From 48ada6fa03c2d696ad6cdc517564dcfa76a0c420 Mon Sep 17 00:00:00 2001 From: Maxim Romanko Date: Fri, 23 May 2025 22:26:40 +0300 Subject: [PATCH] Updated README file --- README.md | 83 +++++++++++++++++++++++++-------------------- terraform/LICENSE | 15 -------- terraform/README.md | 52 ---------------------------- terraform/main.tf | 4 +-- 4 files changed, 48 insertions(+), 106 deletions(-) delete mode 100644 terraform/LICENSE delete mode 100644 terraform/README.md diff --git a/README.md b/README.md index fea3837..8e6d177 100644 --- a/README.md +++ b/README.md 
@@ -1,52 +1,61 @@ -# Conftest +# Security as Code for Automated Deployment k3s in Proxmox environment -[![Go Report Card](https://goreportcard.com/badge/open-policy-agent/opa)](https://goreportcard.com/report/open-policy-agent/conftest) [![Netlify](https://api.netlify.com/api/v1/badges/2d928746-3380-4123-b0eb-1fd74ba390db/deploy-status)](https://app.netlify.com/sites/vibrant-villani-65041c/deploys) +## 📘 Описание -Conftest helps you write tests against structured configuration data. Using Conftest you can -write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code, -Serverless configs or any other config files. +Этот проект предоставляет автоматизированный и безопасный способ развертывания кластера [K3s](https://k3s.io/) в среде [Proxmox VE](https://www.proxmox.com/en/proxmox-ve). Используются подходы **Security as Code**, чтобы обеспечить безопасную конфигурацию инфраструктуры на всех этапах — от создания виртуальных машин до установки кластерных компонентов и настройки сетевого взаимодействия. -Conftest uses the Rego language from [Open Policy Agent](https://www.openpolicyagent.org/) for writing -the assertions. You can read more about Rego in [How do I write policies](https://www.openpolicyagent.org/docs/how-do-i-write-policies.html) -in the Open Policy Agent documentation. +## 🔧 Возможности -Here's a quick example. Save the following as `policy/deployment.rego`: +* 📦 Полная автоматизация развертывания K3s-кластера +* 🔐 Реализация лучших практик безопасности (SSH, firewall, user hardening и пр.) 
+* 📜 IaC (Infrastructure as Code) с использованием Ansible, Terraform и Bash -```rego -package main +## 📁 Структура проекта -deny[msg] { - input.kind == "Deployment" - not input.spec.template.spec.securityContext.runAsNonRoot - - msg := "Containers must not run as root" -} - -deny[msg] { - input.kind == "Deployment" - not input.spec.selector.matchLabels.app - - msg := "Containers must provide app label for pod selectors" -} +``` +├── ansible/ # Ansible playbooks для настройки VM и K3s +├── terraform/ # Terraform модули для создания VM в Proxmox +└── README.md ``` -Assuming you have a Kubernetes deployment in `deployment.yaml` you can run Conftest like so: +## ⚙️ Требования -```console -$ conftest test deployment.yaml -FAIL - deployment.yaml - Containers must not run as root -FAIL - deployment.yaml - Containers must provide app label for pod selectors +* Proxmox VE 7.x+ +* Terraform 1.0+ +* Ansible 2.10+ +* Bash (Linux/macOS) +* Доступ к Proxmox через API +* SSH-ключ для доступа к виртуальным машинам -2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions +## 🚀 Установка + +1. **Склонируйте репозиторий:** + +```bash +git clone https://git.vadzik-iot.ru/vadzik/sac_project.git +cd k3s-proxmox-sec ``` -Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the [documentation](https://www.conftest.dev/) for [installation instructions](https://www.conftest.dev/install/) and -more details about the features. +2. **Настройте переменные окружения и secrets (Terraform/Ansible):** -## Want to contribute to Conftest? -* See [DEVELOPMENT.md](DEVELOPMENT.md) to build and test Conftest itself. -* See [CONTRIBUTING.md](CONTRIBUTING.md) to get started. +3. **Создайте виртуальные машины через Terraform:** -For discussions and questions join us on the [Open Policy Agent Slack](https://slack.openpolicyagent.org/) -in the `#opa-conftest` channel. 
+```bash +cd terraform +terraform init +terraform apply +``` + +4. **Запустите Ansible-плейбук для настройки K3s и обеспечения безопасности:** + +```bash +cd ../ansible +ansible-playbook site.yml -i inventory.ini +``` + +## 🔐 Безопасность + +* Минимизация прав пользователей +* Только доступ по SSH-ключу (пароли отключены) +* Проверка хэшей и сертификатов при установке diff --git a/terraform/LICENSE b/terraform/LICENSE deleted file mode 100644 index 079b383..0000000 --- a/terraform/LICENSE +++ /dev/null @@ -1,15 +0,0 @@ - Conftest - Write tests against your config files - - Copyright (C) 2019 Gareth Rushgrove - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/terraform/README.md b/terraform/README.md deleted file mode 100644 index fea3837..0000000 --- a/terraform/README.md +++ /dev/null 
@@ -1,52 +0,0 @@ -# Conftest - -[![Go Report Card](https://goreportcard.com/badge/open-policy-agent/opa)](https://goreportcard.com/report/open-policy-agent/conftest) [![Netlify](https://api.netlify.com/api/v1/badges/2d928746-3380-4123-b0eb-1fd74ba390db/deploy-status)](https://app.netlify.com/sites/vibrant-villani-65041c/deploys) - -Conftest helps you write tests against structured configuration data. Using Conftest you can -write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code, -Serverless configs or any other config files. - -Conftest uses the Rego language from [Open Policy Agent](https://www.openpolicyagent.org/) for writing -the assertions. You can read more about Rego in [How do I write policies](https://www.openpolicyagent.org/docs/how-do-i-write-policies.html) -in the Open Policy Agent documentation. - -Here's a quick example. Save the following as `policy/deployment.rego`: - -```rego -package main - -deny[msg] { - input.kind == "Deployment" - not input.spec.template.spec.securityContext.runAsNonRoot - - msg := "Containers must not run as root" -} - -deny[msg] { - input.kind == "Deployment" - not input.spec.selector.matchLabels.app - - msg := "Containers must provide app label for pod selectors" -} -``` - -Assuming you have a Kubernetes deployment in `deployment.yaml` you can run Conftest like so: - -```console -$ conftest test deployment.yaml -FAIL - deployment.yaml - Containers must not run as root -FAIL - deployment.yaml - Containers must provide app label for pod selectors - -2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions -``` - -Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the [documentation](https://www.conftest.dev/) for [installation instructions](https://www.conftest.dev/install/) and -more details about the features. - -## Want to contribute to Conftest? 
- -* See [DEVELOPMENT.md](DEVELOPMENT.md) to build and test Conftest itself. -* See [CONTRIBUTING.md](CONTRIBUTING.md) to get started. - -For discussions and questions join us on the [Open Policy Agent Slack](https://slack.openpolicyagent.org/) -in the `#opa-conftest` channel. diff --git a/terraform/main.tf b/terraform/main.tf index ad36e69..65d0ebf 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -17,8 +17,8 @@ resource "proxmox_vm_qemu" "proxmox_vm_master" { nameserver = "1.1.1.1 8.8.8.8" ipconfig0 = "ip=${var.master_ips[count.index]}/${var.networkrange},gw=${var.gateway}" skip_ipv6 = true - ciuser = "root" - cipassword = "test_passwd" + ciuser = "debian" + cipassword = "" sshkeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXXnm9Hl4fPCt/Xjd/8E5tKY+edtM/BvdMOXpx40oWG iac@proxmox.vadzik-iot.ru" # Most cloud-init images require a serial device for their display
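Review bot: the install steps in README.md do not work as written: `git clone https://git.vadzik-iot.ru/vadzik/sac_project.git` checks out into `sac_project/`, so the following `cd k3s-proxmox-sec` fails; use `cd sac_project` or pass a target directory to `git clone`. Step 2 ("Настройте переменные окружения и secrets (Terraform/Ansible)") has no body at all: list the variables the module actually consumes (`var.master_ips`, `var.networkrange` and `var.gateway` are referenced in `terraform/main.tf`), say where the Proxmox API credentials go (a git-ignored `terraform.tfvars` or environment variables, never the committed `.tf` files), and put `terraform plan` before `terraform apply` in step 3. Step 4 runs `ansible-playbook site.yml -i inventory.ini`, but nothing explains how `inventory.ini` gets the addresses Terraform just assigned from `master_ips`. The "Безопасность" section claims hash and certificate verification during install; nothing in this patch shows it, so point at the task that performs it or drop the bullet.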
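Review bot: the deleted `terraform/LICENSE` is Conftest's Apache-2.0 notice ("Copyright (C) 2019 Gareth Rushgrove"), evidently copied in together with the Conftest README rather than chosen for this project, so removing it is right only if nothing under `terraform/` was derived from Conftest; if anything was, Apache-2.0 requires the notice to stay. Separately, no top-level license is touched by this patch, so confirm the repository states its own license somewhere, otherwise it now ships with none.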
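Review bot: `terraform/README.md` is deleted outright instead of replaced. It was the same stray Conftest text, but the module is now undocumented: a few lines naming the required inputs (`master_ips`, `networkrange`, `gateway`, the Proxmox endpoint and credentials), the cloud-init template the VMs are cloned from, and the login user the playbooks will connect as (`debian`, per `main.tf`) would be worth more than an empty directory.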
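Review bot: `cipassword = ""` in `proxmox_vm_master` does not by itself deliver the "only SSH key access, passwords disabled" that the README promises; it only changes what cloud-init sets for the `debian` user, while whether sshd accepts passwords is decided by `ssh_pwauth` in the image and `PasswordAuthentication` in `sshd_config`. Prefer dropping the `cipassword` argument entirely over assigning an empty string, and have the Ansible hardening enforce `PasswordAuthentication no`. Two follow-ups: the plaintext `test_passwd` removed here is still in git history, so rotate it if it was ever applied to a VM; and the public key is hard-coded in `sshkeys` with the `iac@proxmox.vadzik-iot.ru` comment, which is better sourced from a variable or `file()` so key rotation does not mean editing the resource. Also check that any worker resource outside this hunk gets the same `ciuser`/`cipassword` change, and that the cloud image does not grant `debian` passwordless sudo if the README's "минимизация прав пользователей" is meant to hold.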