Page Title: VaultMesh Virtualization Layer (BRICK Hypervisor)

Summary:
The BRICK server runs libvirt/KVM and hosts the core VaultMesh VMs: debian-golden (template), gate-vm (mesh-core-01), and shield-vm (shield-01). Cockpit and VNC provide management and console access, while Tailscale and SSH bring the VMs into the wider mesh.

Key Findings:
- BRICK is the single hypervisor for the core VaultMesh VMs.
- debian-golden serves as a reusable golden image from which new VMs are cloned.
- gate-vm runs the mesh-stack-migration bundle (GitLab, MinIO, Prometheus, Grafana, Vaultwarden, backup-freshness, etc.).
- shield-vm is the Shield/OffSec node and home of the machine-secrets vault and the TEM stack.
- VM networking uses libvirt NAT (192.168.122.x); VNC consoles are reached only through SSH tunnels into brick.

Components:
- libvirt daemon (qemu-kvm backend).
- QEMU/KVM for hardware-accelerated virtualization.
- Cockpit + cockpit-machines for web-based VM management.
- QEMU VNC servers (one per VM, listening on brick) for graphical consoles.
- Tailscale agents (optional/desired) inside the VMs.

VM Network Layout:

| VM            | NAT IP          | VNC Port (on brick) | Role                              |
|---------------|-----------------|---------------------|-----------------------------------|
| debian-golden | 192.168.122.187 | 5900                | Golden image / base template      |
| gate-vm       | 192.168.122.236 | 5901                | mesh-core-01 core stack host      |
| shield-vm     | 192.168.122.73  | 5902                | Shield/OffSec/TEM + machine vault |

Workflows / Pipelines:
- VM Management: Cockpit → https://brick:9090 → "Virtual Machines".
- Console Access:
  - `ssh brick` (shell on the hypervisor).
  - `ssh -L 5901:localhost:5901 brick` (forwards the VM's VNC port on brick's loopback to the laptop; use 5900 for debian-golden and 5902 for shield-vm).
  - `vnc://localhost:5901` (gate-vm) / `vnc://localhost:5902` (shield-vm).
- Image Pipeline:
  - Update debian-golden → snapshot → clone → new VM (e.g., future lab nodes).
  - Caveat: a clone carries the golden image's SSH host keys and /etc/machine-id. Scrub them (virt-sysprep on the image before cloning, or regenerate them on the clone's first boot) before the new VM joins the mesh.
- Join to Mesh:
  - Boot VM → configure SSH → join Tailscale → register in SSH config.

Inputs:
- libvirt XML definitions for debian-golden, gate-vm, shield-vm.
- Debian cloud images / base images.
- SSH keys for the root/debian users on each VM.
- mesh-stack-migration bundle to configure gate-vm.
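The console-access workflow above, as an added example (editor's code, not VaultMesh tooling): a POSIX shell helper that resolves the VNC port from the layout table, checks `ss -ltn` output from brick to confirm the port listens on loopback only, and only then prints the tunnel command and VNC URL. The `brick` ssh alias comes from the page's own commands; that `ss` is installed on brick is an assumption, and the sample `ss` output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (editor's code, not part of the VaultMesh tooling).
# Assumes: an ssh alias "brick" for the hypervisor and `ss` available on it.
set -eu

# VM -> VNC port, as in the VM Network Layout table.
vnc_port_for() {
  case "$1" in
    debian-golden) echo 5900 ;;
    gate-vm)       echo 5901 ;;
    shield-vm)     echo 5902 ;;
    *) echo "unknown VM: $1" >&2; return 1 ;;
  esac
}

# Read `ss -ltn` output on stdin. Succeed only if the port has at least one
# listener and every listener on it is bound to loopback (127.0.0.1 or [::1]).
# A 0.0.0.0 or * binding would expose the console to brick's LAN.
vnc_bind_is_loopback() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      p = $4;    sub(/.*:/, "", p)         # port after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)  # address before it, e.g. [::1]
      if (p == port) {
        found = 1
        if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
      }
    }
    END { exit ((found && !bad) ? 0 : 1) }'
}

# The tunnel line from the page, with the port substituted (local == remote).
tunnel_cmd() {
  port=$(vnc_port_for "$1") || return 1
  printf 'ssh -L %s:localhost:%s brick\n' "$port" "$port"
}

# Live flow: query brick, refuse to proceed if the VNC listener is not
# loopback-only, otherwise print the tunnel command and the VNC URL.
open_console() {
  port=$(vnc_port_for "$1") || return 1
  if ssh brick ss -ltn | vnc_bind_is_loopback "$port"; then
    tunnel_cmd "$1"
    echo "vnc://localhost:$port"
  else
    echo "refusing: VNC port $port on brick is missing or not loopback-only" >&2
    return 1
  fi
}

# Constructed sample of `ss -ltn` output (not captured from a real brick):
# 5901 is loopback-only, 5902 has been misconfigured to listen on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      1      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      1      0.0.0.0:5902       0.0.0.0:*'

# Offline demo of the check against the constructed sample.
demo() {
  for port in 5901 5902; do
    if printf '%s\n' "$SAMPLE_SS" | vnc_bind_is_loopback "$port"; then
      echo "$port: loopback-only"
    else
      echo "$port: NOT loopback-only"
    fi
  done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh console.sh demo` to see the check on the sample (5901 passes, 5902 is flagged); `open_console gate-vm` performs the live check over `ssh brick`. If a port is flagged, fix the libvirt side (`vnc_listen` in /etc/libvirt/qemu.conf, or the `listen` attribute of the domain's `<graphics type='vnc'>` element) rather than relying on a VNC password.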
Outputs:
- Running core VMs reachable via SSH + Tailscale + VNC.
- Reproducible VM lifecycle (golden → clone → configure → join mesh).
- Isolated environment for Shield/TEM experiments on shield-vm.

Security Notes:
- VNC ports are not exposed directly: the QEMU VNC listeners bind to 127.0.0.1 on brick (libvirt's default `vnc_listen`, overridable per VM in the domain XML) and are reached only via an SSH tunnel into brick. Confirm on brick that ports 5900-5902 listen on loopback only; VNC's own password is optional and weak, so do not rely on it.
- Each VM uses its own SSH host keys and per-node authorized_keys. Caveat: a VM cloned from debian-golden inherits the image's host keys and machine-id until they are regenerated, so verify that the fingerprints differ across VMs.
- NAT (192.168.122.x) blocks unsolicited inbound traffic from outside brick, which reduces the blast radius of a VM compromise. It does not isolate the VMs from each other or from brick: all three sit on the same libvirt bridge, so a compromised gate-vm can reach shield-vm directly unless the bridge traffic is filtered (libvirt nwfilter rules or the host firewall).
- Installing Tailscale inside gate-vm/shield-vm avoids public exposure; the services then become reachable from the whole tailnet, so scope access with Tailscale ACLs.

Dependencies:
- libvirt, qemu-kvm, Cockpit, cockpit-machines on brick.
- SSH and Tailscale inside each VM (where needed).
- TigerVNC or a similar VNC client on the operator's laptop.

Deployment Steps:
1. Start the VM via Cockpit or `virsh`.
2. Create an SSH tunnel from the laptop to brick for VNC.
3. Connect via VNC for first-boot setup if needed.
4. Deploy SSH keys and install Tailscale inside the VM.
5. For gate-vm: deploy `mesh-stack-migration` and start the core stack.
6. For shield-vm: deploy the Shield/TEM/dual-vault components.
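An added example (editor's code, not VaultMesh tooling) covering the image pipeline and the deployment steps: a post-clone identity check for the "each VM uses its own SSH host keys" property, plus the re-keying commands for a clone that was booted before its identity was scrubbed. It assumes ssh aliases named after the VMs that log in as root (the page lists root/debian keys per VM) and Debian guests, where the sshd unit is `ssh`; the key material in the sample is constructed, not real.

```shell
#!/bin/sh
# Added example (editor's code, not part of the VaultMesh tooling).
# Assumes: ssh aliases named after the VMs that log in as root, and Debian
# guests (sshd unit "ssh").
set -eu

# Report every value shared by more than one host.
# Input lines: "host value...", e.g. "host keytype key" (ssh-keyscan shape)
# or "host machine-id". Output: "host1,host2<TAB>value", one line per shared value.
find_shared() {
  awk '
    /^#/ || NF < 2 { next }
    {
      host = $1; $1 = ""; value = substr($0, 2)   # everything after the host
      if ((value, host) in seen) next              # same host listed twice
      seen[value, host] = 1
      n[value]++
      hosts[value] = (n[value] == 1) ? host : hosts[value] "," host
    }
    END { for (v in n) if (n[v] > 1) print hosts[v] "\t" v }' | sort
}

# Live collectors (need SSH access to the VMs). Output shape: "host value".
collect_hostkeys() {                # $@ = VM ssh aliases
  for vm in "$@"; do
    ssh "$vm" cat /etc/ssh/ssh_host_ed25519_key.pub | awk -v h="$vm" '{ print h, $1, $2 }'
  done
}
collect_machine_ids() {
  for vm in "$@"; do printf '%s %s\n' "$vm" "$(ssh "$vm" cat /etc/machine-id)"; done
}

# Exit non-zero if any VM shares a host key or machine-id with another.
check_vm_identities() {
  shared=$( { collect_hostkeys "$@"; collect_machine_ids "$@"; } | find_shared )
  if [ -n "$shared" ]; then
    printf 'shared identity material:\n%s\n' "$shared" >&2
    return 1
  fi
  echo "all $# VMs have distinct host keys and machine-ids"
}

# Fix for a clone that was booted before its identity was scrubbed:
# regenerate the default host keys and a fresh machine-id, then restart sshd.
regenerate_identity() {             # $1 = VM ssh alias
  ssh "$1" 'rm -f /etc/ssh/ssh_host_* && ssh-keygen -A &&
            rm -f /etc/machine-id /var/lib/dbus/machine-id &&
            systemd-machine-id-setup && systemctl restart ssh'
}

# Constructed sample (fake keys, not from real VMs): shield-vm was cloned from
# debian-golden without scrubbing, so it still presents the golden host key.
SAMPLE_KEYSCAN='debian-golden ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOLDENexample0000000000000000000000000000
gate-vm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATEexample000000000000000000000000000000
shield-vm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOLDENexample0000000000000000000000000000'

if [ "${1:-}" = demo ]; then
  printf '%s\n' "$SAMPLE_KEYSCAN" | find_shared
fi
```

`sh identities.sh demo` prints the one shared line (`debian-golden,shield-vm` and the duplicated key); `check_vm_identities gate-vm shield-vm` runs the same comparison against live VMs and is a reasonable gate before step 4 (deploying keys and joining Tailscale), since a host key shared with the golden image lets anyone holding the template impersonate the node. Running `virt-sysprep` on the golden disk before cloning removes the host keys and machine-id by default, which makes `regenerate_identity` unnecessary for new clones.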