clarify resource usage and deployment strategies, ensuring efficient utilization of available hardware.
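---
# ProxmoxVM for the phoenix AS4 (B2B messaging) gateway, managed by the
# proxmox.sankofa.nexus provider (Crossplane-style forProvider/providerConfigRef).
# Placement: node r630-01, Ceph-backed disk, bridged on vmbr0, built from the
# Ubuntu 22.04 cloud image.
#
# Notes on the embedded cloud-config (read before editing runcmd):
#   - cloud-init concatenates every runcmd entry into ONE /bin/sh script. An
#     `exit` in any entry aborts all later entries, and bash-only syntax such
#     as {a,b} or {1..30} brace expansion does not work under dash. The
#     original file tripped over both (an `exit 0` on guest-agent success
#     skipped Docker/PostgreSQL/nginx/ufw/SSH setup entirely).
#   - No credentials are stored here: the PostgreSQL password is generated at
#     first boot into a 0600 file and read from there by both the DB setup
#     and the gateway config template.
#   - Only 22/80/443 are opened. The AS4 listener on 8080 is reached through
#     nginx and is deliberately not exposed directly.
#   - SSH is key-only with root login disabled, applied as a sshd_config.d
#     drop-in and validated with `sshd -t` before sshd is restarted.
#   - nginx currently serves plain HTTP only; certbot is installed but the
#     certificate has to be issued once DNS for as4.sankofa.nexus resolves.
apiVersion: proxmox.sankofa.nexus/v1alpha1
kind: ProxmoxVM
metadata:
  name: phoenix-as4-gateway
  namespace: default
  labels:
    tenant.sankofa.nexus/id: "infrastructure"
    environment: "production"
    app: "phoenix"
    component: "as4-gateway"
    service: "b2b"
spec:
  forProvider:
    node: "r630-01"
    name: "phoenix-as4-gateway"
    cpu: 4
    memory: "16Gi"
    disk: "500Gi"
    storage: "ceph-fs"
    network: "vmbr0"
    image: "local:iso/ubuntu-22.04-cloud.img"
    site: "site-2"
    userData: |
      #cloud-config
      # First-boot configuration for the phoenix AS4 gateway VM.

      # Package management
      package_update: true
      package_upgrade: true

      # Time synchronization (NTP). AS4 signatures, receipts and retry
      # windows are timestamp-sensitive, so discipline the clock from boot.
      ntp:
        enabled: true
        ntp_client: chrony
        servers:
          - 0.pool.ntp.org
          - 1.pool.ntp.org
          - 2.pool.ntp.org
          - 3.pool.ntp.org

      # Required packages (installed before runcmd executes)
      packages:
        - qemu-guest-agent
        - curl
        - wget
        - net-tools
        - apt-transport-https
        - ca-certificates
        - gnupg
        - lsb-release
        - chrony
        - unattended-upgrades
        - apt-listchanges
        # AS4 gateway packages
        - docker.io
        - docker-compose
        - openjdk-11-jdk
        - openssl
        - xmlsec1
        - libxml2-utils
        - postgresql
        - postgresql-contrib
        - nginx
        - certbot
        - python3-certbot-nginx
        - ufw

      # User configuration
      users:
        - name: admin
          # NOTE: membership in `docker` is root-equivalent on this host.
          groups: sudo, docker
          shell: /bin/bash
          # No password is provisioned, so sudo must be passwordless for the
          # key-authenticated admin to administer the box at all.
          sudo: "ALL=(ALL) NOPASSWD:ALL"
          # Keep the (never set) password locked; SSH public-key login is
          # unaffected and PasswordAuthentication is disabled below anyway.
          lock_passwd: true
          ssh_authorized_keys:
            - ssh-rsa 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 defi@defi-oracle.io

      # Boot commands - executed in order, as ONE /bin/sh script.
      # Keep every entry POSIX-sh compatible and never `exit` from an entry.
      runcmd:
        # Verify packages are installed
        - |
          echo "=========================================="
          echo "Verifying required packages are installed..."
          echo "=========================================="
          # dpkg-query gives an exact status; `dpkg -l | grep "^ii.*$pkg"` would
          # also accept unrelated packages whose name merely contains $pkg.
          missing=""
          for pkg in qemu-guest-agent curl wget net-tools chrony unattended-upgrades; do
            if dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q "install ok installed"; then
              echo "✅ Package $pkg is installed"
            else
              echo "ERROR: Package $pkg is not installed"
              missing="$missing $pkg"
            fi
          done
          if [ -n "$missing" ]; then
            # Do not exit here: that would abort every later runcmd entry.
            # Retry the install and let the per-service checks below report.
            apt-get update
            apt-get install -y $missing || echo "ERROR: could not install:$missing"
          else
            echo "All required packages verified"
          fi

        # Verify qemu-guest-agent package details
        - |
          echo "=========================================="
          echo "Checking qemu-guest-agent package details..."
          echo "=========================================="
          if dpkg-query -W -f='${Status}' qemu-guest-agent 2>/dev/null | grep -q "install ok installed"; then
            echo "✅ qemu-guest-agent package IS installed"
            dpkg -l qemu-guest-agent
          else
            echo "❌ qemu-guest-agent package is NOT installed"
            echo "Attempting to install..."
            apt-get update
            apt-get install -y qemu-guest-agent
          fi

        # Enable and start QEMU Guest Agent
        - |
          echo "=========================================="
          echo "Enabling and starting QEMU Guest Agent..."
          echo "=========================================="
          systemctl enable qemu-guest-agent
          systemctl start qemu-guest-agent
          echo "QEMU Guest Agent enabled and started"

        # Verify guest agent service is running (no `exit`, no bash braces)
        - |
          echo "=========================================="
          echo "Verifying QEMU Guest Agent service status..."
          echo "=========================================="
          agent_up=0
          i=1
          while [ "$i" -le 30 ]; do
            if systemctl is-active --quiet qemu-guest-agent; then
              agent_up=1
              break
            fi
            echo "Waiting for QEMU Guest Agent to start... ($i/30)"
            sleep 1
            i=$((i + 1))
          done
          if [ "$agent_up" -eq 1 ]; then
            echo "✅ QEMU Guest Agent service IS running"
            systemctl status qemu-guest-agent --no-pager -l || true
          else
            echo "⚠️ WARNING: QEMU Guest Agent may not have started properly"
            systemctl status qemu-guest-agent --no-pager -l || true
            echo "Attempting to restart..."
            systemctl restart qemu-guest-agent
            sleep 3
            if systemctl is-active --quiet qemu-guest-agent; then
              echo "✅ QEMU Guest Agent started after restart"
            else
              echo "❌ QEMU Guest Agent failed to start"
            fi
          fi

        # Configure Docker
        - systemctl enable docker
        - systemctl start docker

        # Configure PostgreSQL
        - systemctl enable postgresql
        - systemctl start postgresql

        # Create AS4 gateway directories
        - |
          # Explicit loop: {config,data,...} brace expansion is a bashism and
          # /bin/sh (dash) would create one directory literally named that.
          for d in config data certificates logs archives trading-partners; do
            mkdir -p "/opt/as4-gateway/$d"
          done
          chown -R admin:admin /opt/as4-gateway
          # certificates/ will hold keystore.jks/truststore.jks (private keys);
          # tighten its mode once the uid the gateway runs as is known.

        # Generate the database password and create the AS4 gateway database.
        # The secret is created on the VM at first boot instead of being
        # committed in this manifest; hex output is safe to embed in SQL/XML.
        - |
          mkdir -p /opt/as4-gateway/config
          ( umask 077; openssl rand -hex 24 > /opt/as4-gateway/config/.db_password )
          chown admin:admin /opt/as4-gateway/config/.db_password
          chmod 0600 /opt/as4-gateway/config/.db_password
          DB_PASS=$(cat /opt/as4-gateway/config/.db_password)
          sudo -u postgres psql -v ON_ERROR_STOP=1 <<EOF
          CREATE DATABASE as4_gateway;
          CREATE USER as4_user WITH PASSWORD '$DB_PASS';
          GRANT ALL PRIVILEGES ON DATABASE as4_gateway TO as4_user;
          EOF

        # Configure Nginx reverse proxy (quoted heredoc: nginx variables are
        # written literally, no shell escaping needed)
        - |
          cat > /etc/nginx/sites-available/as4-gateway <<'EOF'
          server {
              listen 80;
              server_name as4.sankofa.nexus;

              # TODO(review): plain HTTP only. Issue a certificate once DNS
              # resolves: `certbot --nginx -d as4.sankofa.nexus` (adds the
              # 443 server block and an HTTP->HTTPS redirect).
              # AS4 payloads can exceed nginx's 1m default body limit; set
              # client_max_body_size once partner message sizes are known.

              location / {
                  proxy_pass http://127.0.0.1:8080;
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection "upgrade";
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;
              }
          }
          EOF
          ln -sf /etc/nginx/sites-available/as4-gateway /etc/nginx/sites-enabled/
          rm -f /etc/nginx/sites-enabled/default

        # Configure UFW firewall
        - ufw default deny incoming
        - ufw default allow outgoing
        - ufw allow 22/tcp # SSH
        - ufw allow 80/tcp # HTTP (certbot challenge / redirect)
        - ufw allow 443/tcp # HTTPS
        # 8080/tcp is deliberately NOT opened: the AS4 listener is reached only
        # through nginx. Opening it would let partners bypass the reverse proxy
        # (and any TLS terminated there) and talk to the gateway directly.
        - ufw --force enable

        # Enable and start services (validate the nginx config first so a
        # bad site file does not take down the running server)
        - systemctl enable nginx
        - nginx -t && systemctl restart nginx

        # Create AS4 gateway configuration template. The DB password is read
        # from the file generated above so it always matches the role.
        - |
          DB_PASS=$(cat /opt/as4-gateway/config/.db_password)
          cat > /opt/as4-gateway/config/as4-config-template.xml <<EOF
          <?xml version="1.0" encoding="UTF-8"?>
          <as4-config>
            <server>
              <port>8080</port>
              <keystore>/opt/as4-gateway/certificates/keystore.jks</keystore>
              <truststore>/opt/as4-gateway/certificates/truststore.jks</truststore>
            </server>
            <database>
              <url>jdbc:postgresql://localhost:5432/as4_gateway</url>
              <username>as4_user</username>
              <password>$DB_PASS</password>
            </database>
            <messaging>
              <reliability>true</reliability>
              <security>true</security>
              <signing>true</signing>
              <encryption>true</encryption>
            </messaging>
          </as4-config>
          EOF
          # The template now carries the live DB credential: owner-only.
          chown admin:admin /opt/as4-gateway/config/as4-config-template.xml
          chmod 0600 /opt/as4-gateway/config/as4-config-template.xml

        # Configure automatic security updates
        - |
          echo "Configuring automatic security updates..."
          cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
          Unattended-Upgrade::Allowed-Origins {
              "${distro_id}:${distro_codename}-security";
              "${distro_id}ESMApps:${distro_codename}-apps-security";
              "${distro_id}ESM:${distro_codename}-infra-security";
          };
          Unattended-Upgrade::AutoFixInterruptedDpkg "true";
          Unattended-Upgrade::MinimalSteps "true";
          Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
          Unattended-Upgrade::Remove-Unused-Dependencies "true";
          Unattended-Upgrade::Automatic-Reboot "false";
          Unattended-Upgrade::Automatic-Reboot-Time "02:00";
          EOF
          systemctl enable unattended-upgrades
          systemctl start unattended-upgrades
          echo "Automatic security updates configured"

        # Configure NTP (Chrony)
        - |
          echo "Configuring NTP (Chrony)..."
          systemctl enable chrony
          systemctl restart chrony
          sleep 3
          if systemctl is-active --quiet chrony; then
            echo "NTP (Chrony) is running"
            chronyc tracking | head -1 || true
          else
            echo "WARNING: NTP (Chrony) may not be running"
          fi

        # SSH hardening
        - |
          echo "Hardening SSH configuration..."
          # Ubuntu 22.04's sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf"
          # and sshd keeps the FIRST value it reads, so a low-numbered drop-in
          # wins over both other drop-ins and the main file. Editing the main
          # file with sed (the previous approach) could be silently overridden.
          cat > /etc/ssh/sshd_config.d/10-as4-hardening.conf <<'EOF'
          PermitRootLogin no
          PasswordAuthentication no
          PubkeyAuthentication yes
          EOF
          chmod 0644 /etc/ssh/sshd_config.d/10-as4-hardening.conf
          # Validate before restarting so a config error cannot lock us out.
          if sshd -t; then
            systemctl restart ssh
            echo "SSH hardening completed"
          else
            echo "ERROR: sshd configuration invalid; leaving running sshd untouched"
          fi

      # Write files for security configuration
      write_files:
        - path: /etc/apt/apt.conf.d/20auto-upgrades
          content: |
            APT::Periodic::Update-Package-Lists "1";
            APT::Periodic::Download-Upgradeable-Packages "1";
            APT::Periodic::AutocleanInterval "7";
            APT::Periodic::Unattended-Upgrade "1";
          permissions: '0644'
          owner: root:root

      # Final message
      final_message: |
        ==========================================
        phoenix-as4-gateway: cloud-init provisioning complete
        ==========================================
  providerConfigRef:
    name: proxmox-provider-config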
|