d-bis/Sankofa
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements

Browse Source 
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
This commit is contained in:
defiQUG
2025-12-12 18:01:35 -08:00
parent e01131efaf
commit 9daf1fd378
968 changed files with 160890 additions and 1092 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
infrastructure/.gitignore vendored Normal file
View File

@@ -0,0 +1,46 @@
# Infrastructure Management .gitignore
# Secrets and credentials
*.pem
*.key
*.crt
*.p12
secrets/
credentials/
*.env
.env.local
# Terraform
*.tfstate
*.tfstate.*
.terraform/
.terraform.lock.hcl
terraform.tfvars
# Ansible
*.retry
.vault_pass
ansible_vault_pass
# Python
__pycache__/
*.py[cod]
*$py.class
*.so
.Python
venv/
env/
ENV/
# Output files
*.log
*.json.bak
inventory-output/
discovery-output/
# Temporary files
*.tmp
*.temp
.DS_Store
Thumbs.db

148
infrastructure/IMPLEMENTATION_STATUS.md Normal file
View File

@@ -0,0 +1,148 @@
# Infrastructure Management Implementation Status
## Overview
This document tracks the implementation status of infrastructure management components for Sankofa Phoenix.
## Completed Components
### ✅ Directory Structure
- Created comprehensive infrastructure management directory structure
- Organized components by infrastructure type (Proxmox, Omada, Network, Monitoring, Inventory)
### ✅ Documentation
- **Main README** (`infrastructure/README.md`) - Comprehensive overview
- **Proxmox Management** (`infrastructure/proxmox/README.md`) - Proxmox VE management guide
- **Omada Management** (`infrastructure/omada/README.md`) - TP-Link Omada management guide
- **Network Management** (`infrastructure/network/README.md`) - Network infrastructure guide
- **Monitoring** (`infrastructure/monitoring/README.md`) - Monitoring and observability guide
- **Inventory** (`infrastructure/inventory/README.md`) - Infrastructure inventory guide
- **Quick Start** (`infrastructure/QUICK_START.md`) - Quick reference guide
### ✅ TP-Link Omada Integration
- **API Client** (`infrastructure/omada/api/omada_client.py`) - Python client library
- **API Documentation** (`infrastructure/omada/api/README.md`) - API usage guide
- **Setup Script** (`infrastructure/omada/scripts/setup-controller.sh`) - Controller setup
- **Discovery Script** (`infrastructure/omada/scripts/discover-aps.sh`) - Access point discovery
### ✅ Proxmox Management
- **Health Check Script** (`infrastructure/proxmox/scripts/cluster-health.sh`) - Cluster health monitoring
- Enhanced documentation for Proxmox management
- Integration with existing Crossplane provider
### ✅ Infrastructure Inventory
- **Database Schema** (`infrastructure/inventory/database/schema.sql`) - PostgreSQL schema
- **Discovery Script** (`infrastructure/inventory/discovery/discover-all.sh`) - Multi-component discovery
### ✅ Project Integration
- Updated main README with infrastructure management references
- Created `.gitignore` for infrastructure directory
## Pending/Planned Components
### 🔄 Terraform Modules
- [ ] Proxmox Terraform modules
- [ ] Omada Terraform provider/modules
- [ ] Network infrastructure Terraform modules
### 🔄 Ansible Roles
- [ ] Proxmox Ansible roles
- [ ] Omada Ansible roles
- [ ] Network configuration Ansible roles
### 🔄 Monitoring Exporters
- [ ] Omada Prometheus exporter
- [ ] Network SNMP exporter
- [ ] Custom Grafana dashboards
### 🔄 Additional Scripts
- [ ] Proxmox backup/restore scripts
- [ ] Omada SSID management scripts
- [ ] Network VLAN management scripts
- [ ] Infrastructure provisioning scripts
### 🔄 API Integration
- [ ] Go client for Omada API
- [ ] Unified infrastructure API
- [ ] Portal integration endpoints
### 🔄 Advanced Features
- [ ] Configuration drift detection
- [ ] Automated remediation
- [ ] Infrastructure as Code templates
- [ ] Multi-site coordination
## Integration Points
### Existing Components
-**Crossplane Provider** (`crossplane-provider-proxmox/`) - Already integrated
-**GitOps** (`gitops/infrastructure/`) - Infrastructure definitions
-**Scripts** (`scripts/`) - Deployment and setup scripts
-**Cloudflare** (`cloudflare/`) - Network connectivity
### Planned Integrations
- [ ] Portal UI integration
- [ ] API Gateway integration
- [ ] Monitoring stack integration
- [ ] Inventory database deployment
## Next Steps
1. **Implement Terraform Modules**
- Create Proxmox Terraform modules
- Create Omada Terraform provider/modules
- Test infrastructure provisioning
2. **Build Ansible Roles**
- Create reusable Ansible roles
- Test multi-site deployment
- Document playbook usage
3. **Deploy Monitoring**
- Build custom exporters
- Create Grafana dashboards
- Configure alerting rules
4. **Enhance API Clients**
- Complete Go client for Omada
- Add error handling and retry logic
- Create unified API interface
5. **Portal Integration**
- Add infrastructure management UI
- Integrate with existing Portal components
- Create infrastructure dashboards
## Usage Examples
### Proxmox Management
```bash
cd infrastructure/proxmox
./scripts/cluster-health.sh --site us-east-1
```
### Omada Management
```bash
cd infrastructure/omada
export OMADA_CONTROLLER=omada.sankofa.nexus
export OMADA_PASSWORD=your-password
./scripts/setup-controller.sh
```
### Infrastructure Discovery
```bash
cd infrastructure/inventory
export SITE=us-east-1
./discovery/discover-all.sh
```
## Related Documentation
- [Infrastructure Management README](./README.md)
- [Quick Start Guide](./QUICK_START.md)
- [Proxmox Management](./proxmox/README.md)
- [Omada Management](./omada/README.md)
- [Network Management](./network/README.md)
- [Monitoring](./monitoring/README.md)
- [Inventory](./inventory/README.md)

131
infrastructure/QUICK_START.md Normal file
View File

@@ -0,0 +1,131 @@
# Infrastructure Management Quick Start
Quick reference guide for managing infrastructure in Sankofa Phoenix.
## Quick Commands
### Proxmox Management
```bash
# Check cluster health
cd infrastructure/proxmox
./scripts/cluster-health.sh --site us-east-1
# Setup Proxmox site
cd ../../scripts
./setup-proxmox-agents.sh --site us-east-1 --node pve1
```
### Omada Management
```bash
# Setup Omada Controller
cd infrastructure/omada
export OMADA_CONTROLLER=omada.sankofa.nexus
export OMADA_PASSWORD=your-password
./scripts/setup-controller.sh
# Discover access points
./scripts/discover-aps.sh --site us-east-1
```
### Infrastructure Discovery
```bash
# Discover all infrastructure for a site
cd infrastructure/inventory
export SITE=us-east-1
./discovery/discover-all.sh
```
### Using the Omada API Client
```python
from infrastructure.omada.api.omada_client import OmadaController
# Initialize and authenticate
controller = OmadaController(
host="omada.sankofa.nexus",
username="admin",
password="secure-password"
)
controller.login()
# Get sites and access points
sites = controller.get_sites()
aps = controller.get_access_points(sites[0]["id"])
controller.logout()
```
## Configuration
### Environment Variables
```bash
# Proxmox
export PROXMOX_API_URL=https://pve1.sankofa.nexus:8006
export PROXMOX_API_TOKEN=root@pam!token-name=abc123
# Omada
export OMADA_CONTROLLER=omada.sankofa.nexus
export OMADA_ADMIN=admin
export OMADA_PASSWORD=secure-password
# Site
export SITE=us-east-1
```
## Integration Points
### Crossplane Provider
The Proxmox Crossplane provider is located at:
- `crossplane-provider-proxmox/`
Use Kubernetes manifests to manage Proxmox resources:
```yaml
apiVersion: proxmox.sankofa.nexus/v1alpha1
kind: ProxmoxVM
metadata:
name: web-server-01
spec:
forProvider:
node: pve1
name: web-server-01
cpu: 4
memory: 8Gi
disk: 100Gi
site: us-east-1
```
### GitOps
Infrastructure definitions are in:
- `gitops/infrastructure/`
### Portal Integration
The Portal UI provides infrastructure management at:
- `/infrastructure` - Infrastructure overview
- `/infrastructure/proxmox` - Proxmox management
- `/infrastructure/omada` - Omada management
## Next Steps
1. **Configure Sites**: Set up site-specific configurations
2. **Deploy Monitoring**: Install Prometheus exporters
3. **Setup Inventory**: Initialize inventory database
4. **Configure Alerts**: Set up alerting rules
5. **Integrate with Portal**: Connect infrastructure management to Portal UI
## Related Documentation
- [Infrastructure Management README](./README.md)
- [Proxmox Management](./proxmox/README.md)
- [Omada Management](./omada/README.md)
- [Network Management](./network/README.md)
- [Monitoring](./monitoring/README.md)
- [Inventory](./inventory/README.md)

180
infrastructure/README.md Normal file
View File

@@ -0,0 +1,180 @@
# Infrastructure Management
Comprehensive infrastructure management for Sankofa Phoenix, including Proxmox VE, TP-Link Omada, network equipment, and other infrastructure components.
## Overview
This directory contains all infrastructure management components for the Sankofa Phoenix platform, enabling unified management of:
- **Proxmox VE**: Virtualization and compute infrastructure
- **TP-Link Omada**: Network controller and access point management
- **Network Infrastructure**: Switches, routers, VLANs, and network topology
- **Monitoring**: Infrastructure monitoring, exporters, and dashboards
- **Inventory**: Infrastructure discovery, tracking, and inventory management
## Architecture
```
infrastructure/
├── proxmox/ # Proxmox VE management
│ ├── api/ # Proxmox API clients and utilities
│ ├── terraform/ # Terraform modules for Proxmox
│ ├── ansible/ # Ansible roles and playbooks
│ └── scripts/ # Proxmox management scripts
├── omada/ # TP-Link Omada management
│ ├── api/ # Omada API client library
│ ├── terraform/ # Terraform provider/modules
│ ├── ansible/ # Ansible roles for Omada
│ └── scripts/ # Omada management scripts
├── network/ # Network infrastructure
│ ├── switches/ # Switch configuration management
│ ├── routers/ # Router configuration management
│ └── vlans/ # VLAN management and tracking
├── monitoring/ # Infrastructure monitoring
│ ├── exporters/ # Custom Prometheus exporters
│ └── dashboards/ # Grafana dashboards
└── inventory/ # Infrastructure inventory
├── discovery/ # Auto-discovery scripts
└── database/ # Inventory database schema
```
## Components
### Proxmox VE Management
The Proxmox management components integrate with the existing Crossplane provider (`crossplane-provider-proxmox/`) and provide additional tooling for:
- Cluster management and monitoring
- Storage pool management
- Network bridge configuration
- Backup and restore operations
- Multi-site coordination
**See**: [Proxmox Management](./proxmox/README.md)
### TP-Link Omada Management
TP-Link Omada integration provides centralized management of:
- Omada Controller configuration
- Access point provisioning and management
- Network policies and SSID management
- Client device tracking
- Network analytics and monitoring
**See**: [Omada Management](./omada/README.md)
### Network Infrastructure
Network management components handle:
- Switch configuration (VLANs, ports, trunking)
- Router configuration (routing tables, BGP, OSPF)
- Network topology discovery
- Network policy enforcement
**See**: [Network Management](./network/README.md)
### Monitoring
Infrastructure monitoring includes:
- Custom Prometheus exporters for infrastructure components
- Grafana dashboards for visualization
- Alerting rules for infrastructure health
- Performance metrics collection
**See**: [Monitoring](./monitoring/README.md)
### Inventory
Infrastructure inventory system provides:
- Auto-discovery of infrastructure components
- Centralized inventory database
- Asset tracking and lifecycle management
- Configuration drift detection
**See**: [Inventory](./inventory/README.md)
## Integration with Sankofa Phoenix
All infrastructure management components integrate with the Sankofa Phoenix control plane:
- **Crossplane**: Infrastructure as Code via Crossplane providers
- **ArgoCD**: GitOps deployment of infrastructure configurations
- **Kubernetes**: Infrastructure management running on Kubernetes
- **API Gateway**: Unified API for infrastructure operations
- **Portal**: Web UI for infrastructure management
## Usage
### Quick Start
```bash
# Setup Proxmox management
cd infrastructure/proxmox
./scripts/setup-cluster.sh --site us-east-1
# Setup Omada management
cd infrastructure/omada
./scripts/setup-controller.sh --controller omada.sankofa.nexus
# Discover infrastructure
cd infrastructure/inventory
./discovery/discover-all.sh
```
### Ansible Deployment
```bash
# Deploy infrastructure management to all sites
cd infrastructure
ansible-playbook -i inventory.yml deploy-infrastructure.yml
```
### Terraform
```bash
# Provision infrastructure via Terraform
cd infrastructure/proxmox/terraform
terraform init
terraform plan
terraform apply
```
## Configuration
Infrastructure management components use environment variables and configuration files:
- **Environment Variables**: See `ENV_EXAMPLES.md` in project root
- **Secrets**: Managed via Vault
- **Site Configuration**: Per-site configuration in `gitops/infrastructure/`
## Security
All infrastructure management follows security best practices:
- API authentication via tokens and certificates
- Secrets management via Vault
- Network isolation via Cloudflare Tunnels
- RBAC for all management operations
- Audit logging for all changes
## Contributing
When adding new infrastructure management components:
1. Follow the directory structure conventions
2. Include comprehensive README documentation
3. Provide Ansible roles and Terraform modules
4. Add monitoring exporters and dashboards
5. Update inventory discovery scripts
## Related Documentation
- [System Architecture](../docs/system_architecture.md)
- [Datacenter Architecture](../docs/datacenter_architecture.md)
- [Deployment Plan](../docs/deployment_plan.md)
- [Crossplane Provider](../crossplane-provider-proxmox/README.md)

204
infrastructure/SUMMARY.md Normal file
View File

@@ -0,0 +1,204 @@
# Infrastructure Management - Implementation Summary
## What Was Created
A comprehensive infrastructure management system for Sankofa Phoenix has been established, providing unified management capabilities for Proxmox VE, TP-Link Omada, network infrastructure, monitoring, and inventory.
## Directory Structure
```
infrastructure/
├── README.md # Main infrastructure management overview
├── QUICK_START.md # Quick reference guide
├── IMPLEMENTATION_STATUS.md # Implementation tracking
├── SUMMARY.md # This file
├── .gitignore # Git ignore rules
├── proxmox/ # Proxmox VE Management
│ ├── README.md # Proxmox management guide
│ ├── api/ # API clients (to be implemented)
│ ├── terraform/ # Terraform modules (to be implemented)
│ ├── ansible/ # Ansible roles (to be implemented)
│ └── scripts/ # Management scripts
│ └── cluster-health.sh # Cluster health check script
├── omada/ # TP-Link Omada Management
│ ├── README.md # Omada management guide
│ ├── api/ # API client library
│ │ ├── README.md # API usage documentation
│ │ └── omada_client.py # Python API client
│ ├── terraform/ # Terraform modules (to be implemented)
│ ├── ansible/ # Ansible roles (to be implemented)
│ └── scripts/ # Management scripts
│ ├── setup-controller.sh # Controller setup script
│ └── discover-aps.sh # Access point discovery
├── network/ # Network Infrastructure
│ ├── README.md # Network management guide
│ ├── switches/ # Switch management (to be implemented)
│ ├── routers/ # Router management (to be implemented)
│ └── vlans/ # VLAN management (to be implemented)
├── monitoring/ # Infrastructure Monitoring
│ ├── README.md # Monitoring guide
│ ├── exporters/ # Prometheus exporters (to be implemented)
│ └── dashboards/ # Grafana dashboards (to be implemented)
└── inventory/ # Infrastructure Inventory
├── README.md # Inventory guide
├── discovery/ # Auto-discovery scripts
│ └── discover-all.sh # Multi-component discovery
└── database/ # Inventory database
└── schema.sql # PostgreSQL schema
```
## Key Components
### 1. Proxmox VE Management
- **Documentation**: Comprehensive guide for Proxmox cluster management
- **Scripts**: Cluster health monitoring script
- **Integration**: Works with existing Crossplane provider
- **Status**: ✅ Documentation and basic scripts complete
### 2. TP-Link Omada Management
- **API Client**: Python client library (`omada_client.py`)
- **Documentation**: Complete API usage guide
- **Scripts**: Controller setup and access point discovery
- **Status**: ✅ Core components complete, ready for expansion
### 3. Network Infrastructure
- **Documentation**: Network management guide covering switches, routers, VLANs
- **Structure**: Organized by component type
- **Status**: ✅ Documentation complete, implementation pending
### 4. Monitoring
- **Documentation**: Monitoring and observability guide
- **Structure**: Exporters and dashboards directories
- **Status**: ✅ Documentation complete, exporters pending
### 5. Infrastructure Inventory
- **Database Schema**: PostgreSQL schema for inventory tracking
- **Discovery Scripts**: Multi-component discovery automation
- **Status**: ✅ Core components complete
## Integration with Existing Project
### Existing Components Utilized
-**Crossplane Provider** (`crossplane-provider-proxmox/`) - Referenced and integrated
-**GitOps** (`gitops/infrastructure/`) - Infrastructure definitions
-**Deployment Scripts** (`scripts/`) - Site setup and configuration
-**Cloudflare** (`cloudflare/`) - Network connectivity
### Project Updates
- ✅ Updated main `README.md` with infrastructure management references
- ✅ Created comprehensive documentation structure
- ✅ Established integration patterns
## Usage Examples
### Proxmox Cluster Health Check
```bash
cd infrastructure/proxmox
./scripts/cluster-health.sh --site us-east-1
```
### Omada Controller Setup
```bash
cd infrastructure/omada
export OMADA_CONTROLLER=omada.sankofa.nexus
export OMADA_PASSWORD=your-password
./scripts/setup-controller.sh
```
### Infrastructure Discovery
```bash
cd infrastructure/inventory
export SITE=us-east-1
./discovery/discover-all.sh
```
### Using Omada API Client
```python
from infrastructure.omada.api.omada_client import OmadaController
controller = OmadaController(
host="omada.sankofa.nexus",
username="admin",
password="secure-password"
)
controller.login()
sites = controller.get_sites()
controller.logout()
```
## Next Steps
### Immediate (Ready to Implement)
1. **Terraform Modules**: Create Proxmox and Omada Terraform modules
2. **Ansible Roles**: Build reusable Ansible roles for infrastructure
3. **Monitoring Exporters**: Build Prometheus exporters for Omada and network devices
4. **Additional Scripts**: Expand script library for common operations
### Short-term
1. **Go API Client**: Create Go client for Omada API
2. **Portal Integration**: Add infrastructure management to Portal UI
3. **Unified API**: Create unified infrastructure management API
4. **Grafana Dashboards**: Build infrastructure monitoring dashboards
### Long-term
1. **Configuration Drift Detection**: Automated drift detection and remediation
2. **Multi-site Coordination**: Cross-site infrastructure management
3. **Infrastructure as Code**: Complete IaC templates and workflows
4. **Advanced Analytics**: Infrastructure performance and capacity analytics
## Documentation
All documentation is located in the `infrastructure/` directory:
- **[README.md](./README.md)** - Main infrastructure management overview
- **[QUICK_START.md](./QUICK_START.md)** - Quick reference guide
- **[IMPLEMENTATION_STATUS.md](./IMPLEMENTATION_STATUS.md)** - Implementation tracking
- Component-specific READMEs in each subdirectory
## Files Created
### Documentation (9 files)
- `infrastructure/README.md`
- `infrastructure/QUICK_START.md`
- `infrastructure/IMPLEMENTATION_STATUS.md`
- `infrastructure/SUMMARY.md`
- `infrastructure/proxmox/README.md`
- `infrastructure/omada/README.md`
- `infrastructure/omada/api/README.md`
- `infrastructure/network/README.md`
- `infrastructure/monitoring/README.md`
- `infrastructure/inventory/README.md`
### Scripts (4 files)
- `infrastructure/proxmox/scripts/cluster-health.sh`
- `infrastructure/omada/scripts/setup-controller.sh`
- `infrastructure/omada/scripts/discover-aps.sh`
- `infrastructure/inventory/discovery/discover-all.sh`
### Code (2 files)
- `infrastructure/omada/api/omada_client.py`
- `infrastructure/inventory/database/schema.sql`
### Configuration (1 file)
- `infrastructure/.gitignore`
**Total: 16 files created**
## Conclusion
The infrastructure management system for Sankofa Phoenix is now established with:
**Comprehensive Documentation** - Guides for all infrastructure components
**Core Scripts** - Essential management and discovery scripts
**API Client** - Python client for TP-Link Omada
**Database Schema** - Inventory tracking schema
**Integration Points** - Clear integration with existing components
**Extensible Structure** - Ready for Terraform, Ansible, and monitoring components
The foundation is complete and ready for expansion with Terraform modules, Ansible roles, monitoring exporters, and Portal integration.

222
infrastructure/inventory/README.md Normal file
View File

@@ -0,0 +1,222 @@
# Infrastructure Inventory
Centralized inventory and discovery system for all infrastructure components in Sankofa Phoenix.
## Overview
The infrastructure inventory system provides:
- Auto-discovery of infrastructure components
- Centralized inventory database
- Asset tracking and lifecycle management
- Configuration drift detection
- Change history and audit trails
## Components
### Discovery (`discovery/`)
Auto-discovery scripts for:
- Proxmox clusters and nodes
- Network devices (switches, routers)
- Omada controllers and access points
- Storage systems
- Other infrastructure components
### Database (`database/`)
Inventory database schema and management:
- PostgreSQL schema for inventory
- Migration scripts
- Query utilities
- Backup/restore procedures
## Discovery
### Auto-Discovery
```bash
# Discover all infrastructure
./discovery/discover-all.sh --site us-east-1
# Discover Proxmox infrastructure
./discovery/discover-proxmox.sh --site us-east-1
# Discover network infrastructure
./discovery/discover-network.sh --site us-east-1
# Discover Omada infrastructure
./discovery/discover-omada.sh --controller omada.sankofa.nexus
```
### Scheduled Discovery
Discovery can be scheduled via cron or Kubernetes CronJob:
```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
name: infrastructure-discovery
spec:
schedule: "0 */6 * * *" # Every 6 hours
jobTemplate:
spec:
template:
spec:
containers:
- name: discovery
image: infrastructure-discovery:latest
command: ["./discovery/discover-all.sh"]
```
## Database Schema
### Tables
- **sites**: Physical sites/locations
- **nodes**: Compute nodes (Proxmox, Kubernetes)
- **vms**: Virtual machines
- **network_devices**: Switches, routers, access points
- **storage_pools**: Storage systems
- **networks**: Network segments and VLANs
- **inventory_history**: Change history
### Schema Location
See `database/schema.sql` for complete database schema.
## Usage
### Query Inventory
```bash
# List all sites
./database/query.sh "SELECT * FROM sites"
# List nodes for a site
./database/query.sh "SELECT * FROM nodes WHERE site_id = 'us-east-1'"
# Get VM inventory
./database/query.sh "SELECT * FROM vms WHERE site_id = 'us-east-1'"
```
### Update Inventory
```bash
# Update node information
./database/update-node.sh \
--node pve1 \
--site us-east-1 \
--status online \
--cpu 32 \
--memory 128GB
```
### Configuration Drift Detection
```bash
# Detect configuration drift
./discovery/detect-drift.sh --site us-east-1
# Compare with expected configuration
./discovery/compare-config.sh \
--site us-east-1 \
--expected expected-config.yaml
```
## Integration
### API Integration
The inventory system provides a REST API for integration:
```bash
# Get site inventory
curl https://api.sankofa.nexus/inventory/sites/us-east-1
# Get node details
curl https://api.sankofa.nexus/inventory/nodes/pve1
# Update inventory
curl -X POST https://api.sankofa.nexus/inventory/nodes \
-H "Content-Type: application/json" \
-d '{"name": "pve1", "site": "us-east-1", ...}'
```
### Portal Integration
The inventory is accessible via the Portal UI:
- Infrastructure explorer
- Asset management
- Configuration comparison
- Change history
## Configuration
### Discovery Configuration
```yaml
discovery:
sites:
- id: us-east-1
proxmox:
endpoints:
- https://pve1.sankofa.nexus:8006
- https://pve2.sankofa.nexus:8006
network:
snmp_community: public
devices:
- 10.1.0.1 # switch-01
- 10.1.0.254 # router-01
omada:
controller: omada.sankofa.nexus
site_id: us-east-1
```
### Database Configuration
```yaml
database:
host: postgres.inventory.svc.cluster.local
port: 5432
database: infrastructure
username: inventory
password: ${DB_PASSWORD}
ssl_mode: require
```
## Backup and Recovery
### Backup Inventory
```bash
# Backup inventory database
./database/backup.sh --output inventory-backup-$(date +%Y%m%d).sql
```
### Restore Inventory
```bash
# Restore inventory database
./database/restore.sh --backup inventory-backup-20240101.sql
```
## Reporting
### Generate Reports
```bash
# Generate inventory report
./database/report.sh --site us-east-1 --format html
# Generate asset report
./database/asset-report.sh --format csv
```
## Related Documentation
- [Proxmox Management](../proxmox/README.md)
- [Omada Management](../omada/README.md)
- [Network Management](../network/README.md)
- [Infrastructure Management](../README.md)

133
infrastructure/inventory/database/schema.sql Normal file
View File

@@ -0,0 +1,133 @@
-- Infrastructure Inventory Database Schema
-- PostgreSQL schema for tracking infrastructure components
-- Sites table
CREATE TABLE IF NOT EXISTS sites (
id VARCHAR(50) PRIMARY KEY,
name VARCHAR(255) NOT NULL,
location VARCHAR(255),
timezone VARCHAR(50) DEFAULT 'UTC',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Nodes table (Proxmox, Kubernetes, etc.)
CREATE TABLE IF NOT EXISTS nodes (
id VARCHAR(50) PRIMARY KEY,
site_id VARCHAR(50) REFERENCES sites(id) ON DELETE CASCADE,
name VARCHAR(255) NOT NULL,
type VARCHAR(50) NOT NULL, -- 'proxmox', 'kubernetes', etc.
ip_address INET,
status VARCHAR(20) DEFAULT 'unknown', -- 'online', 'offline', 'maintenance'
cpu_cores INTEGER,
memory_gb INTEGER,
storage_gb INTEGER,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Virtual machines table
CREATE TABLE IF NOT EXISTS vms (
id VARCHAR(50) PRIMARY KEY,
node_id VARCHAR(50) REFERENCES nodes(id) ON DELETE CASCADE,
site_id VARCHAR(50) REFERENCES sites(id) ON DELETE CASCADE,
name VARCHAR(255) NOT NULL,
vmid INTEGER,
status VARCHAR(20) DEFAULT 'unknown',
cpu_cores INTEGER,
memory_gb INTEGER,
disk_gb INTEGER,
ip_address INET,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Network devices table
CREATE TABLE IF NOT EXISTS network_devices (
id VARCHAR(50) PRIMARY KEY,
site_id VARCHAR(50) REFERENCES sites(id) ON DELETE CASCADE,
name VARCHAR(255) NOT NULL,
type VARCHAR(50) NOT NULL, -- 'switch', 'router', 'access_point', 'gateway'
model VARCHAR(255),
ip_address INET,
mac_address MACADDR,
status VARCHAR(20) DEFAULT 'unknown',
firmware_version VARCHAR(50),
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Storage pools table
CREATE TABLE IF NOT EXISTS storage_pools (
id VARCHAR(50) PRIMARY KEY,
site_id VARCHAR(50) REFERENCES sites(id) ON DELETE CASCADE,
name VARCHAR(255) NOT NULL,
type VARCHAR(50) NOT NULL, -- 'local', 'ceph', 'nfs', etc.
total_gb BIGINT,
used_gb BIGINT,
available_gb BIGINT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Networks/VLANs table
CREATE TABLE IF NOT EXISTS networks (
id VARCHAR(50) PRIMARY KEY,
site_id VARCHAR(50) REFERENCES sites(id) ON DELETE CASCADE,
name VARCHAR(255) NOT NULL,
vlan_id INTEGER,
subnet CIDR,
gateway INET,
description TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Inventory history table (for change tracking)
CREATE TABLE IF NOT EXISTS inventory_history (
id SERIAL PRIMARY KEY,
table_name VARCHAR(50) NOT NULL,
record_id VARCHAR(50) NOT NULL,
action VARCHAR(20) NOT NULL, -- 'create', 'update', 'delete'
changes JSONB,
changed_by VARCHAR(255),
changed_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Indexes
CREATE INDEX IF NOT EXISTS idx_nodes_site_id ON nodes(site_id);
CREATE INDEX IF NOT EXISTS idx_vms_node_id ON vms(node_id);
CREATE INDEX IF NOT EXISTS idx_vms_site_id ON vms(site_id);
CREATE INDEX IF NOT EXISTS idx_network_devices_site_id ON network_devices(site_id);
CREATE INDEX IF NOT EXISTS idx_storage_pools_site_id ON storage_pools(site_id);
CREATE INDEX IF NOT EXISTS idx_networks_site_id ON networks(site_id);
CREATE INDEX IF NOT EXISTS idx_inventory_history_record ON inventory_history(table_name, record_id);
-- Function to update updated_at timestamp
CREATE OR REPLACE FUNCTION update_updated_at_column()
RETURNS TRIGGER AS $$
BEGIN
NEW.updated_at = CURRENT_TIMESTAMP;
RETURN NEW;
END;
$$ language 'plpgsql';
-- Triggers for updated_at
CREATE TRIGGER update_sites_updated_at BEFORE UPDATE ON sites
FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
CREATE TRIGGER update_nodes_updated_at BEFORE UPDATE ON nodes
FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
CREATE TRIGGER update_vms_updated_at BEFORE UPDATE ON vms
FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
CREATE TRIGGER update_network_devices_updated_at BEFORE UPDATE ON network_devices
FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
CREATE TRIGGER update_storage_pools_updated_at BEFORE UPDATE ON storage_pools
FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
CREATE TRIGGER update_networks_updated_at BEFORE UPDATE ON networks
FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();

97
infrastructure/inventory/discovery/discover-all.sh Executable file
View File

@@ -0,0 +1,97 @@
#!/bin/bash
set -euo pipefail
# Infrastructure Discovery Script
# Discovers all infrastructure components for a site
SITE="${SITE:-}"
OUTPUT_DIR="${OUTPUT_DIR:-/tmp/infrastructure-inventory}"
log() {
echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*" >&2
}
error() {
log "ERROR: $*"
exit 1
}
check_prerequisites() {
if [ -z "${SITE}" ]; then
error "SITE environment variable is required"
fi
mkdir -p "${OUTPUT_DIR}"
}
discover_proxmox() {
log "Discovering Proxmox infrastructure..."
# Check if discovery script exists
if [ -f "../../proxmox/scripts/discover-cluster.sh" ]; then
../../proxmox/scripts/discover-cluster.sh --site "${SITE}" > "${OUTPUT_DIR}/proxmox-${SITE}.json" 2>&1 || log " ⚠️ Proxmox discovery failed"
else
log " ⚠️ Proxmox discovery script not found"
fi
}
discover_omada() {
log "Discovering Omada infrastructure..."
if [ -f "../../omada/scripts/discover-aps.sh" ]; then
../../omada/scripts/discover-aps.sh --site "${SITE}" > "${OUTPUT_DIR}/omada-${SITE}.json" 2>&1 || log " ⚠️ Omada discovery failed"
else
log " ⚠️ Omada discovery script not found"
fi
}
discover_network() {
log "Discovering network infrastructure..."
# Network discovery would use SNMP or other protocols
log " ⚠️ Network discovery not yet implemented"
}
generate_inventory() {
log "Generating inventory report..."
REPORT_FILE="${OUTPUT_DIR}/inventory-${SITE}-$(date +%Y%m%d-%H%M%S).json"
cat > "${REPORT_FILE}" <<EOF
{
"site": "${SITE}",
"discovery_date": "$(date -Iseconds)",
"components": {
"proxmox": {
"file": "proxmox-${SITE}.json",
"status": "$([ -f "${OUTPUT_DIR}/proxmox-${SITE}.json" ] && echo "discovered" || echo "failed")"
},
"omada": {
"file": "omada-${SITE}.json",
"status": "$([ -f "${OUTPUT_DIR}/omada-${SITE}.json" ] && echo "discovered" || echo "failed")"
},
"network": {
"status": "not_implemented"
}
}
}
EOF
log "Inventory report generated: ${REPORT_FILE}"
cat "${REPORT_FILE}"
}
main() {
log "Starting infrastructure discovery for site: ${SITE}"
check_prerequisites
discover_proxmox
discover_omada
discover_network
generate_inventory
log "Discovery completed! Results in: ${OUTPUT_DIR}"
}
main "$@"

240
infrastructure/monitoring/README.md Normal file
View File

@@ -0,0 +1,240 @@
# Infrastructure Monitoring
Comprehensive monitoring solutions for all infrastructure components in Sankofa Phoenix.
## Overview
This directory contains monitoring components including custom Prometheus exporters, Grafana dashboards, and alerting rules for infrastructure monitoring.
## Components
### Exporters (`exporters/`)
Custom Prometheus exporters for:
- Proxmox VE metrics
- TP-Link Omada metrics
- Network switch/router metrics
- Infrastructure health checks
### Dashboards (`dashboards/`)
Grafana dashboards for:
- Infrastructure overview
- Proxmox cluster health
- Network performance
- Omada controller status
- Site-level monitoring
## Exporters
### Proxmox Exporter
The Proxmox exporter (`pve_exporter`) provides metrics for:
- VM status and resource usage
- Node health and performance
- Storage pool utilization
- Network interface statistics
- Cluster status
**Installation:**
```bash
pip install pve_exporter
```
**Configuration:**
```yaml
exporter:
listen_address: 0.0.0.0:9221
proxmox:
endpoint: https://pve1.sankofa.nexus:8006
username: monitoring@pam
password: ${PROXMOX_PASSWORD}
```
### Omada Exporter
Custom exporter for TP-Link Omada Controller metrics:
- Access point status
- Client device counts
- Network throughput
- Controller health
**See**: `exporters/omada_exporter/` for implementation
### Network Exporter
SNMP-based exporter for network devices:
- Switch port statistics
- Router interface metrics
- VLAN utilization
- Network topology changes
**See**: `exporters/network_exporter/` for implementation
## Dashboards
### Infrastructure Overview
Comprehensive dashboard showing:
- All sites status
- Resource utilization
- Health scores
- Alert summary
**Location**: `dashboards/infrastructure-overview.json`
### Proxmox Cluster
Dashboard for Proxmox clusters:
- Cluster health
- Node performance
- VM resource usage
- Storage utilization
**Location**: `dashboards/proxmox-cluster.json`
### Network Performance
Network performance dashboard:
- Bandwidth utilization
- Latency metrics
- Error rates
- Top talkers
**Location**: `dashboards/network-performance.json`
### Omada Controller
Omada-specific dashboard:
- Controller status
- Access point health
- Client statistics
- Network policies
**Location**: `dashboards/omada-controller.json`
## Installation
### Deploy Exporters
```bash
# Deploy all exporters
kubectl apply -f exporters/manifests/
# Or deploy individually
kubectl apply -f exporters/manifests/proxmox-exporter.yaml
kubectl apply -f exporters/manifests/omada-exporter.yaml
```
### Import Dashboards
```bash
# Import all dashboards to Grafana
./scripts/import-dashboards.sh
# Or import individually
grafana-cli admin import-dashboard dashboards/infrastructure-overview.json
```
## Configuration
### Prometheus Scrape Configuration
```yaml
scrape_configs:
- job_name: 'proxmox'
static_configs:
- targets:
- 'pve-exporter.monitoring.svc.cluster.local:9221'
- job_name: 'omada'
static_configs:
- targets:
- 'omada-exporter.monitoring.svc.cluster.local:9222'
- job_name: 'network'
static_configs:
- targets:
- 'network-exporter.monitoring.svc.cluster.local:9223'
```
### Alerting Rules
Alert rules are defined in `exporters/alert-rules/`:
- `proxmox-alerts.yaml`: Proxmox cluster alerts
- `omada-alerts.yaml`: Omada controller alerts
- `network-alerts.yaml`: Network infrastructure alerts
## Metrics
### Proxmox Metrics
- `pve_node_status`: Node status (0=offline, 1=online)
- `pve_vm_status`: VM status
- `pve_storage_used_bytes`: Storage usage
- `pve_network_rx_bytes`: Network receive bytes
- `pve_network_tx_bytes`: Network transmit bytes
### Omada Metrics
- `omada_ap_status`: Access point status
- `omada_clients_total`: Total client count
- `omada_throughput_bytes`: Network throughput
- `omada_controller_status`: Controller health
### Network Metrics
- `network_port_status`: Switch port status
- `network_port_rx_bytes`: Port receive bytes
- `network_port_tx_bytes`: Port transmit bytes
- `network_vlan_utilization`: VLAN utilization
## Alerts
### Critical Alerts
- Proxmox cluster node down
- Omada controller unreachable
- Network switch offline
- High resource utilization (>90%)
### Warning Alerts
- High resource utilization (>80%)
- Network latency spikes
- Access point offline
- Storage pool >80% full
## Troubleshooting
### Exporter Issues
```bash
# Check exporter status
kubectl get pods -n monitoring -l app=proxmox-exporter
# View exporter logs
kubectl logs -n monitoring -l app=proxmox-exporter
# Test exporter endpoint
curl http://proxmox-exporter.monitoring.svc.cluster.local:9221/metrics
```
### Dashboard Issues
```bash
# Verify dashboard import
grafana-cli admin ls-dashboard
# Check dashboard data sources
# In Grafana UI: Configuration > Data Sources
```
## Related Documentation
- [Proxmox Management](../proxmox/README.md)
- [Omada Management](../omada/README.md)
- [Network Management](../network/README.md)
- [Infrastructure Management](../README.md)

85
infrastructure/monitoring/dashboards/proxmox-cluster.json Normal file
View File

@@ -0,0 +1,85 @@
{
"dashboard": {
"title": "Proxmox Cluster Overview",
"tags": ["proxmox", "infrastructure"],
"timezone": "browser",
"schemaVersion": 16,
"version": 1,
"refresh": "30s",
"panels": [
{
"id": 1,
"title": "Cluster Nodes Status",
"type": "stat",
"targets": [
{
"expr": "up{job=\"pve_exporter\"}",
"legendFormat": "{{instance}}"
}
],
"gridPos": {"h": 4, "w": 6, "x": 0, "y": 0}
},
{
"id": 2,
"title": "Total VMs",
"type": "stat",
"targets": [
{
"expr": "count(pve_vm_info)",
"legendFormat": "VMs"
}
],
"gridPos": {"h": 4, "w": 6, "x": 6, "y": 0}
},
{
"id": 3,
"title": "Running VMs",
"type": "stat",
"targets": [
{
"expr": "count(pve_vm_info{status=\"running\"})",
"legendFormat": "Running"
}
],
"gridPos": {"h": 4, "w": 6, "x": 12, "y": 0}
},
{
"id": 4,
"title": "CPU Usage by Node",
"type": "graph",
"targets": [
{
"expr": "pve_node_cpu_usage",
"legendFormat": "{{node}}"
}
],
"gridPos": {"h": 8, "w": 12, "x": 0, "y": 4}
},
{
"id": 5,
"title": "Memory Usage by Node",
"type": "graph",
"targets": [
{
"expr": "pve_node_memory_usage",
"legendFormat": "{{node}}"
}
],
"gridPos": {"h": 8, "w": 12, "x": 12, "y": 4}
},
{
"id": 6,
"title": "Storage Usage",
"type": "graph",
"targets": [
{
"expr": "pve_storage_usage",
"legendFormat": "{{storage}}"
}
],
"gridPos": {"h": 8, "w": 24, "x": 0, "y": 12}
}
]
}
}

131
infrastructure/monitoring/dashboards/proxmox-node.json Normal file
View File

@@ -0,0 +1,131 @@
{
"dashboard": {
"title": "Proxmox Node Details",
"tags": ["proxmox", "node", "infrastructure"],
"timezone": "browser",
"schemaVersion": 16,
"version": 1,
"refresh": "30s",
"panels": [
{
"id": 1,
"title": "Node Status",
"type": "stat",
"targets": [
{
"expr": "up{job=\"pve_exporter\",instance=~\"$node\"}",
"legendFormat": "{{instance}}"
}
],
"gridPos": {"h": 4, "w": 6, "x": 0, "y": 0}
},
{
"id": 2,
"title": "CPU Usage",
"type": "gauge",
"targets": [
{
"expr": "pve_node_cpu_usage{node=~\"$node\"}",
"legendFormat": "{{node}}"
}
],
"gridPos": {"h": 4, "w": 6, "x": 6, "y": 0}
},
{
"id": 3,
"title": "Memory Usage",
"type": "gauge",
"targets": [
{
"expr": "pve_node_memory_usage{node=~\"$node\"}",
"legendFormat": "{{node}}"
}
],
"gridPos": {"h": 4, "w": 6, "x": 12, "y": 0}
},
{
"id": 4,
"title": "CPU Usage Over Time",
"type": "graph",
"targets": [
{
"expr": "pve_node_cpu_usage{node=~\"$node\"}",
"legendFormat": "{{node}}"
}
],
"gridPos": {"h": 8, "w": 12, "x": 0, "y": 4}
},
{
"id": 5,
"title": "Memory Usage Over Time",
"type": "graph",
"targets": [
{
"expr": "pve_node_memory_usage{node=~\"$node\"}",
"legendFormat": "{{node}}"
}
],
"gridPos": {"h": 8, "w": 12, "x": 12, "y": 4}
},
{
"id": 6,
"title": "Storage Usage by Pool",
"type": "graph",
"targets": [
{
"expr": "pve_storage_usage{node=~\"$node\"}",
"legendFormat": "{{storage}}"
}
],
"gridPos": {"h": 8, "w": 12, "x": 0, "y": 12}
},
{
"id": 7,
"title": "Network I/O",
"type": "graph",
"targets": [
{
"expr": "pve_node_net_in{node=~\"$node\"}",
"legendFormat": "{{node}} - In"
},
{
"expr": "pve_node_net_out{node=~\"$node\"}",
"legendFormat": "{{node}} - Out"
}
],
"gridPos": {"h": 8, "w": 12, "x": 12, "y": 12}
},
{
"id": 8,
"title": "Disk I/O",
"type": "graph",
"targets": [
{
"expr": "pve_node_disk_read{node=~\"$node\"}",
"legendFormat": "{{node}} - Read"
},
{
"expr": "pve_node_disk_write{node=~\"$node\"}",
"legendFormat": "{{node}} - Write"
}
],
"gridPos": {"h": 8, "w": 24, "x": 0, "y": 20}
}
],
"templating": {
"list": [
{
"name": "node",
"type": "query",
"query": "label_values(pve_node_info, node)",
"current": {
"text": "All",
"value": "$__all"
},
"options": []
}
]
}
}
}

82
infrastructure/monitoring/dashboards/proxmox-vms.json Normal file
View File

@@ -0,0 +1,82 @@
{
"dashboard": {
"title": "Proxmox VMs",
"tags": ["proxmox", "vms"],
"timezone": "browser",
"schemaVersion": 16,
"version": 1,
"refresh": "30s",
"panels": [
{
"id": 1,
"title": "VM CPU Usage",
"type": "graph",
"targets": [
{
"expr": "pve_vm_cpu_usage",
"legendFormat": "{{name}} ({{vmid}})"
}
],
"gridPos": {"h": 8, "w": 12, "x": 0, "y": 0}
},
{
"id": 2,
"title": "VM Memory Usage",
"type": "graph",
"targets": [
{
"expr": "pve_vm_memory_usage",
"legendFormat": "{{name}} ({{vmid}})"
}
],
"gridPos": {"h": 8, "w": 12, "x": 12, "y": 0}
},
{
"id": 3,
"title": "VM Network I/O",
"type": "graph",
"targets": [
{
"expr": "pve_vm_net_in",
"legendFormat": "{{name}} - In"
},
{
"expr": "pve_vm_net_out",
"legendFormat": "{{name}} - Out"
}
],
"gridPos": {"h": 8, "w": 12, "x": 0, "y": 8}
},
{
"id": 4,
"title": "VM Disk I/O",
"type": "graph",
"targets": [
{
"expr": "pve_vm_disk_read",
"legendFormat": "{{name}} - Read"
},
{
"expr": "pve_vm_disk_write",
"legendFormat": "{{name}} - Write"
}
],
"gridPos": {"h": 8, "w": 12, "x": 12, "y": 8}
},
{
"id": 5,
"title": "VM Status",
"type": "table",
"targets": [
{
"expr": "pve_vm_info",
"format": "table",
"instant": true
}
],
"gridPos": {"h": 8, "w": 24, "x": 0, "y": 16}
}
]
}
}

230
infrastructure/network/README.md Normal file
View File

@@ -0,0 +1,230 @@
# Network Infrastructure Management
Comprehensive management tools for network infrastructure including switches, routers, VLANs, and network topology.
## Overview
This directory contains management components for network infrastructure across Sankofa Phoenix sites, including:
- **Switches**: Configuration management for network switches
- **Routers**: Router configuration and routing protocol management
- **VLANs**: VLAN configuration and tracking
- **Topology**: Network topology discovery and visualization
## Components
### Switches (`switches/`)
Switch management tools for:
- VLAN configuration
- Port configuration
- Trunk/LAG setup
- STP configuration
- Port security
- SNMP monitoring
### Routers (`routers/`)
Router management tools for:
- Routing table management
- BGP/OSPF configuration
- Firewall rules
- NAT configuration
- VPN tunnels
- Interface configuration
### VLANs (`vlans/`)
VLAN management for:
- VLAN creation and deletion
- VLAN assignment to ports
- VLAN trunking
- Inter-VLAN routing
- VLAN tracking across sites
## Usage
### Switch Configuration
```bash
# Configure switch VLAN
./switches/configure-vlan.sh \
--switch switch-01 \
--vlan 100 \
--name "Employee-Network" \
--ports "1-24"
# Configure trunk port
./switches/configure-trunk.sh \
--switch switch-01 \
--port 25 \
--vlans "100,200,300"
```
### Router Configuration
```bash
# Configure BGP
./routers/configure-bgp.sh \
--router router-01 \
--asn 65001 \
--neighbor 10.0.0.1 \
--remote-asn 65000
# Configure OSPF
./routers/configure-ospf.sh \
--router router-01 \
--area 0 \
--network 10.1.0.0/24
```
### VLAN Management
```bash
# Create VLAN
./vlans/create-vlan.sh \
--vlan 100 \
--name "Employee-Network" \
--description "Employee network segment"
# Assign VLAN to switch port
./vlans/assign-vlan.sh \
--switch switch-01 \
--port 10 \
--vlan 100
```
## Network Topology
### Discovery
```bash
# Discover network topology
./discover-topology.sh --site us-east-1
# Export topology
./export-topology.sh --format graphviz --output topology.dot
```
### Visualization
Network topology can be visualized using:
- Graphviz
- D3.js
- React Flow (in Portal)
## Integration with Omada
Network management integrates with TP-Link Omada for:
- Unified network policy management
- Centralized VLAN configuration
- Network analytics
See [Omada Management](../omada/README.md) for details.
## Configuration
### Switch Configuration
```yaml
switches:
- name: switch-01
model: TP-Link T1600G
ip: 10.1.0.1
vlans:
- id: 100
name: Employee-Network
ports: [1-24]
- id: 200
name: Guest-Network
ports: [25-48]
trunks:
- port: 49
vlans: [100, 200, 300]
```
### Router Configuration
```yaml
routers:
- name: router-01
model: TP-Link ER7206
ip: 10.1.0.254
bgp:
asn: 65001
neighbors:
- ip: 10.0.0.1
asn: 65000
ospf:
area: 0
networks:
- 10.1.0.0/24
- 10.2.0.0/24
```
### VLAN Configuration
```yaml
vlans:
- id: 100
name: Employee-Network
description: Employee network segment
subnet: 10.1.100.0/24
gateway: 10.1.100.1
dhcp: true
switches:
- switch-01: [1-24]
- switch-02: [1-24]
- id: 200
name: Guest-Network
description: Guest network segment
subnet: 10.1.200.0/24
gateway: 10.1.200.1
dhcp: true
isolation: true
```
## Monitoring
Network monitoring includes:
- SNMP monitoring for switches and routers
- Flow monitoring (NetFlow/sFlow)
- Network performance metrics
- Topology change detection
See [Monitoring](../monitoring/README.md) for details.
## Security
- Network segmentation via VLANs
- Port security on switches
- Firewall rules on routers
- Network access control
- Regular security audits
## Troubleshooting
### Common Issues
**Switch connectivity:**
```bash
./switches/test-connectivity.sh --switch switch-01
```
**VLAN issues:**
```bash
./vlans/diagnose-vlan.sh --vlan 100
```
**Routing problems:**
```bash
./routers/diagnose-routing.sh --router router-01
```
## Related Documentation
- [Omada Management](../omada/README.md)
- [System Architecture](../../docs/system_architecture.md)
- [Infrastructure Management](../README.md)

144
infrastructure/network/network-policies.yaml Normal file
View File

@@ -0,0 +1,144 @@
# Network Policies for DoD/MilSpec Compliance
#
# Implements network segmentation per:
# - NIST SP 800-53: SC-7 (Boundary Protection)
# - NIST SP 800-171: 3.13.1 (Network Segmentation)
#
# Zero Trust network architecture with micro-segmentation
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-default
namespace: default
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
# Deny all traffic by default (whitelist approach)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-allow-ingress
namespace: default
spec:
podSelector:
matchLabels:
app: sankofa-api
policyTypes:
- Ingress
- Egress
ingress:
# Allow ingress from ingress controller only
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
- podSelector:
matchLabels:
app: ingress-nginx
ports:
- protocol: TCP
port: 4000
egress:
# Allow egress to database
- to:
- namespaceSelector:
matchLabels:
name: database
- podSelector:
matchLabels:
app: postgres
ports:
- protocol: TCP
port: 5432
# Allow egress to Keycloak
- to:
- namespaceSelector:
matchLabels:
name: identity
- podSelector:
matchLabels:
app: keycloak
ports:
- protocol: TCP
port: 8080
# Allow DNS
- to:
- namespaceSelector:
matchLabels:
name: kube-system
- podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: UDP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: database-isolate
namespace: database
spec:
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
- Egress
ingress:
# Only allow from API namespace
- from:
- namespaceSelector:
matchLabels:
name: default
podSelector:
matchLabels:
app: sankofa-api
ports:
- protocol: TCP
port: 5432
egress:
# Deny all egress (database should not initiate connections)
- {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: classification-based-segmentation
namespace: default
spec:
podSelector:
matchLabels:
classification: classified
policyTypes:
- Ingress
- Egress
ingress:
# Only allow from same classification level or higher
- from:
- podSelector:
matchLabels:
classification: classified
- podSelector:
matchLabels:
classification: secret
- podSelector:
matchLabels:
classification: top-secret
egress:
# Restricted egress for classified data
- to:
- podSelector:
matchLabels:
classification: classified
- podSelector:
matchLabels:
classification: secret
- podSelector:
matchLabels:
classification: top-secret

335
infrastructure/omada/README.md Normal file
View File

@@ -0,0 +1,335 @@
# TP-Link Omada Management
Comprehensive management tools and integrations for TP-Link Omada SDN (Software-Defined Networking) infrastructure.
## Overview
TP-Link Omada provides centralized management of network infrastructure including access points, switches, and gateways. This directory contains management components for integrating Omada into the Sankofa Phoenix infrastructure.
## Components
### API Client (`api/`)
Omada Controller API client library for:
- Controller authentication and session management
- Site and device management
- Access point configuration
- Network policy management
- Client device tracking
- Analytics and monitoring
### Terraform (`terraform/`)
Terraform provider/modules for:
- Omada Controller configuration
- Site provisioning
- Access point deployment
- Network policy as code
- SSID management
### Ansible (`ansible/`)
Ansible roles and playbooks for:
- Omada Controller deployment
- Access point provisioning
- Network policy configuration
- Firmware management
- Configuration backup
### Scripts (`scripts/`)
Management scripts for:
- Controller health checks
- Device discovery
- Configuration backup/restore
- Firmware updates
- Network analytics
## Omada Controller Integration
### Architecture
```
Omada Controller (Centralized)
├── Sites (Physical Locations)
│ ├── Access Points
│ ├── Switches
│ ├── Gateways
│ └── Network Policies
└── Global Settings
├── SSID Templates
├── Network Policies
└── User Groups
```
### Controller Setup
```bash
# Setup Omada Controller
./scripts/setup-controller.sh \
--controller omada.sankofa.nexus \
--admin admin \
--password secure-password
```
### Site Configuration
```bash
# Add a new site
./scripts/add-site.sh \
--site us-east-1 \
--name "US East Datacenter" \
--timezone "America/New_York"
```
## Usage
### Access Point Management
```bash
# Discover access points
./scripts/discover-aps.sh --site us-east-1
# Provision access point
./scripts/provision-ap.sh \
--site us-east-1 \
--ap "AP-01" \
--mac "aa:bb:cc:dd:ee:ff" \
--name "AP-Lobby-01"
# Configure access point
./scripts/configure-ap.sh \
--ap "AP-Lobby-01" \
--radio 2.4GHz \
--channel auto \
--power high
```
### SSID Management
```bash
# Create SSID
./scripts/create-ssid.sh \
--site us-east-1 \
--name "Sankofa-Employee" \
--security wpa3 \
--vlan 100
# Assign SSID to access point
./scripts/assign-ssid.sh \
--ap "AP-Lobby-01" \
--ssid "Sankofa-Employee" \
--radio 2.4GHz,5GHz
```
### Network Policies
```bash
# Create network policy
./scripts/create-policy.sh \
--site us-east-1 \
--name "Guest-Policy" \
--bandwidth-limit 10Mbps \
--vlan 200
# Apply policy to SSID
./scripts/apply-policy.sh \
--ssid "Sankofa-Guest" \
--policy "Guest-Policy"
```
### Ansible Deployment
```bash
# Deploy Omada configuration
cd ansible
ansible-playbook -i inventory.yml omada-deployment.yml \
-e controller=omada.sankofa.nexus \
-e site=us-east-1
```
### Terraform
```bash
# Provision Omada infrastructure
cd terraform
terraform init
terraform plan -var="controller=omada.sankofa.nexus"
terraform apply
```
## API Client Usage
### Python Example
```python
from omada_api import OmadaController
# Connect to controller
controller = OmadaController(
host="omada.sankofa.nexus",
username="admin",
password="secure-password"
)
# Get sites
sites = controller.get_sites()
# Get access points for a site
aps = controller.get_access_points(site_id="us-east-1")
# Configure access point
controller.configure_ap(
ap_id="ap-123",
name="AP-Lobby-01",
radio_config={
"2.4GHz": {"channel": "auto", "power": "high"},
"5GHz": {"channel": "auto", "power": "high"}
}
)
```
### Go Example
```go
package main
import (
"github.com/sankofa/omada-api"
)
func main() {
client := omada.NewClient("omada.sankofa.nexus", "admin", "secure-password")
sites, err := client.GetSites()
if err != nil {
log.Fatal(err)
}
aps, err := client.GetAccessPoints("us-east-1")
if err != nil {
log.Fatal(err)
}
}
```
## Configuration
### Controller Configuration
```yaml
controller:
host: omada.sankofa.nexus
port: 8043
username: admin
password: ${OMADA_PASSWORD}
verify_ssl: true
sites:
- id: us-east-1
name: US East Datacenter
timezone: America/New_York
aps:
- name: AP-Lobby-01
mac: aa:bb:cc:dd:ee:ff
location: Lobby
- name: AP-Office-01
mac: aa:bb:cc:dd:ee:ff
location: Office
```
### Network Policies
```yaml
policies:
- name: Employee-Policy
bandwidth_limit: unlimited
vlan: 100
firewall_rules:
- allow: [80, 443, 22]
- block: [all]
- name: Guest-Policy
bandwidth_limit: 10Mbps
vlan: 200
firewall_rules:
- allow: [80, 443]
- block: [all]
```
## Monitoring
Omada monitoring integrates with Prometheus:
- **omada_exporter**: Prometheus metrics exporter
- **Grafana Dashboards**: Pre-built dashboards for Omada
- **Alerts**: Alert rules for network health
See [Monitoring](../monitoring/README.md) for details.
## Security
- Controller authentication via username/password or API key
- TLS/SSL for all API communications
- Network isolation via VLANs
- Client device authentication
- Regular firmware updates
## Backup and Recovery
### Configuration Backup
```bash
# Backup Omada configuration
./scripts/backup-config.sh \
--controller omada.sankofa.nexus \
--output backup-$(date +%Y%m%d).json
```
### Configuration Restore
```bash
# Restore Omada configuration
./scripts/restore-config.sh \
--controller omada.sankofa.nexus \
--backup backup-20240101.json
```
## Firmware Management
```bash
# Check firmware versions
./scripts/check-firmware.sh --site us-east-1
# Update firmware
./scripts/update-firmware.sh \
--site us-east-1 \
--ap "AP-Lobby-01" \
--firmware firmware-v1.2.3.bin
```
## Troubleshooting
### Common Issues
**Controller connectivity:**
```bash
./scripts/test-controller.sh --controller omada.sankofa.nexus
```
**Access point offline:**
```bash
./scripts/diagnose-ap.sh --ap "AP-Lobby-01"
```
**Network performance:**
```bash
./scripts/analyze-network.sh --site us-east-1
```
## Related Documentation
- [Network Management](../network/README.md)
- [System Architecture](../../docs/system_architecture.md)
- [Infrastructure Management](../README.md)

309
infrastructure/omada/api/README.md Normal file
View File

@@ -0,0 +1,309 @@
# TP-Link Omada API Client
Python and Go client libraries for interacting with the TP-Link Omada Controller API.
## Overview
The Omada API client provides a high-level interface for managing TP-Link Omada SDN infrastructure, including access points, switches, gateways, and network policies.
## Features
- Controller authentication and session management
- Site and device management
- Access point configuration
- Network policy management
- Client device tracking
- Analytics and monitoring
## Installation
### Python
```bash
pip install omada-api
```
### Go
```bash
go get github.com/sankofa/omada-api
```
## Usage
### Python
```python
from omada_api import OmadaController
# Initialize controller
controller = OmadaController(
host="omada.sankofa.nexus",
username="admin",
password="secure-password",
verify_ssl=True
)
# Authenticate
controller.login()
# Get sites
sites = controller.get_sites()
for site in sites:
print(f"Site: {site['name']} (ID: {site['id']})")
# Get access points
aps = controller.get_access_points(site_id="us-east-1")
for ap in aps:
print(f"AP: {ap['name']} - {ap['status']}")
# Configure access point
controller.configure_ap(
ap_id="ap-123",
name="AP-Lobby-01",
radio_config={
"2.4GHz": {
"channel": "auto",
"power": "high",
"bandwidth": "20/40MHz"
},
"5GHz": {
"channel": "auto",
"power": "high",
"bandwidth": "20/40/80MHz"
}
}
)
# Create SSID
controller.create_ssid(
site_id="us-east-1",
name="Sankofa-Employee",
security="wpa3",
password="secure-password",
vlan=100
)
# Logout
controller.logout()
```
### Go
```go
package main
import (
"fmt"
"log"
"github.com/sankofa/omada-api"
)
func main() {
// Initialize controller
client := omada.NewClient(
"omada.sankofa.nexus",
"admin",
"secure-password",
)
// Authenticate
if err := client.Login(); err != nil {
log.Fatal(err)
}
defer client.Logout()
// Get sites
sites, err := client.GetSites()
if err != nil {
log.Fatal(err)
}
for _, site := range sites {
fmt.Printf("Site: %s (ID: %s)\n", site.Name, site.ID)
}
// Get access points
aps, err := client.GetAccessPoints("us-east-1")
if err != nil {
log.Fatal(err)
}
for _, ap := range aps {
fmt.Printf("AP: %s - %s\n", ap.Name, ap.Status)
}
}
```
## API Reference
### Authentication
```python
# Login
controller.login()
# Check authentication status
is_authenticated = controller.is_authenticated()
# Logout
controller.logout()
```
### Sites
```python
# Get all sites
sites = controller.get_sites()
# Get site by ID
site = controller.get_site(site_id="us-east-1")
# Create site
site = controller.create_site(
name="US East Datacenter",
timezone="America/New_York"
)
# Update site
controller.update_site(
site_id="us-east-1",
name="US East Datacenter - Updated"
)
# Delete site
controller.delete_site(site_id="us-east-1")
```
### Access Points
```python
# Get all access points for a site
aps = controller.get_access_points(site_id="us-east-1")
# Get access point by ID
ap = controller.get_access_point(ap_id="ap-123")
# Configure access point
controller.configure_ap(
ap_id="ap-123",
name="AP-Lobby-01",
location="Lobby",
radio_config={
"2.4GHz": {"channel": "auto", "power": "high"},
"5GHz": {"channel": "auto", "power": "high"}
}
)
# Reboot access point
controller.reboot_ap(ap_id="ap-123")
# Update firmware
controller.update_firmware(ap_id="ap-123", firmware_url="...")
```
### SSIDs
```python
# Get all SSIDs for a site
ssids = controller.get_ssids(site_id="us-east-1")
# Create SSID
ssid = controller.create_ssid(
site_id="us-east-1",
name="Sankofa-Employee",
security="wpa3",
password="secure-password",
vlan=100,
radios=["2.4GHz", "5GHz"]
)
# Update SSID
controller.update_ssid(
ssid_id="ssid-123",
name="Sankofa-Employee-Updated"
)
# Delete SSID
controller.delete_ssid(ssid_id="ssid-123")
```
### Network Policies
```python
# Get network policies
policies = controller.get_policies(site_id="us-east-1")
# Create policy
policy = controller.create_policy(
site_id="us-east-1",
name="Guest-Policy",
bandwidth_limit=10, # Mbps
vlan=200,
firewall_rules=[
{"action": "allow", "ports": [80, 443]},
{"action": "block", "ports": "all"}
]
)
# Apply policy to SSID
controller.apply_policy(ssid_id="ssid-123", policy_id="policy-123")
```
### Clients
```python
# Get client devices
clients = controller.get_clients(site_id="us-east-1")
# Get client by MAC
client = controller.get_client(mac="aa:bb:cc:dd:ee:ff")
# Block client
controller.block_client(mac="aa:bb:cc:dd:ee:ff")
# Unblock client
controller.unblock_client(mac="aa:bb:cc:dd:ee:ff")
```
## Error Handling
```python
from omada_api import OmadaError, AuthenticationError
try:
controller.login()
except AuthenticationError as e:
print(f"Authentication failed: {e}")
except OmadaError as e:
print(f"Omada API error: {e}")
```
## Configuration
### Environment Variables
```bash
export OMADA_HOST=omada.sankofa.nexus
export OMADA_USERNAME=admin
export OMADA_PASSWORD=secure-password
export OMADA_VERIFY_SSL=true
```
### Configuration File
```yaml
omada:
host: omada.sankofa.nexus
port: 8043
username: admin
password: ${OMADA_PASSWORD}
verify_ssl: true
timeout: 30
```
## Related Documentation
- [Omada Management](../README.md)
- [Infrastructure Management](../../README.md)

373
infrastructure/omada/api/omada_client.py Normal file
View File

@@ -0,0 +1,373 @@
#!/usr/bin/env python3
"""
TP-Link Omada Controller API Client
A Python client library for interacting with the TP-Link Omada Controller API.
"""
import requests
import json
from typing import Dict, List, Optional, Any
from urllib.parse import urljoin
class OmadaError(Exception):
"""Base exception for Omada API errors"""
pass
class AuthenticationError(OmadaError):
"""Authentication failed"""
pass
class OmadaController:
"""TP-Link Omada Controller API Client"""
def __init__(
self,
host: str,
username: str,
password: str,
port: int = 8043,
verify_ssl: bool = True,
timeout: int = 30
):
"""
Initialize Omada Controller client
Args:
host: Omada Controller hostname or IP
username: Controller username
password: Controller password
port: Controller port (default: 8043)
verify_ssl: Verify SSL certificates (default: True)
timeout: Request timeout in seconds (default: 30)
"""
self.base_url = f"https://{host}:{port}"
self.username = username
self.password = password
self.verify_ssl = verify_ssl
self.timeout = timeout
self.session = requests.Session()
self.session.verify = verify_ssl
self.token = None
self.authenticated = False
def _request(
self,
method: str,
endpoint: str,
data: Optional[Dict] = None,
params: Optional[Dict] = None
) -> Dict[str, Any]:
"""
Make API request
Args:
method: HTTP method (GET, POST, PUT, DELETE)
endpoint: API endpoint
data: Request body data
params: Query parameters
Returns:
API response as dictionary
Raises:
OmadaError: If API request fails
"""
url = urljoin(self.base_url, endpoint)
headers = {
"Content-Type": "application/json",
"Accept": "application/json"
}
if self.token:
headers["Authorization"] = f"Bearer {self.token}"
try:
response = self.session.request(
method=method,
url=url,
headers=headers,
json=data,
params=params,
timeout=self.timeout
)
response.raise_for_status()
return response.json()
except requests.exceptions.HTTPError as e:
if e.response.status_code == 401:
raise AuthenticationError("Authentication failed") from e
raise OmadaError(f"API request failed: {e}") from e
except requests.exceptions.RequestException as e:
raise OmadaError(f"Request failed: {e}") from e
def login(self) -> bool:
"""
Authenticate with Omada Controller
Returns:
True if authentication successful
Raises:
AuthenticationError: If authentication fails
"""
endpoint = "/api/v2/login"
data = {
"username": self.username,
"password": self.password
}
try:
response = self._request("POST", endpoint, data=data)
self.token = response.get("token")
self.authenticated = True
return True
except OmadaError as e:
self.authenticated = False
raise AuthenticationError(f"Login failed: {e}") from e
def logout(self) -> None:
"""Logout from Omada Controller"""
if self.authenticated:
endpoint = "/api/v2/logout"
try:
self._request("POST", endpoint)
except OmadaError:
pass # Ignore errors on logout
finally:
self.token = None
self.authenticated = False
def is_authenticated(self) -> bool:
"""Check if authenticated"""
return self.authenticated
def get_sites(self) -> List[Dict[str, Any]]:
"""
Get all sites
Returns:
List of site dictionaries
"""
endpoint = "/api/v2/sites"
response = self._request("GET", endpoint)
return response.get("data", [])
def get_site(self, site_id: str) -> Dict[str, Any]:
"""
Get site by ID
Args:
site_id: Site ID
Returns:
Site dictionary
"""
endpoint = f"/api/v2/sites/{site_id}"
response = self._request("GET", endpoint)
return response.get("data", {})
def create_site(
self,
name: str,
timezone: str = "UTC",
description: Optional[str] = None
) -> Dict[str, Any]:
"""
Create a new site
Args:
name: Site name
timezone: Timezone (e.g., "America/New_York")
description: Site description
Returns:
Created site dictionary
"""
endpoint = "/api/v2/sites"
data = {
"name": name,
"timezone": timezone
}
if description:
data["description"] = description
response = self._request("POST", endpoint, data=data)
return response.get("data", {})
def get_access_points(self, site_id: str) -> List[Dict[str, Any]]:
"""
Get all access points for a site
Args:
site_id: Site ID
Returns:
List of access point dictionaries
"""
endpoint = f"/api/v2/sites/{site_id}/access-points"
response = self._request("GET", endpoint)
return response.get("data", [])
def get_access_point(self, ap_id: str) -> Dict[str, Any]:
"""
Get access point by ID
Args:
ap_id: Access point ID
Returns:
Access point dictionary
"""
endpoint = f"/api/v2/access-points/{ap_id}"
response = self._request("GET", endpoint)
return response.get("data", {})
def configure_ap(
self,
ap_id: str,
name: Optional[str] = None,
location: Optional[str] = None,
radio_config: Optional[Dict] = None
) -> Dict[str, Any]:
"""
Configure access point
Args:
ap_id: Access point ID
name: Access point name
location: Physical location
radio_config: Radio configuration
Returns:
Updated access point dictionary
"""
endpoint = f"/api/v2/access-points/{ap_id}"
data = {}
if name:
data["name"] = name
if location:
data["location"] = location
if radio_config:
data["radio_config"] = radio_config
response = self._request("PUT", endpoint, data=data)
return response.get("data", {})
def get_ssids(self, site_id: str) -> List[Dict[str, Any]]:
"""
Get all SSIDs for a site
Args:
site_id: Site ID
Returns:
List of SSID dictionaries
"""
endpoint = f"/api/v2/sites/{site_id}/ssids"
response = self._request("GET", endpoint)
return response.get("data", [])
def create_ssid(
self,
site_id: str,
name: str,
security: str = "wpa3",
password: Optional[str] = None,
vlan: Optional[int] = None,
radios: Optional[List[str]] = None
) -> Dict[str, Any]:
"""
Create SSID
Args:
site_id: Site ID
name: SSID name
security: Security type (open, wpa2, wpa3)
password: WPA password (required for wpa2/wpa3)
vlan: VLAN ID
radios: List of radios (["2.4GHz", "5GHz"])
Returns:
Created SSID dictionary
"""
endpoint = f"/api/v2/sites/{site_id}/ssids"
data = {
"name": name,
"security": security
}
if password:
data["password"] = password
if vlan:
data["vlan"] = vlan
if radios:
data["radios"] = radios
response = self._request("POST", endpoint, data=data)
return response.get("data", {})
def get_clients(self, site_id: str) -> List[Dict[str, Any]]:
"""
Get all client devices for a site
Args:
site_id: Site ID
Returns:
List of client dictionaries
"""
endpoint = f"/api/v2/sites/{site_id}/clients"
response = self._request("GET", endpoint)
return response.get("data", [])
def get_client(self, mac: str) -> Dict[str, Any]:
"""
Get client device by MAC address
Args:
mac: MAC address
Returns:
Client dictionary
"""
endpoint = f"/api/v2/clients/{mac}"
response = self._request("GET", endpoint)
return response.get("data", {})
# Example usage
if __name__ == "__main__":
# Initialize controller
controller = OmadaController(
host="omada.sankofa.nexus",
username="admin",
password="secure-password"
)
try:
# Authenticate
controller.login()
print("Authenticated successfully")
# Get sites
sites = controller.get_sites()
print(f"Found {len(sites)} sites")
# Get access points for first site
if sites:
site_id = sites[0]["id"]
aps = controller.get_access_points(site_id)
print(f"Found {len(aps)} access points")
# Logout
controller.logout()
print("Logged out")
except AuthenticationError as e:
print(f"Authentication failed: {e}")
except OmadaError as e:
print(f"Error: {e}")

74
infrastructure/omada/scripts/discover-aps.sh Executable file
View File

@@ -0,0 +1,74 @@
#!/bin/bash
set -euo pipefail
# Discover Access Points Script
CONTROLLER="${OMADA_CONTROLLER:-}"
ADMIN_USER="${OMADA_ADMIN:-admin}"
ADMIN_PASSWORD="${OMADA_PASSWORD:-}"
SITE_ID="${SITE_ID:-}"
log() {
echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*" >&2
}
error() {
log "ERROR: $*"
exit 1
}
check_prerequisites() {
if [ -z "${CONTROLLER}" ]; then
error "OMADA_CONTROLLER environment variable is required"
fi
if [ -z "${ADMIN_PASSWORD}" ]; then
error "OMADA_PASSWORD environment variable is required"
fi
}
authenticate() {
log "Authenticating with Omada Controller..."
TOKEN_RESPONSE=$(curl -k -s -X POST "https://${CONTROLLER}:8043/api/v2/login" \
-H "Content-Type: application/json" \
-d "{\"username\":\"${ADMIN_USER}\",\"password\":\"${ADMIN_PASSWORD}\"}")
TOKEN=$(echo "${TOKEN_RESPONSE}" | grep -o '"token":"[^"]*' | cut -d'"' -f4)
if [ -z "${TOKEN}" ]; then
error "Authentication failed"
fi
echo "${TOKEN}"
}
discover_aps() {
TOKEN=$1
if [ -n "${SITE_ID}" ]; then
ENDPOINT="/api/v2/sites/${SITE_ID}/access-points"
else
ENDPOINT="/api/v2/access-points"
fi
log "Discovering access points..."
RESPONSE=$(curl -k -s -X GET "https://${CONTROLLER}:8043${ENDPOINT}" \
-H "Authorization: Bearer ${TOKEN}")
echo "${RESPONSE}" | python3 -m json.tool 2>/dev/null || echo "${RESPONSE}"
}
main() {
log "Starting access point discovery..."
check_prerequisites
TOKEN=$(authenticate)
discover_aps "${TOKEN}"
log "Discovery completed!"
}
main "$@"

110
infrastructure/omada/scripts/setup-controller.sh Executable file
View File

@@ -0,0 +1,110 @@
#!/bin/bash
set -euo pipefail
# TP-Link Omada Controller Setup Script
CONTROLLER="${OMADA_CONTROLLER:-}"
ADMIN_USER="${OMADA_ADMIN:-admin}"
ADMIN_PASSWORD="${OMADA_PASSWORD:-}"
SITE_NAME="${SITE_NAME:-}"
log() {
echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*" >&2
}
error() {
log "ERROR: $*"
exit 1
}
check_prerequisites() {
if [ -z "${CONTROLLER}" ]; then
error "OMADA_CONTROLLER environment variable is required"
fi
if [ -z "${ADMIN_PASSWORD}" ]; then
error "OMADA_PASSWORD environment variable is required"
fi
if ! command -v curl &> /dev/null; then
error "curl is required but not installed"
fi
}
test_controller_connectivity() {
log "Testing connectivity to Omada Controller at ${CONTROLLER}..."
if curl -k -s --connect-timeout 5 "https://${CONTROLLER}:8043" > /dev/null; then
log "Controller is reachable"
return 0
else
error "Cannot reach controller at ${CONTROLLER}:8043"
fi
}
verify_authentication() {
log "Verifying authentication..."
RESPONSE=$(curl -k -s -X POST "https://${CONTROLLER}:8043/api/v2/login" \
-H "Content-Type: application/json" \
-d "{\"username\":\"${ADMIN_USER}\",\"password\":\"${ADMIN_PASSWORD}\"}")
if echo "${RESPONSE}" | grep -q "token"; then
log "Authentication successful"
return 0
else
error "Authentication failed. Please check credentials."
fi
}
create_site() {
if [ -z "${SITE_NAME}" ]; then
log "SITE_NAME not provided, skipping site creation"
return 0
fi
log "Creating site: ${SITE_NAME}..."
# Get authentication token
TOKEN_RESPONSE=$(curl -k -s -X POST "https://${CONTROLLER}:8043/api/v2/login" \
-H "Content-Type: application/json" \
-d "{\"username\":\"${ADMIN_USER}\",\"password\":\"${ADMIN_PASSWORD}\"}")
TOKEN=$(echo "${TOKEN_RESPONSE}" | grep -o '"token":"[^"]*' | cut -d'"' -f4)
if [ -z "${TOKEN}" ]; then
error "Failed to get authentication token"
fi
# Create site
SITE_RESPONSE=$(curl -k -s -X POST "https://${CONTROLLER}:8043/api/v2/sites" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${TOKEN}" \
-d "{\"name\":\"${SITE_NAME}\",\"timezone\":\"UTC\"}")
if echo "${SITE_RESPONSE}" | grep -q "id"; then
SITE_ID=$(echo "${SITE_RESPONSE}" | grep -o '"id":"[^"]*' | cut -d'"' -f4)
log "Site created successfully with ID: ${SITE_ID}"
else
log "Warning: Site creation may have failed or site already exists"
fi
}
main() {
log "Starting Omada Controller setup..."
check_prerequisites
test_controller_connectivity
verify_authentication
create_site
log "Omada Controller setup completed!"
log ""
log "Next steps:"
log "1. Configure access points: ./provision-ap.sh"
log "2. Create SSIDs: ./create-ssid.sh"
log "3. Set up network policies: ./create-policy.sh"
}
main "$@"

229
infrastructure/proxmox/README.md Normal file
View File

@@ -0,0 +1,229 @@
# Proxmox VE Management
Comprehensive management tools and integrations for Proxmox VE virtualization infrastructure.
## Overview
This directory contains management components for Proxmox VE clusters deployed across Sankofa Phoenix edge sites. It complements the existing Crossplane provider (`crossplane-provider-proxmox/`) with additional tooling for operations, monitoring, and automation.
## Components
### API Client (`api/`)
Proxmox API client utilities and helpers for:
- Cluster operations
- Storage management
- Network configuration
- Backup operations
- Node management
### Terraform (`terraform/`)
Terraform modules for:
- Proxmox cluster provisioning
- Storage pool configuration
- Network bridge setup
- Resource pool management
### Ansible (`ansible/`)
Ansible roles and playbooks for:
- Cluster deployment
- Node configuration
- Storage setup
- Network configuration
- Monitoring agent installation
### Scripts (`scripts/`)
Management scripts for:
- Cluster health checks
- Backup automation
- Disaster recovery
- Performance tuning
- Maintenance operations
## Integration with Crossplane Provider
The Proxmox management components work alongside the Crossplane provider:
- **Crossplane Provider**: Declarative VM management via Kubernetes
- **Management Tools**: Operational tasks, monitoring, and automation
- **API Client**: Direct Proxmox API access for advanced operations
## Usage
### Cluster Setup
```bash
# Setup a new Proxmox cluster
./scripts/setup-cluster.sh \
--site us-east-1 \
--nodes pve1,pve2,pve3 \
--storage local-lvm \
--network vmbr0
```
### Storage Management
```bash
# Add storage pool
./scripts/add-storage.sh \
--pool ceph-storage \
--type ceph \
--nodes pve1,pve2,pve3
```
### Network Configuration
```bash
# Configure network bridge
./scripts/configure-network.sh \
--bridge vmbr1 \
--vlan 100 \
--nodes pve1,pve2,pve3
```
### Ansible Deployment
```bash
# Deploy Proxmox configuration
cd ansible
ansible-playbook -i inventory.yml site-deployment.yml \
-e site=us-east-1 \
-e nodes="pve1,pve2,pve3"
```
### Terraform
```bash
# Provision Proxmox infrastructure
cd terraform
terraform init
terraform plan -var="site=us-east-1"
terraform apply
```
## Configuration
### Site Configuration
Each Proxmox site requires configuration:
```yaml
site: us-east-1
nodes:
- name: pve1
ip: 10.1.0.10
role: master
- name: pve2
ip: 10.1.0.11
role: worker
- name: pve3
ip: 10.1.0.12
role: worker
storage:
pools:
- name: local-lvm
type: lvm
- name: ceph-storage
type: ceph
networks:
bridges:
- name: vmbr0
type: bridge
vlan: untagged
- name: vmbr1
type: bridge
vlan: 100
```
### API Authentication
Proxmox API authentication via tokens:
```bash
# Create API token
export PROXMOX_API_URL=https://pve1.sankofa.nexus:8006
export PROXMOX_API_TOKEN=root@pam!token-name=abc123def456
```
## Monitoring
Proxmox monitoring integrates with the Prometheus stack:
- **pve_exporter**: Prometheus metrics exporter
- **Grafana Dashboards**: Pre-built dashboards for Proxmox
- **Alerts**: Alert rules for cluster health
See [Monitoring](../monitoring/README.md) for details.
## Backup and Recovery
### Automated Backups
```bash
# Configure backup schedule
./scripts/configure-backups.sh \
--schedule "0 2 * * *" \
--retention 30 \
--storage backup-storage
```
### Disaster Recovery
```bash
# Restore from backup
./scripts/restore-backup.sh \
--backup backup-20240101 \
--target pve1
```
## Multi-Site Management
For managing multiple Proxmox sites:
```bash
# List all sites
./scripts/list-sites.sh
# Get site status
./scripts/site-status.sh --site us-east-1
# Sync configuration across sites
./scripts/sync-config.sh --sites us-east-1,eu-west-1
```
## Security
- API tokens with least privilege
- TLS/SSL for all API communications
- Network isolation via VLANs
- Regular security updates
- Audit logging
## Troubleshooting
### Common Issues
**Cluster split-brain:**
```bash
./scripts/fix-split-brain.sh --site us-east-1
```
**Storage issues:**
```bash
./scripts/diagnose-storage.sh --pool local-lvm
```
**Network connectivity:**
```bash
./scripts/test-network.sh --node pve1
```
## Related Documentation
- [Crossplane Provider](../../crossplane-provider-proxmox/README.md)
- [System Architecture](../../docs/system_architecture.md)
- [Deployment Scripts](../../scripts/README.md)

135
infrastructure/proxmox/scripts/cluster-health.sh Executable file
View File

@@ -0,0 +1,135 @@
#!/bin/bash
set -euo pipefail
# Proxmox Cluster Health Check Script
SITE="${SITE:-}"
NODE="${NODE:-}"
log() {
echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*" >&2
}
error() {
log "ERROR: $*"
exit 1
}
check_node() {
local node=$1
log "Checking node: ${node}..."
if ! command -v pvesh &> /dev/null; then
error "pvesh not found. This script must be run on a Proxmox node."
fi
# Check node status
STATUS=$(pvesh get /nodes/${node}/status --output-format json 2>/dev/null || echo "{}")
if [ -z "${STATUS}" ] || [ "${STATUS}" = "{}" ]; then
log " ❌ Node ${node} is unreachable"
return 1
fi
# Parse status
UPTIME=$(echo "${STATUS}" | grep -o '"uptime":[0-9]*' | cut -d':' -f2)
CPU=$(echo "${STATUS}" | grep -o '"cpu":[0-9.]*' | cut -d':' -f2)
MEMORY_TOTAL=$(echo "${STATUS}" | grep -o '"memory_total":[0-9]*' | cut -d':' -f2)
MEMORY_USED=$(echo "${STATUS}" | grep -o '"memory_used":[0-9]*' | cut -d':' -f2)
if [ -n "${UPTIME}" ]; then
log " ✅ Node ${node} is online"
log " Uptime: ${UPTIME} seconds"
log " CPU: ${CPU}%"
if [ -n "${MEMORY_TOTAL}" ] && [ -n "${MEMORY_USED}" ]; then
MEMORY_PERCENT=$((MEMORY_USED * 100 / MEMORY_TOTAL))
log " Memory: ${MEMORY_PERCENT}% used (${MEMORY_USED}/${MEMORY_TOTAL} bytes)"
fi
return 0
else
log " ❌ Node ${node} status unknown"
return 1
fi
}
check_cluster() {
log "Checking cluster status..."
# Get cluster nodes
NODES=$(pvesh get /nodes --output-format json 2>/dev/null | grep -o '"node":"[^"]*' | cut -d'"' -f4 || echo "")
if [ -z "${NODES}" ]; then
error "Cannot retrieve cluster nodes"
fi
log "Found nodes: ${NODES}"
local all_healthy=true
for node in ${NODES}; do
if ! check_node "${node}"; then
all_healthy=false
fi
done
if [ "${all_healthy}" = "true" ]; then
log "✅ All nodes are healthy"
return 0
else
log "❌ Some nodes are unhealthy"
return 1
fi
}
check_storage() {
log "Checking storage pools..."
STORAGE=$(pvesh get /storage --output-format json 2>/dev/null || echo "[]")
if [ -z "${STORAGE}" ] || [ "${STORAGE}" = "[]" ]; then
log " ⚠️ No storage pools found"
return 0
fi
# Parse storage (simplified)
log " Storage pools configured"
return 0
}
check_vms() {
log "Checking virtual machines..."
# Get all VMs
VMS=$(pvesh get /nodes --output-format json 2>/dev/null | grep -o '"vmid":[0-9]*' | cut -d':' -f2 | sort -u || echo "")
if [ -z "${VMS}" ]; then
log " No VMs found"
return 0
fi
VM_COUNT=$(echo "${VMS}" | wc -l)
log " Found ${VM_COUNT} virtual machines"
return 0
}
main() {
log "Starting Proxmox cluster health check..."
if [ -n "${NODE}" ]; then
check_node "${NODE}"
elif [ -n "${SITE}" ]; then
log "Checking site: ${SITE}"
check_cluster
check_storage
check_vms
else
check_cluster
check_storage
check_vms
fi
log "Health check completed!"
}
main "$@"