docs(fleet): add PegaProx, iVentoy remastering procedures, update admin cheat sheet

- fleet/admin-cheat-sheet.md: Added PegaProx section, updated MK33/MK34/MK39 statuses to Online (PVE), added iVentoy remastering notes, iVentoy Pro upgrade pending marker. - procedures/pega-prox-deploy.md: New procedure for deploying PegaProx on Docker Swarm (host mode, CSRF, API gotchas). - procedures/iventoy-remaster-procedure.md: New procedure for remastering Proxmox ISOs with embedded answer URLs and locked gfxmode. - changelog/2026-05-31-pxe-pegaprox-deployment.md: Changelog entry for todays fleet work. - 04-service-catalog.md: Added PegaProx to Management / Dashboard section.
2026-05-31 21:38:45 -04:00
parent 484b2e6272
commit 4af50ec883
5 changed files with 698 additions and 0 deletions
--- a/fleet/admin-cheat-sheet.md
+++ b/fleet/admin-cheat-sheet.md
@@ -0,0 +1,206 @@
+# Iron Legion Fleet Admin Cheat Sheet
+
+Generated: 2026-05-31
+Maintainer: F.R.I.D.A.Y. (Hermes Agent)
+
+---
+
+## Quick Access Links
+
+| Service | URL / Endpoint | Notes |
+|---------|---------------|-------|
+| iVentoy PXE Server | http://192.168.27.205:26000 | Shield WiFi fallback |
+| PegaProx | https://192.168.7.7:5000 | PVE Cluster Manager (host mode) |
+| Portainer | https://portainer.ai.home | Swarm Manager |
+| Traefik Dashboard | https://traefik.ai.home:8080 | Proxy/Router |
+| Technitium DNS | https://dns.ai.home:5380 | DNS Server |
+| Beszel Monitoring | https://beszel.ai.home | Fleet Metrics |
+| Dozzle | https://dozzle.ai.home | Container Logs |
+| Homepage | https://home.ai.home | Service Portal |
+| Prometheus | https://prometheus.ai.home | Metrics DB |
+| Authelia | https://auth.ai.home | SSO Portal |
+
+---
+
+## Fleet Node Inventory
+
+### Swarm Manager
+
+- Hostname: mark-vii.ai.home
+- Armor Code: MK-7
+- LAN IP: 192.168.7.7
+- Tailscale IP: 100.66.70.51
+- Role: Swarm Manager, DNS, Traefik, Portainer, PegaProx
+- CPUs: 18 | RAM: 15 GB | Disk: 916 GB
+
+### Worker Nodes G9 (Proxmox VE)
+
+| Armor | Hostname | LAN IP | Tailscale IP | MAC | Status |
+|-------|----------|--------|--------------|-----|--------|
+| MK-33 | mk33.ai.home | 192.168.7.33 | TBD | E0-51-D8-1C-5D-56 | Online (PVE) |
+| MK-34 | mk34.ai.home | 192.168.7.34 | TBD | E0-51-D8-1C-5C-75 | Online (PVE) |
+| MK-39 | mk39.ai.home | 192.168.7.39 | TBD | PENDING | Online (PVE) |
+| MK-42 | mk42.ai.home | 192.168.7.42 | TBD | PENDING | Not Installed |
+
+### Utility Nodes
+
+| Armor | Hostname | LAN IP | Tailscale IP | Role |
+|-------|----------|--------|--------------|------|
+| Neo | nebuchadnezzar.ai.home | 192.168.192.24 | 100.99.123.16 | Nextcloud AIO, Gitea |
+| MK-44 | mark44.ai.home | 192.168.5.214 | TBD | Ollama GPU |
+| MK-5 | mark5.ai.home | 192.168.6.5 | TBD | TBD |
+| Shield | shield.ai.home | 192.168.10.15 / 192.168.27.205 | - | PXE/iVentoy Server |
+| Artemis | artemis.ai.home | 192.168.15.182 | 100.100.97.18 | Discord Gateway |
+
+### Mission Control
+
+- Hostname: mission-control.ai.home
+- OS: Windows 11
+- Role: Workstation
+- Type: Separate physical machine
+
+---
+
+## PegaProx — Proxmox VE Cluster Manager
+
+| Attribute | Value |
+|-----------|-------|
+| **Host** | MK7 (192.168.7.7) |
+| **Ports** | 5000 (HTTPS UI/API), 5001 (VNC WebSocket), 5002 (SSH WebSocket) |
+| **Deploy mode** | Docker Swarm — `host` publish mode |
+| **Network** | `traefik-public` overlay |
+| **SSL** | Self-signed cert (`CN=PegaProx`, auto-generated) |
+| **Default user** | `pegaprox` (password change required on first login) |
+| **Cluster IDs** | MK33=`726eb477`, MK34=`df6f5e5d`, MK39=`9711704b` |
+
+**Admin password must be changed on first login.**
+
+**API notes:**
+- Add cluster: `host` field must be **bare IP only** (no `:8006` — PegaProx appends port internally)
+- CSRF protection requires `X-Requested-With: XMLHttpRequest` on state-changing API calls
+- Exempt paths: `/api/auth/login`, `/api/auth/setup`, `/api/health`
+
+---
+
+## iVentoy PXE Configuration
+
+- Server: shield.ai.home -- 192.168.10.15/27
+- WebUI: http://192.168.27.205:26000
+- Subnet: 192.168.10.0/27
+- Pool: 192.168.10.20 to 192.168.10.30
+- MAC Filter: Permit mode
+- Edition: **iVentoy Free** (Pro upgrade pending -- private repo link awaited)
+
+### Registered ISOs
+
+| ISO | Node | Purpose |
+|-----|------|---------|
+| proxmox-mk33-auto.iso | MK-33 | PVE 9.2 Auto-Install |
+| proxmox-mk34-auto.iso | MK-34 | PVE 9.2 Auto-Install |
+| proxmox-mk39-auto.iso | MK-39 | PVE 9.2 Auto-Install |
+| proxmox-mk42-auto.iso | MK-42 | PVE 9.2 Auto-Install |
+| proxmox-ve_9.2-1.iso | - | Original PVE ISO |
+| ubuntu-24.04.3-live-server-amd64.iso | - | Ubuntu Autoinstall |
+
+### Whitelisted MACs
+
+- E0-51-D8-1C-5D-CA (Legacy)
+- E0-51-D8-1C-5D-5C (Legacy)
+- E0-51-D8-1C-5D-56 (MK-33)
+- E0-51-D8-1C-5C-75 (MK-34)
+- PENDING: MK-39
+- PENDING: MK-42
+
+Post-Install: Remove MAC from whitelist. Node boots local disk, gets production IP.
+
+### ISO Remastering Notes
+
+All Proxmox auto-install ISOs are **remastered** with:
+1. **Embedded answer URL** -- each ISO points to `http://192.168.10.15:8080/pve/answers/mkNN.toml` (server URL hardcoded; node IP assigned by DHCP)
+2. **UEFI gfxmode locked** -- strict `1024x768` (fallback `640x480` removed)
+3. **Per-ISO answer files** -- `mk33.toml`, `mk34.toml`, `mk39.toml`, `mk42.toml` in `/opt/iventoy/user/answers/`
+
+> iVentoy Free does NOT support per-MAC ISO binding. Remastered ISOs achieve per-node provisioning via embedded answer URLs.
+
+---
+
+## DNS Records
+
+### CNAME to traefik.ai.home -- A: 192.168.7.7
+
+- artemis.ai.home
+- hermes.ai.home
+- n8n.ai.home
+- pgadmin.ai.home
+- portainer.ai.home
+- beszel.ai.home
+- dozzle.ai.home
+- prometheus.ai.home
+- homepage.ai.home
+- auth.ai.home
+- dns.ai.home
+
+### A Records
+
+- traefik.ai.home -> 192.168.7.7
+- mk7.ai.home -> 192.168.7.7
+- mk33.ai.home -> 192.168.7.33
+- mk34.ai.home -> 192.168.7.34
+- mk39.ai.home -> 192.168.7.39
+- mk42.ai.home -> 192.168.7.42
+- mark44.ai.home -> 192.168.5.214
+- mark5.ai.home -> 192.168.6.5
+- nebuchadnezzar.ai.home -> 192.168.192.24
+- shield.ai.home -> 192.168.10.15
+
+---
+
+## SSH Topology
+
+    Portable Host (F.R.I.D.A.Y.)
+        |
+        +---> artemis.ai.home via id_ed25519
+        |         +---> mk7.ai.home via artemis_key
+        |
+        +---> shield via jarvis user
+        |         +---> PXE subnet 192.168.10.0/27
+        |
+        +---> mk33-42 via bobby user (legacy subnet)
+        |
+        +---> nebuchadnezzar via jarvis user
+
+Key Files:
+- ~/.ssh/id_ed25519 -- bobby@cinnamint
+- ~/.ssh/artemis_key -- MK7 jump-host
+
+---
+
+## Armor Codenames
+
+| Code | Name | System |
+|------|------|--------|
+| MK-7 | Mark VII | Swarm Manager |
+| MK-33 | Silver Centurion | Worker |
+| MK-34 | Igor | Worker |
+| MK-39 | Starboost | Worker |
+| MK-42 | Bones | Worker |
+| MK-44 | Hulkbuster | GPU/Ollama |
+| MK-5 | Mark 5 | TBD |
+| J.A.R.V.I.S. | Judicious Automated... | Dashboard |
+| F.R.I.D.A.Y. | Field-Ready Runtime... | Portable Agent |
+| A.R.T.E.M.I.S. | Advanced Real-Time... | Discord |
+| NEO | Nebuchadnezzar | Nextcloud |
+| SHIELD | - | PXE Server |
+
+---
+
+## Notes
+
+- iVentoy Free does NOT support per-MAC ISO binding.
+- Shield PXE subnet isolated via ip_forward=0.
+- Mission Control is separate physical machine.
+- All *.ai.home resolve via Technitium DNS.
+- PegaProx deployed on MK7 Swarm in `host` mode (not routed through Traefik).
+- iVentoy Pro upgrade pending -- private repo link awaited from vendor.
+
+Last updated: 2026-05-31 by F.R.I.D.A.Y.