Initial commit: loc_az_hci (smom-dbis-138 excluded via .gitignore)

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/security/configure-firewall-rules.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+source ~/.bashrc
+# Configure Firewall Rules for Proxmox Hosts
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+# Load environment variables
+if [ -f "$PROJECT_ROOT/.env" ]; then
+    set -a
+    source <(grep -v '^#' "$PROJECT_ROOT/.env" | grep -v '^$' | sed 's/#.*$//' | grep '=')
+    set +a
+fi
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+log_info() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+log_warn() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+log_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519_proxmox}"
+PROXMOX_HOSTS=("192.168.1.206" "192.168.1.49")  # ML110 and R630
+
+main() {
+    log_info "Configuring Firewall Rules for Proxmox Hosts"
+    echo ""
+
+    for host in "${PROXMOX_HOSTS[@]}"; do
+        log_info "Configuring firewall on $host..."
+        
+        # Check if we can connect
+        if ! ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no "root@${host}" "pveversion" &>/dev/null; then
+            log_warn "Cannot connect to $host. Skipping..."
+            continue
+        fi
+
+        # Enable firewall if not already enabled
+        log_info "Enabling firewall..."
+        ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no "root@${host}" <<'EOF'
+set -e
+
+# Enable firewall
+pve-firewall enable || true
+
+# Create security group for cluster communication
+pve-firewall security-group add cluster-comm --comment "Cluster communication"
+pve-firewall security-group rule add cluster-comm --action ACCEPT --proto tcp --dport 8006 --comment "Proxmox Web UI"
+pve-firewall security-group rule add cluster-comm --action ACCEPT --proto tcp --dport 22 --comment "SSH"
+pve-firewall security-group rule add cluster-comm --action ACCEPT --proto udp --dport 5404:5412 --comment "Corosync cluster"
+pve-firewall security-group rule add cluster-comm --action ACCEPT --proto tcp --dport 3128 --comment "SPICE proxy"
+pve-firewall security-group rule add cluster-comm --action ACCEPT --proto tcp --dport 111 --comment "RPC"
+pve-firewall security-group rule add cluster-comm --action ACCEPT --proto tcp --dport 2049 --comment "NFS"
+pve-firewall security-group rule add cluster-comm --action ACCEPT --proto tcp --dport 5900:5999 --comment "VNC"
+pve-firewall security-group rule add cluster-comm --action ACCEPT --proto tcp --dport 60000:60050 --comment "Migration"
+
+# Create security group for VM services
+pve-firewall security-group add vm-services --comment "VM service ports"
+pve-firewall security-group rule add vm-services --action ACCEPT --proto tcp --dport 3000 --comment "Gitea/Grafana"
+pve-firewall security-group rule add vm-services --action ACCEPT --proto tcp --dport 9090 --comment "Prometheus"
+pve-firewall security-group rule add vm-services --action ACCEPT --proto tcp --dport 6443 --comment "K3s API"
+pve-firewall security-group rule add vm-services --action ACCEPT --proto tcp --dport 10250 --comment "Kubelet"
+
+# Configure datacenter firewall options
+pve-firewall options set enable 1
+pve-firewall options set log_level_in 6  # Log dropped packets
+pve-firewall options set log_level_out 6
+
+# Allow cluster communication between nodes
+pve-firewall cluster add-rule cluster-comm --action ACCEPT --source 192.168.1.0/24 --comment "Allow cluster subnet"
+
+echo "Firewall configured successfully"
+EOF
+
+        log_info "✓ Firewall configured on $host"
+        echo ""
+    done
+
+    log_info "Firewall configuration complete!"
+    echo ""
+    log_warn "Review firewall rules:"
+    log_info "  - Check rules: pve-firewall status"
+    log_info "  - View security groups: pve-firewall security-group list"
+    log_info "  - Test connectivity after applying rules"
+    echo ""
+    log_info "Default rules allow:"
+    log_info "  - Cluster communication (ports 5404-5412 UDP)"
+    log_info "  - Proxmox Web UI (port 8006)"
+    log_info "  - SSH (port 22)"
+    log_info "  - VM services (ports 3000, 9090, 6443, 10250)"
+    log_info "  - Migration ports (60000-60050)"
+}
+
+main "$@"
+

scripts/security/setup-proxmox-rbac.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+source ~/.bashrc
+# Setup Proxmox RBAC (Role-Based Access Control)
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+# Load environment variables
+if [ -f "$PROJECT_ROOT/.env" ]; then
+    set -a
+    source <(grep -v '^#' "$PROJECT_ROOT/.env" | grep -v '^$' | sed 's/#.*$//' | grep '=')
+    set +a
+fi
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+log_info() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+log_warn() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+log_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519_proxmox}"
+PROXMOX_HOSTS=("192.168.1.206" "192.168.1.49")  # ML110 and R630
+
+main() {
+    log_info "Setting up Proxmox RBAC"
+    echo ""
+
+    for host in "${PROXMOX_HOSTS[@]}"; do
+        log_info "Configuring RBAC on $host..."
+        
+        # Check if we can connect
+        if ! ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no "root@${host}" "pveversion" &>/dev/null; then
+            log_warn "Cannot connect to $host. Skipping..."
+            continue
+        fi
+
+        # Create roles
+        log_info "Creating custom roles..."
+        ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no "root@${host}" <<'EOF'
+set -e
+
+# Create VM Operator role (can manage VMs but not hosts)
+pveum role add VMOperator --privs "VM.Allocate VM.Audit VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Monitor VM.PowerMgmt Datastore.Allocate Datastore.Audit"
+
+# Create VM Viewer role (read-only access to VMs)
+pveum role add VMViewer --privs "VM.Audit VM.Monitor Datastore.Audit"
+
+# Create Storage Operator role (can manage storage)
+pveum role add StorageOperator --privs "Datastore.Allocate Datastore.Audit Datastore.AllocateSpace Datastore.AllocateTemplate"
+
+# Create Network Operator role (can manage networks)
+pveum role add NetworkOperator --privs "SDN.Use SDN.Audit Network.Allocate Network.Audit"
+
+echo "Roles created successfully"
+EOF
+
+        log_info "✓ RBAC roles created on $host"
+        echo ""
+    done
+
+    log_info "RBAC setup complete!"
+    echo ""
+    log_warn "Manual steps required:"
+    log_info "1. Create users via Web UI: Datacenter → Permissions → Users → Add"
+    log_info "2. Assign roles to users: Datacenter → Permissions → User → Edit → Roles"
+    log_info "3. Create API tokens for automation:"
+    log_info "   - Datacenter → Permissions → API Tokens → Add"
+    log_info "   - Store tokens securely in .env file"
+    echo ""
+    log_info "Available roles:"
+    log_info "  - VMOperator: Full VM management"
+    log_info "  - VMViewer: Read-only VM access"
+    log_info "  - StorageOperator: Storage management"
+    log_info "  - NetworkOperator: Network management"
+}
+
+main "$@"
+