vaultsovereign/test
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
53b9d363b4e70709d562daf93bd94f8e14b12027
test/VaultMesh_Catalog_v1/pages/page3-virtualization.md
Vault Sovereign 1583890199 Initial commit - combined iTerm2 scripts 
Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 03:58:39 +00:00

65 lines
3.1 KiB
Markdown
Raw Blame History

Page Title: VaultMesh Virtualization Layer (BRICK Hypervisor)
Summary: The BRICK server runs libvirt/KVM and hosts the core VaultMesh VMs: debian-golden (template), gate-vm (mesh-core-01), and shield-vm (shield-01). Cockpit and VNC provide management and console access, while Tailscale and SSH bring the VMs into the wider mesh.
Key Findings:
- BRICK is the single hypervisor for core VaultMesh VMs.
- debian-golden serves as a reusable golden image to clone new VMs.
- gate-vm runs the mesh-stack-migration bundle (GitLab, MinIO, Prometheus, Grafana, Vaultwarden, backup-freshness, etc.).
- shield-vm is the Shield/OffSec node and home of the machine-secrets vault and TEM stack.
- VM networking uses libvirt NAT (192.168.122.x), with VNC reachable via SSH tunnels.
Components:
- libvirt daemon (qemu-kvm backend).
- QEMU/KVM for hardware-accelerated virtualization.
- Cockpit + cockpit-machines for web-based VM management.
- VNC servers for graphical consoles.
- Tailscale agents (optional/desired) inside VMs.
VM Network Layout:
| VM | NAT IP | VNC Port | Role |
|---------------|------------------|----------|------------------------------------|
| debian-golden | 192.168.122.187 | 5900 | Golden image / base template |
| gate-vm | 192.168.122.236 | 5901 | mesh-core-01 core stack host |
| shield-vm | 192.168.122.73 | 5902 | Shield/OffSec/TEM + machine vault |
Workflows / Pipelines:
- VM Management: Cockpit → https://brick:9090 → "Virtual Machines".
- Console Access:
- `ssh brick`
- `ssh -L 5901:localhost:5901 brick`
- `vnc://localhost:5901` (gate-vm) / `vnc://localhost:5902` (shield-vm).
- Image Pipeline:
- Update debian-golden → snapshot → clone → new VM (e.g., future lab nodes).
- Join to Mesh:
- Boot VM → configure SSH → join Tailscale → register in SSH config.
Inputs:
- libvirt XML definitions for debian-golden, gate-vm, shield-vm.
- Debian cloud images / base images.
- SSH keys for root/debian users on each VM.
- mesh-stack-migration bundle to configure gate-vm.
Outputs:
- Running core VMs with access via SSH + Tailscale + VNC.
- Reproducible VM lifecycle (golden → clone → configure → join mesh).
- Isolated environment for Shield/TEM experiments on shield-vm.
Security Notes:
- VNC ports are not exposed directly; they're reached via SSH tunnel into brick.
- Each VM uses its own SSH host keys and per-node authorized_keys.
- NAT isolation (192.168.122.x) reduces blast radius from VM compromise.
- Installing Tailscale inside gate-vm/shield-vm avoids public exposure.
Dependencies:
- libvirt, qemu-kvm, Cockpit, cockpit-machines on brick.
- SSH and Tailscale inside each VM (where needed).
- TigerVNC or similar client on the operator's laptop.
Deployment Steps:
1. Start VM via Cockpit or `virsh`.
2. Create SSH tunnel from laptop to brick for VNC.
3. Connect via VNC for first-boot setup if needed.
4. Deploy SSH keys and install Tailscale inside the VM.
5. For gate-vm: deploy `mesh-stack-migration` and start core stack.
6. For shield-vm: deploy Shield/TEM/dual-vault components.
Reference in New Issue View Git Blame Copy Permalink