Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
3.1 KiB
Page Title: VaultMesh Virtualization Layer (BRICK Hypervisor)
Summary: The BRICK server runs libvirt/KVM and hosts the core VaultMesh VMs: debian-golden (template), gate-vm (mesh-core-01), and shield-vm (shield-01). Cockpit and VNC provide management and console access, while Tailscale and SSH bring the VMs into the wider mesh.
Key Findings:
- BRICK is the single hypervisor for core VaultMesh VMs.
- debian-golden serves as a reusable golden image to clone new VMs.
- gate-vm runs the mesh-stack-migration bundle (GitLab, MinIO, Prometheus, Grafana, Vaultwarden, backup-freshness, etc.).
- shield-vm is the Shield/OffSec node and home of the machine-secrets vault and TEM stack.
- VM networking uses libvirt NAT (192.168.122.x), with VNC reachable via SSH tunnels.
Components:
- libvirt daemon (qemu-kvm backend).
- QEMU/KVM for hardware-accelerated virtualization.
- Cockpit + cockpit-machines for web-based VM management.
- VNC servers for graphical consoles.
- Tailscale agents (optional/desired) inside VMs.
VM Network Layout:
| VM | NAT IP | VNC Port | Role |
|---|---|---|---|
| debian-golden | 192.168.122.187 | 5900 | Golden image / base template |
| gate-vm | 192.168.122.236 | 5901 | mesh-core-01 core stack host |
| shield-vm | 192.168.122.73 | 5902 | Shield/OffSec/TEM + machine vault |
Workflows / Pipelines:
- VM Management: Cockpit → https://brick:9090 → "Virtual Machines".
- Console Access:
  - `ssh brick` for a shell on the hypervisor.
  - `ssh -L 5901:localhost:5901 brick` to forward gate-vm's VNC port to the laptop (add `-L 5902:localhost:5902` for shield-vm).
  - `vnc://localhost:5901` (gate-vm) / `vnc://localhost:5902` (shield-vm) in the VNC client.
- Image Pipeline:
- Update debian-golden → snapshot → clone → new VM (e.g., future lab nodes).
- Join to Mesh:
- Boot VM → configure SSH → join Tailscale → register in SSH config.
Inputs:
- libvirt XML definitions for debian-golden, gate-vm, shield-vm.
- Debian cloud images / base images.
- SSH keys for root/debian users on each VM.
- mesh-stack-migration bundle to configure gate-vm.
Outputs:
- Running core VMs with access via SSH + Tailscale + VNC.
- Reproducible VM lifecycle (golden → clone → configure → join mesh).
- Isolated environment for Shield/TEM experiments on shield-vm.
Security Notes:
- VNC ports are not exposed directly; they're reached via SSH tunnel into brick.
- Each VM uses its own SSH host keys and per-node authorized_keys.
- NAT isolation (192.168.122.x) reduces blast radius from VM compromise.
- Installing Tailscale inside gate-vm/shield-vm avoids public exposure.
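The two points above, the SSH tunnel used for console access and the rule that VNC must never be reachable except through that tunnel, can be checked from the operator's shell. The script below is an added example, not part of the VaultMesh page or tooling: it builds the tunnel command from the VM table, and audits a listener list in the format of `ss -H -ltn` (a constructed sample is embedded) to flag any VNC port bound to something other than loopback. It assumes `brick` is the SSH alias for the hypervisor.

```shell
#!/bin/sh
# Added example (not the project's own code): build the SSH tunnel for a VM's
# VNC console and audit brick's listeners so VNC stays loopback-only.
# Assumes: VM names and VNC ports from the page's table; "brick" is the
# SSH host alias for the hypervisor.

# Map a VM name to its VNC port (values from the VM Network Layout table).
vnc_port_for() {
    case "$1" in
        debian-golden) echo 5900 ;;
        gate-vm)       echo 5901 ;;
        shield-vm)     echo 5902 ;;
        *) echo "unknown vm: $1" >&2; return 1 ;;
    esac
}

# Print the ssh command that forwards the VM's VNC port from brick to the
# laptop. -N: no remote shell; the local side is bound explicitly to 127.0.0.1
# so the forwarded port is not reachable from the laptop's LAN.
vnc_tunnel_cmd() {
    port=$(vnc_port_for "$1") || return 1
    printf 'ssh -N -L 127.0.0.1:%s:localhost:%s brick\n' "$port" "$port"
}

# Read `ss -H -ltn` style output on stdin and print every VNC port (5900-5999)
# whose local address is not loopback. Exit 1 if any such listener exists,
# 0 if all VNC listeners are bound to 127.0.0.1 or [::1].
check_vnc_bind() {
    awk '
        # $4 is Local Address:Port, e.g. 127.0.0.1:5901, 0.0.0.0:5902, [::]:5903
        {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port ~ /^59[0-9][0-9]$/ && addr != "127.0.0.1" && addr != "[::1]") {
                print "EXPOSED " $4; bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample of `ss -H -ltn` output: two loopback VNC listeners (fine)
# and one VNC server mistakenly bound to all interfaces.
SAMPLE_SS='LISTEN 0 32 127.0.0.1:5900 0.0.0.0:*
LISTEN 0 32 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 32 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:9090 [::]:*'

if [ "${1:-}" = "demo" ]; then
    vnc_tunnel_cmd gate-vm
    printf '%s\n' "$SAMPLE_SS" | check_vnc_bind \
        || echo "audit failed: fix the VNC bind address on brick"
fi
```

On the real hypervisor, run `ss -H -ltn | sh this_script.sh` style piping into `check_vnc_bind` (or `ssh brick ss -H -ltn | check_vnc_bind` from the laptop); the libvirt graphics `listen` address is what sets the bind, so an `EXPOSED` line means the VM's XML, not the tunnel, needs fixing.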
Dependencies:
- libvirt, qemu-kvm, Cockpit, cockpit-machines on brick.
- SSH and Tailscale inside each VM (where needed).
- TigerVNC or similar client on the operator's laptop.
Deployment Steps:
- Start VM via Cockpit or virsh.
- Create SSH tunnel from laptop to brick for VNC.
- Connect via VNC for first-boot setup if needed.
- Deploy SSH keys and install Tailscale inside the VM.
- For gate-vm: deploy mesh-stack-migration and start core stack.
- For shield-vm: deploy Shield/TEM/dual-vault components.
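The Image Pipeline and Deployment Steps above describe one lifecycle: snapshot the golden image, clone it, give the clone its own identity, then bring it into the mesh and register it in the SSH config. The script below is an added example, not the project's own tooling, that carries those steps through from the brick shell. Everything beyond the page is an assumption: it runs on brick with libvirt access; `virt-clone` and `virt-sysprep` (libguestfs-tools) are installed; the clone boots with a `debian` user that accepts the operator's SSH key; Tailscale is installed from the vendor script. `DRY_RUN=1` prints each privileged command instead of executing it.

```shell
#!/bin/sh
# Added example, not the project's own tooling: golden -> snapshot -> clone
# -> configure -> join mesh, as the page's lifecycle describes.
# Assumptions (not on the page): run on brick with libvirt access;
# virt-clone/virt-sysprep available; the clone has a "debian" user with the
# operator's key; Tailscale from the vendor script. DRY_RUN=1 prints
# privileged commands instead of running them.

DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'DRY: %s\n' "$*"; else "$@"; fi
}

# 1. Snapshot the golden image so a bad template update can be rolled back.
snapshot_golden() {
    run virsh snapshot-create-as debian-golden "golden-$(date +%Y%m%d)" "pre-clone snapshot"
}

# 2. Clone. virt-clone copies the disk and assigns a fresh MAC, but the SSH
# host keys and machine-id inside the disk are copied too; virt-sysprep
# strips them so the clone generates its own on first boot (the page's
# "each VM uses its own SSH host keys" property).
clone_vm() {
    run virt-clone --original debian-golden --name "$1" --auto-clone
    run virt-sysprep -d "$1" --hostname "$1" --operations ssh-hostkeys,machine-id
    run virsh start "$1"
}

# Pull the first IPv4 lease out of `virsh domifaddr NAME --source lease`.
parse_domifaddr() {
    awk '$3 == "ipv4" { sub("/.*", "", $4); print $4; exit }'
}

vm_ip() {
    virsh domifaddr "$1" --source lease | parse_domifaddr
}

# 3./4. Learn the regenerated host key on first contact and pin it, so a later
# key change is detected; then join Tailscale. --ssh enables Tailscale SSH so
# port 22 never needs to be reachable outside the mesh.
join_mesh() {
    ip="$2"
    run sh -c "ssh-keyscan -H $ip >> \$HOME/.ssh/known_hosts"
    run ssh "debian@$ip" 'curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up --ssh'
}

# 5. The ~/.ssh/config stanza that "register in SSH config" refers to.
# ProxyJump through brick keeps the NAT address unreachable from elsewhere.
ssh_config_entry() {
    printf 'Host %s\n    HostName %s\n    User debian\n    ProxyJump brick\n' "$1" "$2"
}

if [ "${1:-}" = "--demo" ]; then
    name="${2:?usage: $0 --demo NEW_VM_NAME}"
    snapshot_golden
    clone_vm "$name"
    ip=$(vm_ip "$name" 2>/dev/null || true)
    ip="${ip:-<nat-ip-placeholder>}"   # vm_ip needs a running clone; placeholder under DRY_RUN
    join_mesh "$name" "$ip"
    ssh_config_entry "$name" "$ip"
fi
```

Run `DRY_RUN=1 sh lifecycle.sh --demo lab-01` first to review the exact commands; the only step that touches a guest over the network is `join_mesh`, and it goes through the NAT address from brick, so nothing is published on the LAN before Tailscale is up.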