feat: initial commit

docs/PLAN.md

@@ -0,0 +1,48 @@
+# Wazuh on Proxmox - Plan
+
+## Goal
+Provision one VM on local Proxmox using Terraform and install Wazuh all-in-one
+automatically.
+
+## Current Assets
+- Ready single-VM Proxmox Terraform baseline in `sources/iac-test/main.tf`.
+- Ready multi-VM reference in `sources/multi-vm-iac/main.tf`.
+- Known working Proxmox params from existing code:
+  - endpoint `https://10.0.50.110:8006/`
+  - node `rbmk2`
+  - template VM ID `169`
+  - bridge `vmbr0`
+  - cloud-init user `devops`
+
+## Selected Base
+Use `iac-test` as base because target is one VM for Wazuh.
+
+## Work Plan
+1. Create clean Terraform project structure from single-VM base:
+   - `main.tf`, `variables.tf`, `outputs.tf`, `versions.tf`
+   - `terraform.tfvars.example`
+2. Parameterize all environment-specific values:
+   - Proxmox endpoint/token file path/node/template/datastore/bridge
+   - VM name, CPU, RAM, disk, IP, gateway, SSH key, SSH port
+3. Add cloud-init/user-data provisioning for Wazuh:
+   - OS packages and prerequisites
+   - run `wazuh-install.sh -a`
+   - ensure services are enabled and started
+4. Add post-deploy validation outputs:
+   - VM IP
+   - dashboard URL
+   - quick health commands
+5. Add runbook (`README.md`) with exact operator commands:
+   - `terraform init`
+   - `terraform plan -var-file=...`
+   - `terraform apply -var-file=...`
+   - access + agent enrollment steps
+6. Optional hardening pass:
+   - split Wazuh install from VM creation (null_resource/ansible)
+   - add destroy safeguards and tags
+
+## Open Inputs Needed Before Apply
+- Final static IP for Wazuh VM in LAN.
+- Whether to keep default Wazuh ports (443, 1514, 1515) exposed as-is.
+- Template `169` confirmation (cloud-init enabled and qemu-guest-agent present).
+

docs/RUNBOOK_WAZUH_RBMK.md

@@ -0,0 +1,201 @@
+# Wazuh Lab Runbook (RBMK2, VMID/IP reuse)
+
+## Scope
+- Rebuild VM `104` on `rbmk2`
+- Keep IP `10.1.50.125/24`
+- Use Ubuntu 22.04 template `9000`
+- Install Wazuh all-in-one
+
+## 1) Create Ubuntu template on RBMK2
+Run on: `root@rbmk2`
+
+```bash
+qm status 9000 || true
+wget -O /var/lib/vz/template/iso/jammy-server-cloudimg-amd64.img https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img
+qm create 9000 --name ubuntu2204-template-rbmk2 --memory 4096 --cores 2 --net0 virtio,bridge=vmbr0,firewall=1
+qm importdisk 9000 /var/lib/vz/template/iso/jammy-server-cloudimg-amd64.img local-lvm
+qm set 9000 --scsihw virtio-scsi-single --scsi0 local-lvm:vm-9000-disk-0
+qm set 9000 --ide2 local-lvm:cloudinit
+qm set 9000 --boot order=scsi0
+qm set 9000 --agent enabled=1
+qm template 9000
+qm resize 9000 scsi0 60G
+qm config 9000 | egrep '^(name|template|ostype|agent|boot|scsihw|scsi0|ide2|net0):'
+```
+
+Expected:
+- `template: 1`
+- `ide2: ...cloudinit`
+- `scsi0 ... size=60G`
+
+## 2) Prepare Terraform
+Run on: local laptop  
+Path: `/home/nikola/codex-cli/projects/wazuh-proxmox-iac/terraform`
+
+```bash
+cd /home/nikola/codex-cli/projects/wazuh-proxmox-iac/terraform
+mkdir -p .secrets
+cp terraform.tfvars.example terraform.tfvars
+nano terraform.tfvars
+nano .secrets/api_token
+chmod 600 .secrets/api_token
+terraform init
+terraform fmt -recursive
+terraform validate
+terraform plan -out tfplan
+```
+
+Set in `terraform.tfvars`:
+- `proxmox_template_vm_id = 9000`
+- `vm_id = 104`
+- `vm_ipv4_cidr = "10.1.50.125/24"`
+- `vm_ssh_public_key = "<your pub key>"`
+
+Expected:
+- `Success! The configuration is valid.`
+- plan shows `+ create` for `vm_id = 104`
+
+## 3) Replace old VM 104
+Run on: `root@rbmk2`
+
+```bash
+qm stop 104 || true
+qm destroy 104 --purge 1 --destroy-unreferenced-disks 1
+```
+
+Expected:
+- old test VM removed
+
+## 4) Apply Terraform
+Run on: local laptop  
+Path: `/home/nikola/codex-cli/projects/wazuh-proxmox-iac/terraform`
+
+```bash
+terraform apply tfplan
+terraform output
+```
+
+Expected:
+- `Apply complete!`
+- outputs include:
+  - `ssh devops@10.1.50.125 -p42315`
+  - `https://10.1.50.125`
+
+## 5) Fix guest agent if apply waits
+Symptom:
+- long `Still creating...`
+- on rbmk2: `qm agent 104 ping` => `QEMU guest agent is not running`
+
+Run on: VM `10.1.50.125` (ssh `-p22` or `-p42315`)
+
+```bash
+sudo apt-get update
+sudo apt-get install -y qemu-guest-agent
+sudo systemctl start qemu-guest-agent
+sudo systemctl status qemu-guest-agent --no-pager
+```
+
+Verify on `rbmk2`:
+
+```bash
+qm agent 104 ping
+```
+
+Expected:
+- agent running; apply completes
+
+## 6) Apply company SSH baseline
+Run on: local laptop  
+Path: `/home/nikola/codex-cli/projects/wazuh-proxmox-iac/terraform`
+
+```bash
+chmod +x scripts/company-bootstrap-ubuntu.sh scripts/install-wazuh-aio.sh scripts/verify-wazuh.sh
+scp -P22 scripts/company-bootstrap-ubuntu.sh devops@10.1.50.125:/tmp/
+ssh devops@10.1.50.125 -p22 "sudo bash /tmp/company-bootstrap-ubuntu.sh devops 42315 \"$(cat ~/.ssh/id_ed25519.pub)\""
+ssh devops@10.1.50.125 -p42315 "sudo sshd -T | egrep '^(port|permitrootlogin|passwordauthentication|pubkeyauthentication)'"
+```
+
+Expected:
+- `port 42315`
+- `permitrootlogin no`
+- `passwordauthentication no`
+- `pubkeyauthentication yes`
+
+## 7) Install Wazuh
+Run on: local laptop  
+Path: `/home/nikola/codex-cli/projects/wazuh-proxmox-iac/terraform`
+
+```bash
+scp -P42315 scripts/install-wazuh-aio.sh devops@10.1.50.125:/tmp/
+ssh devops@10.1.50.125 -p42315 "sudo bash /tmp/install-wazuh-aio.sh"
+./scripts/verify-wazuh.sh 10.1.50.125
+ssh devops@10.1.50.125 -p42315 "sudo systemctl status wazuh-indexer wazuh-manager wazuh-dashboard filebeat --no-pager"
+```
+
+Expected:
+- Installer summary with dashboard URL and admin password
+- `verify-wazuh.sh` checks pass
+- all 4 services `active (running)`
+
+## Common issues and fixes
+1. `can't clone to non-shared storage 'local-lvm'`
+- Cause: cross-node clone to non-shared storage.
+- Fix: create template directly on `rbmk2`.
+
+2. `unable to find configuration file for VM 129 on node 'rbmk2'`
+- Cause: source VM exists on another node.
+- Fix: run actions on the correct source node or avoid cross-node clone.
+
+3. SSH host key changed warning
+- Fix:
+```bash
+ssh-keygen -f ~/.ssh/known_hosts -R '[10.1.50.125]:42315'
+```
+
+4. `QEMU guest agent is not running`
+- Fix: install/start `qemu-guest-agent` inside VM, then retry/check.
+
+5. Thin pool warnings during import/resize
+- Cause: local-lvm oversubscription warning.
+- Fix: monitor storage free space before new clones and log growth.
+
+## Post-install hardening checklist (Wazuh lab)
+Run on: VM `10.1.50.125` (`ssh devops@10.1.50.125 -p42315`)
+
+1. Rotate default admin password
+- In dashboard: `https://10.1.50.125` -> change `admin` password immediately.
+
+2. Restrict API exposure (if not needed externally)
+```bash
+sudo ss -tulpen | egrep '(:443|:1514|:1515|:55000)'
+```
+- confirm only required ports are listening.
+
+3. Enable host firewall baseline
+```bash
+sudo apt-get install -y ufw
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+sudo ufw allow 42315/tcp
+sudo ufw allow 443/tcp
+sudo ufw allow 1514/tcp
+sudo ufw allow 1515/tcp
+sudo ufw allow 55000/tcp
+sudo ufw --force enable
+sudo ufw status verbose
+```
+- keep only Wazuh + SSH management ports open.
+
+4. Verify services are enabled and healthy
+```bash
+sudo systemctl is-active wazuh-indexer wazuh-manager wazuh-dashboard filebeat
+sudo systemctl is-enabled wazuh-indexer wazuh-manager wazuh-dashboard filebeat
+```
+- all should be active/enabled.
+
+5. Backup install artifacts and credentials file
+```bash
+sudo ls -l /root/wazuh-install-files.tar /var/log/wazuh-install.log
+```
+- copy to a secure internal vault/location.
+