feat: initial commit

terraform/.gitignore

@@ -0,0 +1,8 @@
+.terraform/
+.secrets/
+terraform.tfstate
+terraform.tfstate.*
+terraform.tfvars
+crash.log
+crash.*.log
+

terraform/.terraform.lock.hcl

@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/bpg/proxmox" {
+  version     = "0.68.0"
+  constraints = "0.68.0"
+  hashes = [
+    "h1:4Q+bUZoRz7o2ij/oPS3SsAy1D2CDdIMasegk+ll7oho=",
+    "zh:012f3fce033a7921335576edba0f2d2dad7dcaec2e5ed3b68ced692845131656",
+    "zh:1853ddbaef049b14e738bf8531a2c8e45d9ac409676a7f7f997d40ae794db783",
+    "zh:2a284f49f95bfe022f8b5bfed6ae56df5577f590ff26ae12322767f23e3b6c50",
+    "zh:491a7d5a3cf47fc3016213ca047fcf20288200901f5c0195314c32925fcd36c0",
+    "zh:4a198ab0b40b02a35955156d9a195c76a22f92d4078195ce94316b793d0d58d4",
+    "zh:63f0e62c5805b48893f9a106ed11e628f1a3bc3d34360a2bb31a88cfcc2051dd",
+    "zh:64cdc6a3bdd56e2285a2d65a17d87ee284fcdbbe69246baed4aeaf465a955007",
+    "zh:6721eaaa4998795c0caed3225aa2bc8ff796a6de86114431194b9770f98e2600",
+    "zh:79ef8a813d1b3d5ef69f2a00a3160fde9ca65c541db42c998c69db6dea66558f",
+    "zh:96aa2d4a6cdac17dcccbb76a1ef0afc15052c3f13fa3bb0f3f44b385272405d4",
+    "zh:9e1e18b04f228d671e1653294828021e672dab6635a309e72b2da4ba3b9f07e9",
+    "zh:a91b69c6df914f8f0504d0f0d25af6a870b79befe6ae11d39a1bd8b879871084",
+    "zh:bc618ee4f85b8c5db0e1494d207d2a6170ca08dad5ce9844866550a94dd56bea",
+    "zh:ea85f7e5dbbe768e2e15e0cafacee1c94e319d04c1835db1984a6ce79674c8e4",
+    "zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597",
+  ]
+}

terraform/README.md

@@ -0,0 +1,109 @@
+# Wazuh Proxmox Lab (Single VM, reuse VMID/IP)
+
+Run from:
+
+`/home/nikola/codex-cli/projects/wazuh-proxmox-iac/terraform`
+
+Target:
+- VMID `104`
+- IP `10.1.50.125/24`
+- Node `rbmk2`
+- OS source: Ubuntu 22.04 cloud-init template
+- SSH policy target: user `devops`, port `42315`, key-only auth
+
+## 0) One-time on Proxmox: Ubuntu 22.04 template
+
+You need one Ubuntu 22.04 cloud-init template in Proxmox first.
+After that, Terraform does the rest.
+
+Example on Proxmox node (adjust storage/bridge if needed):
+
+```bash
+wget https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img -O /tmp/jammy.img
+qm create 9000 --name ubuntu-2204-cloudinit --memory 2048 --cores 2 --net0 virtio,bridge=vmbr0
+qm importdisk 9000 /tmp/jammy.img local-lvm
+qm set 9000 --scsihw virtio-scsi-single --scsi0 local-lvm:vm-9000-disk-0
+qm set 9000 --ide2 local-lvm:cloudinit
+qm set 9000 --boot c --bootdisk scsi0
+qm set 9000 --serial0 socket --vga serial0
+qm template 9000
+```
+
+- pravi Ubuntu 22.04 template VMID `9000`
+
+## 1) Obrisi postojeci test VM 104 (ako nista ne radi na njemu)
+
+On Proxmox node:
+
+```bash
+qm stop 104 || true
+qm destroy 104 --purge 1 --destroy-unreferenced-disks 1
+```
+
+- gasi i brise stari VM 104
+
+## 2) Priprema Terraform fajlova
+
+```bash
+cd /home/nikola/codex-cli/projects/wazuh-proxmox-iac/terraform
+mkdir -p .secrets
+cp terraform.tfvars.example terraform.tfvars
+```
+
+- ulaz u projekat + vars + secret folder
+
+```bash
+nano terraform.tfvars
+```
+
+- proveri `vm_id=104`, `vm_ipv4_cidr=10.1.50.125/24`, `proxmox_template_vm_id=9000`
+
+```bash
+nano .secrets/api_token
+chmod 600 .secrets/api_token
+```
+
+- upisi Proxmox API token
+
+## 3) Podizanje novog Ubuntu VM-a na isto mesto
+
+```bash
+terraform init
+terraform fmt -recursive
+terraform validate
+terraform plan -out tfplan
+terraform apply tfplan
+terraform output
+```
+
+- kreira novi VM 104 sa istim IP
+- ovaj Terraform ne pokrece Docker/workload automatski; podize clean Ubuntu VM.
+- kontrola resursa je kroz `vm_cpu_cores` i `vm_memory_mb` u `terraform.tfvars`.
+
+## 4) Instalacija Wazuh na novom VM-u
+
+```bash
+chmod +x scripts/company-bootstrap-ubuntu.sh scripts/install-wazuh-aio.sh scripts/verify-wazuh.sh
+# ako SSH na 22 nije dostupan, zameni -P22/-p22 sa -P42315/-p42315
+scp -P22 scripts/company-bootstrap-ubuntu.sh devops@10.1.50.125:/tmp/
+ssh devops@10.1.50.125 -p22 "sudo bash /tmp/company-bootstrap-ubuntu.sh devops 42315 \"$(cat ~/.ssh/id_ed25519.pub)\""
+ssh devops@10.1.50.125 -p42315 "echo ssh baseline ok"
+scp -P42315 scripts/install-wazuh-aio.sh devops@10.1.50.125:/tmp/
+ssh devops@10.1.50.125 -p42315 "sudo bash /tmp/install-wazuh-aio.sh"
+```
+
+- primeni company SSH baseline pa instaliraj Wazuh
+
+## 5) Verifikacija
+
+```bash
+./scripts/verify-wazuh.sh 10.1.50.125
+```
+
+- provera dashboard + portovi 1514/1515
+
+## Key pravilo (preporuka)
+
+- Ne bake-uj licni SSH key u template.
+- Key ubacuj po VM-u kroz Terraform `vm_ssh_public_key` i/ili bootstrap skriptu.
+- Template neka ostane genericki, bez personalnih kljuceva.

terraform/main.tf

@@ -0,0 +1,51 @@
+provider "proxmox" {
+  endpoint  = var.proxmox_endpoint
+  insecure  = var.proxmox_insecure
+  api_token = trimspace(file(var.proxmox_api_token_file))
+}
+
+resource "proxmox_virtual_environment_vm" "wazuh" {
+  name      = var.vm_name
+  vm_id     = var.vm_id
+  node_name = var.proxmox_node_name
+
+  clone {
+    vm_id        = var.proxmox_template_vm_id
+    full         = true
+    datastore_id = var.proxmox_datastore_id
+  }
+
+  cpu {
+    sockets = var.vm_cpu_sockets
+    cores   = var.vm_cpu_cores
+  }
+
+  memory {
+    dedicated = var.vm_memory_mb
+  }
+
+  network_device {
+    model  = "virtio"
+    bridge = var.proxmox_bridge
+  }
+
+  initialization {
+    datastore_id = var.proxmox_datastore_id
+
+    user_account {
+      username = var.vm_ssh_username
+      keys     = [var.vm_ssh_public_key]
+    }
+
+    ip_config {
+      ipv4 {
+        address = var.vm_ipv4_cidr
+        gateway = var.vm_gateway
+      }
+    }
+  }
+
+  agent {
+    enabled = true
+  }
+}

terraform/outputs.tf

@@ -0,0 +1,19 @@
+locals {
+  vm_ip = split("/", var.vm_ipv4_cidr)[0]
+}
+
+output "vm_name" {
+  value = proxmox_virtual_environment_vm.wazuh.name
+}
+
+output "vm_ip" {
+  value = local.vm_ip
+}
+
+output "ssh_command" {
+  value = "ssh ${var.vm_ssh_username}@${local.vm_ip} -p${var.vm_ssh_port}"
+}
+
+output "wazuh_dashboard_url" {
+  value = "https://${local.vm_ip}"
+}

terraform/scripts/company-bootstrap-ubuntu.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "Run as root (sudo)." >&2
+  exit 1
+fi
+
+SSH_USER="${1:-devops}"
+SSH_PORT="${2:-42315}"
+SSH_PUBKEY="${3:-}"
+
+if [[ -z "${SSH_PUBKEY}" ]]; then
+  echo "Usage: $0 <ssh_user> <ssh_port> <ssh_public_key>" >&2
+  exit 1
+fi
+
+if ! id -u "${SSH_USER}" >/dev/null 2>&1; then
+  useradd -m -s /bin/bash "${SSH_USER}"
+fi
+
+usermod -aG sudo "${SSH_USER}"
+
+install -d -m 700 -o "${SSH_USER}" -g "${SSH_USER}" "/home/${SSH_USER}/.ssh"
+touch "/home/${SSH_USER}/.ssh/authorized_keys"
+chown "${SSH_USER}:${SSH_USER}" "/home/${SSH_USER}/.ssh/authorized_keys"
+chmod 600 "/home/${SSH_USER}/.ssh/authorized_keys"
+
+if ! grep -Fqx "${SSH_PUBKEY}" "/home/${SSH_USER}/.ssh/authorized_keys"; then
+  echo "${SSH_PUBKEY}" >>"/home/${SSH_USER}/.ssh/authorized_keys"
+fi
+
+cat >/etc/ssh/sshd_config.d/99-company.conf <<EOF
+Port ${SSH_PORT}
+PermitRootLogin no
+PasswordAuthentication no
+PubkeyAuthentication yes
+ChallengeResponseAuthentication no
+UsePAM yes
+EOF
+
+sshd -t
+systemctl restart ssh || systemctl restart sshd
+
+echo "Company baseline applied:"
+echo "- user: ${SSH_USER}"
+echo "- ssh port: ${SSH_PORT}"
+echo "- root login: disabled"
+echo "- password auth: disabled"
+

terraform/scripts/install-wazuh-aio.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "Run as root (sudo)." >&2
+  exit 1
+fi
+
+echo "[1/4] System update and tools"
+apt-get update -y
+apt-get install -y curl tar
+
+echo "[2/4] Download Wazuh installer"
+cd /root
+curl -sSLO https://packages.wazuh.com/4.14/wazuh-install.sh
+chmod +x wazuh-install.sh
+
+echo "[3/4] Install Wazuh all-in-one"
+bash ./wazuh-install.sh -a
+
+echo "[4/4] Installation finished"
+echo "Open: https://$(hostname -I | awk '{print $1}')"
+echo "Installer output contains generated admin credentials."
+

terraform/scripts/verify-wazuh.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TARGET_IP="${1:-}"
+
+if [[ -z "${TARGET_IP}" ]]; then
+  echo "Usage: $0 <wazuh-vm-ip>" >&2
+  exit 1
+fi
+
+echo "[1/3] Dashboard HTTPS check"
+curl -kI "https://${TARGET_IP}" | head -n 1
+
+echo "[2/3] Enrollment port check"
+nc -zv "${TARGET_IP}" 1515
+
+echo "[3/3] Agent events port check"
+nc -zv "${TARGET_IP}" 1514
+

terraform/terraform.tfvars.example

@@ -0,0 +1,20 @@
+proxmox_endpoint       = "https://10.0.50.110:8006/"
+proxmox_insecure       = true
+proxmox_api_token_file = ".secrets/api_token"
+proxmox_node_name      = "rbmk2"
+# Set this to Ubuntu 22.04 cloud-init template VMID.
+proxmox_template_vm_id = 9000
+proxmox_datastore_id   = "local-lvm"
+proxmox_bridge         = "vmbr0"
+
+vm_name        = "terraform-testvm-1"
+vm_id          = 104
+vm_cpu_sockets = 1
+vm_cpu_cores   = 4
+vm_memory_mb   = 8192
+vm_ipv4_cidr   = "10.1.50.125/24"
+vm_gateway     = "10.1.50.1"
+vm_ssh_username = "devops"
+vm_ssh_port     = 42315
+
+vm_ssh_public_key = "ssh-ed25519 AAAA... your-key-comment"

terraform/variables.tf

@@ -0,0 +1,100 @@
+variable "proxmox_endpoint" {
+  description = "Proxmox API endpoint."
+  type        = string
+  default     = "https://10.0.50.110:8006/"
+}
+
+variable "proxmox_insecure" {
+  description = "Allow insecure TLS for Proxmox API."
+  type        = bool
+  default     = true
+}
+
+variable "proxmox_api_token_file" {
+  description = "Path to file containing Proxmox API token."
+  type        = string
+  default     = ".secrets/api_token"
+}
+
+variable "proxmox_node_name" {
+  description = "Proxmox node where VM will be created."
+  type        = string
+  default     = "rbmk2"
+}
+
+variable "proxmox_template_vm_id" {
+  description = "Template VM ID used for clone."
+  type        = number
+  default     = 169
+}
+
+variable "proxmox_datastore_id" {
+  description = "Datastore used for clone and cloud-init."
+  type        = string
+  default     = "local-lvm"
+}
+
+variable "proxmox_bridge" {
+  description = "Proxmox bridge name."
+  type        = string
+  default     = "vmbr0"
+}
+
+variable "vm_name" {
+  description = "Wazuh VM name."
+  type        = string
+  default     = "terraform-testvm-1"
+}
+
+variable "vm_id" {
+  description = "Proxmox VMID for the Wazuh VM."
+  type        = number
+  default     = 104
+}
+
+variable "vm_cpu_sockets" {
+  description = "VM CPU sockets."
+  type        = number
+  default     = 1
+}
+
+variable "vm_cpu_cores" {
+  description = "VM CPU cores."
+  type        = number
+  default     = 4
+}
+
+variable "vm_memory_mb" {
+  description = "VM memory in MB."
+  type        = number
+  default     = 8192
+}
+
+variable "vm_ipv4_cidr" {
+  description = "VM IPv4 address in CIDR format."
+  type        = string
+  default     = "10.1.50.125/24"
+}
+
+variable "vm_gateway" {
+  description = "VM default gateway."
+  type        = string
+  default     = "10.1.50.1"
+}
+
+variable "vm_ssh_username" {
+  description = "Cloud-init username for SSH."
+  type        = string
+  default     = "devops"
+}
+
+variable "vm_ssh_port" {
+  description = "SSH port exposed by company policy."
+  type        = number
+  default     = 42315
+}
+
+variable "vm_ssh_public_key" {
+  description = "SSH public key inserted via cloud-init."
+  type        = string
+}

terraform/versions.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = "0.68.0"
+    }
+  }
+}
+