@ebowwa/hetzner 0.1.0

package/bootstrap/cloud-init.js

@@ -0,0 +1,279 @@
+/**
+ * Cloud-Init Bootstrap Generator
+ *
+ * Generates cloud-init YAML scripts for first-boot server provisioning.
+ * Handles seed repository installation and initial setup.
+ *
+ * Security Integration:
+ * This module integrates all security modules in the correct order:
+ * 1. UFW Firewall (network-level defense)
+ * 2. Kernel Hardening (system-level hardening)
+ * 3. SSH Hardening (service-level hardening)
+ * 4. Security Audit (verification and reporting)
+ */
+import { sshdHardeningPackages, sshdHardeningWriteFiles, sshdHardeningRunCmd, } from "./ssh-hardening";
+import { ufwFirewallPackages, ufwFirewallWriteFiles, ufwFirewallRunCmd, DEFAULT_UFW_WORKER_OPTIONS, } from "./firewall";
+import { kernelHardeningPackages, kernelHardeningWriteFiles, kernelHardeningRunCmd, } from "./kernel-hardening";
+import { securityAuditPackages, securityAuditWriteFiles, securityAuditRunCmd, } from "./security-audit";
+/**
+ * Generate a cloud-init YAML script for seed installation
+ *
+ * @param options - Bootstrap configuration options
+ * @returns Cloud-init YAML string
+ */
+export function generateSeedBootstrap(options = {}) {
+    const { seedRepo = "https://github.com/ebowwa/seed", seedBranch = "dev", seedPath = "/root/seed", runSetup = true, setupEnv = {}, packages = [], additionalCommands = [], enableSecurity = true, } = options;
+    const lines = [];
+    // Cloud-config header
+    lines.push("#cloud-config");
+    lines.push("");
+    // System updates
+    lines.push("# Update system packages");
+    lines.push("package_update: true");
+    lines.push("package_upgrade: true");
+    lines.push("");
+    // Required packages
+    lines.push("# Install required packages");
+    lines.push("packages:");
+    lines.push("  - git");
+    lines.push("  - curl");
+    lines.push("  - jq");
+    lines.push("  - unzip");
+    lines.push("  - tmux");
+    // Security Module 1: UFW Firewall packages
+    if (enableSecurity) {
+        lines.push("  # Security: UFW Firewall");
+        lines.push(...ufwFirewallPackages());
+    }
+    // Security Module 2: Kernel hardening packages
+    if (enableSecurity) {
+        lines.push("  # Security: Kernel hardening");
+        lines.push(...kernelHardeningPackages());
+    }
+    // Security Module 3: SSH hardening packages (fail2ban)
+    if (enableSecurity) {
+        lines.push("  # Security: SSH hardening");
+        lines.push(...sshdHardeningPackages());
+    }
+    // Security Module 4: Security audit packages (lynis)
+    if (enableSecurity) {
+        lines.push("  # Security: Security audit");
+        lines.push(...securityAuditPackages());
+    }
+    // Add additional packages
+    for (const pkg of packages) {
+        lines.push(`  - ${pkg}`);
+    }
+    lines.push("");
+    // Status tracking file
+    lines.push("# Write bootstrap status file");
+    lines.push("write_files:");
+    lines.push("  - path: /root/.bootstrap-status");
+    lines.push("    owner: root:root");
+    lines.push("    permissions: '0644'");
+    lines.push("    content: |");
+    lines.push("      status=started");
+    lines.push("      started_at=$(date -Iseconds)");
+    lines.push("      source=cloud-init");
+    if (enableSecurity) {
+        lines.push("      security=enabled");
+    }
+    lines.push("");
+    // Add bun to system-wide PATH via /etc/environment
+    // NOTE: /etc/environment uses simple KEY="value" format (no variables, no comments)
+    // We need to replace PATH rather than append, and include all standard paths
+    lines.push("  # Add bun to /etc/environment for all users/shells");
+    lines.push("  # Format: Simple KEY=\"value\" pairs, no variable expansion");
+    lines.push("  - path: /etc/environment");
+    lines.push("    owner: root:root");
+    lines.push("    permissions: '0644'");
+    lines.push("    content: |");
+    lines.push("      PATH=\"/root/.bun/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"");
+    lines.push("");
+    // Security Module 1: UFW Firewall configuration files
+    if (enableSecurity) {
+        lines.push("  # Security Module 1: UFW Firewall configuration");
+        lines.push(...ufwFirewallWriteFiles(DEFAULT_UFW_WORKER_OPTIONS));
+    }
+    // Security Module 2: Kernel hardening configuration files
+    if (enableSecurity) {
+        lines.push("  # Security Module 2: Kernel hardening");
+        lines.push(...kernelHardeningWriteFiles());
+    }
+    // Security Module 3: SSH hardening configuration files
+    if (enableSecurity) {
+        lines.push("  # Security Module 3: SSH hardening");
+        lines.push(...sshdHardeningWriteFiles());
+    }
+    // Security Module 4: Security audit script
+    if (enableSecurity) {
+        lines.push("  # Security Module 4: Security audit");
+        lines.push(...securityAuditWriteFiles());
+    }
+    // Node-agent systemd service
+    lines.push("  # Node-agent systemd service for Ralph Loop orchestration");
+    lines.push("  - path: /etc/systemd/system/node-agent.service");
+    lines.push("    owner: root:root");
+    lines.push("    permissions: '0644'");
+    lines.push("    content: |");
+    lines.push("      [Unit]");
+    lines.push("      Description=Node Agent for Ralph Loop Orchestration");
+    lines.push("      Documentation=https://github.com/ebowwa/seed");
+    lines.push("      After=network-online.target");
+    lines.push("      Wants=network-online.target");
+    lines.push("");
+    lines.push("      [Service]");
+    lines.push("      Type=simple");
+    lines.push("      User=root");
+    lines.push(`      WorkingDirectory=${seedPath}/node-agent`);
+    lines.push("      ExecStart=/root/.bun/bin/bun run src/index.ts");
+    lines.push(`      EnvironmentFile=-${seedPath}/node-agent/.env`);
+    lines.push("      Environment=PORT=8911");
+    lines.push("      Restart=always");
+    lines.push("      RestartSec=10");
+    lines.push("      StandardOutput=journal");
+    lines.push("      StandardError=journal");
+    lines.push("      SyslogIdentifier=node-agent");
+    lines.push("");
+    // Security hardening for node-agent service
+    if (enableSecurity) {
+        lines.push("      # Security hardening");
+        lines.push("      NoNewPrivileges=true");
+        lines.push("      PrivateTmp=true");
+        lines.push("      ProtectSystem=strict");
+        lines.push("      ProtectHome=true");
+        lines.push("      ReadOnlyPaths=/");
+        lines.push("      ReadWritePaths=/var/log " + seedPath + "/node-agent");
+    }
+    lines.push("");
+    lines.push("      [Install]");
+    lines.push("      WantedBy=multi-user.target");
+    lines.push("");
+    // Run commands
+    lines.push("# Bootstrap commands");
+    lines.push("runcmd:");
+    // Install Bun and create node symlink
+    lines.push("  # Install Bun");
+    lines.push("  - curl -fsSL https://bun.sh/install | bash");
+    lines.push("  - ln -sf /root/.bun/bin/bun /root/.bun/bin/node  # Create 'node' symlink to bun");
+    lines.push("");
+    // Clone seed repository
+    lines.push(`  # Clone seed repository`);
+    lines.push(`  - git clone --depth 1 --branch ${seedBranch} ${seedRepo} ${seedPath}`);
+    lines.push("");
+    if (runSetup) {
+        // Build environment variables
+        const envVars = ["NONINTERACTIVE=1", ...Object.entries(setupEnv).map(([k, v]) => `${k}=${v}`)];
+        const envString = envVars.join(" ");
+        lines.push(`  # Run seed setup non-interactively`);
+        lines.push(`  - cd ${seedPath} && ${envString} bash ./setup.sh 2>&1 | tee /var/log/seed-setup.log`);
+        lines.push("");
+        // Create completion marker
+        lines.push(`  # Mark setup complete`);
+        lines.push(`  - touch ${seedPath}/.seed-setup-complete`);
+        lines.push("");
+    }
+    // Additional commands
+    if (additionalCommands.length > 0) {
+        lines.push(`  # Additional custom commands`);
+        for (const cmd of additionalCommands) {
+            lines.push(`  - ${cmd}`);
+        }
+        lines.push("");
+    }
+    // Security Module 1: UFW Firewall activation (runs first)
+    if (enableSecurity) {
+        lines.push("  # Security Module 1: Activate UFW Firewall");
+        lines.push(...ufwFirewallRunCmd(DEFAULT_UFW_WORKER_OPTIONS));
+    }
+    // Security Module 2: Kernel hardening activation
+    if (enableSecurity) {
+        lines.push("  # Security Module 2: Apply kernel hardening");
+        lines.push(...kernelHardeningRunCmd());
+    }
+    // Security Module 3: SSH hardening activation
+    if (enableSecurity) {
+        lines.push("  # Security Module 3: Activate SSH hardening");
+        lines.push(...sshdHardeningRunCmd());
+    }
+    // Security Module 4: Security audit (runs last)
+    if (enableSecurity) {
+        lines.push("  # Security Module 4: Run security audit");
+        lines.push(...securityAuditRunCmd());
+    }
+    // Mark bootstrap complete
+    lines.push(`  # Mark bootstrap complete`);
+    lines.push(`  - echo "status=complete" >> /root/.bootstrap-status`);
+    lines.push(`  - echo "completed_at=$(date -Iseconds)" >> /root/.bootstrap-status`);
+    if (enableSecurity) {
+        lines.push(`  - echo "security_hardening=applied" >> /root/.bootstrap-status`);
+    }
+    lines.push("");
+    lines.push("  # Start node-agent service");
+    lines.push("  - systemctl daemon-reload");
+    lines.push("  - systemctl enable node-agent");
+    lines.push("  - systemctl start node-agent");
+    return lines.join("\n");
+}
+/**
+ * Generate a minimal cloud-init script that uses #include to fetch from a URL
+ *
+ * This is useful for larger bootstrap scripts or when you want to update
+ * the bootstrap without code changes.
+ *
+ * @param url - URL to fetch the cloud-init config from
+ * @returns Cloud-init YAML string with #include directive
+ */
+export function generateRemoteBootstrap(url) {
+    return `#include\n${url}`;
+}
+/**
+ * Bootstrap configuration presets for common scenarios
+ */
+export const BootstrapPresets = {
+    /**
+     * Default seed installation with setup.sh and full security hardening
+     */
+    default: () => generateSeedBootstrap(),
+    /**
+     * Seed installation with full security hardening and verbose logging
+     */
+    secure: () => generateSeedBootstrap({
+        setupEnv: {
+            DEBUG: "1",
+            VERBOSE: "1",
+        },
+    }),
+    /**
+     * Seed installation without running setup.sh (useful for debugging)
+     */
+    cloneOnly: () => generateSeedBootstrap({ runSetup: false }),
+    /**
+     * Development bootstrap without security hardening (for testing)
+     */
+    development: () => generateSeedBootstrap({
+        enableSecurity: false,
+        packages: ["htop", "vim", "strace"],
+    }),
+    /**
+     * Verbose bootstrap with logging enabled
+     */
+    verbose: () => generateSeedBootstrap({
+        setupEnv: {
+            DEBUG: "1",
+            VERBOSE: "1",
+        },
+    }),
+};
+// Re-export Genesis bootstrap functions
+export { generateGenesisBootstrap, generateRemoteGenesisBootstrap, GenesisBootstrapPresets, } from "./genesis";
+// Re-export SSH hardening components so callers can compose custom
+// cloud-init scripts with hardening baked in (e.g. for non-standard node types)
+export { sshdHardeningPackages, sshdHardeningWriteFiles, sshdHardeningRunCmd, } from "./ssh-hardening";
+// Re-export UFW firewall components
+export { ufwFirewallPackages, ufwFirewallWriteFiles, ufwFirewallRunCmd, DEFAULT_UFW_WORKER_OPTIONS, DEFAULT_UFW_GENESIS_OPTIONS, generateUFWFirewallForGenesis, generateUFWFirewallForWorker, } from "./firewall";
+// Re-export kernel hardening components
+export { kernelHardeningPackages, kernelHardeningWriteFiles, kernelHardeningRunCmd, } from "./kernel-hardening";
+// Re-export security audit components
+export { securityAuditPackages, securityAuditWriteFiles, securityAuditRunCmd, } from "./security-audit";
+//# sourceMappingURL=cloud-init.js.map

package/bootstrap/cloud-init.ts

@@ -0,0 +1,394 @@
+/**
+ * Cloud-Init Bootstrap Generator
+ *
+ * Generates cloud-init YAML scripts for first-boot server provisioning.
+ * Handles seed repository installation and initial setup.
+ *
+ * Security Integration:
+ * This module integrates all security modules in the correct order:
+ * 1. UFW Firewall (network-level defense)
+ * 2. Kernel Hardening (system-level hardening)
+ * 3. SSH Hardening (service-level hardening)
+ * 4. Security Audit (verification and reporting)
+ */
+
+import {
+  sshdHardeningPackages,
+  sshdHardeningWriteFiles,
+  sshdHardeningRunCmd,
+} from "./ssh-hardening";
+import {
+  ufwFirewallPackages,
+  ufwFirewallWriteFiles,
+  ufwFirewallRunCmd,
+  DEFAULT_UFW_WORKER_OPTIONS,
+} from "./firewall";
+import {
+  kernelHardeningPackages,
+  kernelHardeningWriteFiles,
+  kernelHardeningRunCmd,
+} from "./kernel-hardening";
+import {
+  securityAuditPackages,
+  securityAuditWriteFiles,
+  securityAuditRunCmd,
+} from "./security-audit";
+
+export interface BootstrapOptions {
+  /** Seed repository URL (default: https://github.com/ebowwa/seed) */
+  seedRepo?: string;
+  /** Seed repository branch (default: dev) */
+  seedBranch?: string;
+  /** Installation path (default: /root/seed) */
+  seedPath?: string;
+  /** Whether to run setup.sh non-interactively (default: true) */
+  runSetup?: boolean;
+  /** Additional environment variables for setup.sh */
+  setupEnv?: Record<string, string>;
+  /** Additional packages to install */
+  packages?: string[];
+  /** Additional commands to run after seed installation */
+  additionalCommands?: string[];
+  /** Enable security hardening (default: true) */
+  enableSecurity?: boolean;
+}
+
+/**
+ * Generate a cloud-init YAML script for seed installation
+ *
+ * @param options - Bootstrap configuration options
+ * @returns Cloud-init YAML string
+ */
+export function generateSeedBootstrap(options: BootstrapOptions = {}): string {
+  const {
+    seedRepo = "https://github.com/ebowwa/seed",
+    seedBranch = "dev",
+    seedPath = "/root/seed",
+    runSetup = true,
+    setupEnv = {},
+    packages = [],
+    additionalCommands = [],
+    enableSecurity = true,
+  } = options;
+
+  const lines: string[] = [];
+
+  // Cloud-config header
+  lines.push("#cloud-config");
+  lines.push("");
+
+  // System updates
+  lines.push("# Update system packages");
+  lines.push("package_update: true");
+  lines.push("package_upgrade: true");
+  lines.push("");
+
+  // Required packages
+  lines.push("# Install required packages");
+  lines.push("packages:");
+  lines.push("  - git");
+  lines.push("  - curl");
+  lines.push("  - jq");
+  lines.push("  - unzip");
+  lines.push("  - tmux");
+
+  // Security Module 1: UFW Firewall packages
+  if (enableSecurity) {
+    lines.push("  # Security: UFW Firewall");
+    lines.push(...ufwFirewallPackages());
+  }
+
+  // Security Module 2: Kernel hardening packages
+  if (enableSecurity) {
+    lines.push("  # Security: Kernel hardening");
+    lines.push(...kernelHardeningPackages());
+  }
+
+  // Security Module 3: SSH hardening packages (fail2ban)
+  if (enableSecurity) {
+    lines.push("  # Security: SSH hardening");
+    lines.push(...sshdHardeningPackages());
+  }
+
+  // Security Module 4: Security audit packages (lynis)
+  if (enableSecurity) {
+    lines.push("  # Security: Security audit");
+    lines.push(...securityAuditPackages());
+  }
+
+  // Add additional packages
+  for (const pkg of packages) {
+    lines.push(`  - ${pkg}`);
+  }
+  lines.push("");
+
+  // Status tracking file
+  lines.push("# Write bootstrap status file");
+  lines.push("write_files:");
+  lines.push("  - path: /root/.bootstrap-status");
+  lines.push("    owner: root:root");
+  lines.push("    permissions: '0644'");
+  lines.push("    content: |");
+  lines.push("      status=started");
+  lines.push("      started_at=$(date -Iseconds)");
+  lines.push("      source=cloud-init");
+  if (enableSecurity) {
+    lines.push("      security=enabled");
+  }
+  lines.push("");
+
+  // Add bun to system-wide PATH via /etc/environment
+  // NOTE: /etc/environment uses simple KEY="value" format (no variables, no comments)
+  // We need to replace PATH rather than append, and include all standard paths
+  lines.push("  # Add bun to /etc/environment for all users/shells");
+  lines.push("  # Format: Simple KEY=\"value\" pairs, no variable expansion");
+  lines.push("  - path: /etc/environment");
+  lines.push("    owner: root:root");
+  lines.push("    permissions: '0644'");
+  lines.push("    content: |");
+  lines.push("      PATH=\"/root/.bun/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"");
+  lines.push("");
+
+  // Security Module 1: UFW Firewall configuration files
+  if (enableSecurity) {
+    lines.push("  # Security Module 1: UFW Firewall configuration");
+    lines.push(...ufwFirewallWriteFiles(DEFAULT_UFW_WORKER_OPTIONS));
+  }
+
+  // Security Module 2: Kernel hardening configuration files
+  if (enableSecurity) {
+    lines.push("  # Security Module 2: Kernel hardening");
+    lines.push(...kernelHardeningWriteFiles());
+  }
+
+  // Security Module 3: SSH hardening configuration files
+  if (enableSecurity) {
+    lines.push("  # Security Module 3: SSH hardening");
+    lines.push(...sshdHardeningWriteFiles());
+  }
+
+  // Security Module 4: Security audit script
+  if (enableSecurity) {
+    lines.push("  # Security Module 4: Security audit");
+    lines.push(...securityAuditWriteFiles());
+  }
+
+  // Node-agent systemd service
+  lines.push("  # Node-agent systemd service for Ralph Loop orchestration");
+  lines.push("  - path: /etc/systemd/system/node-agent.service");
+  lines.push("    owner: root:root");
+  lines.push("    permissions: '0644'");
+  lines.push("    content: |");
+  lines.push("      [Unit]");
+  lines.push("      Description=Node Agent for Ralph Loop Orchestration");
+  lines.push("      Documentation=https://github.com/ebowwa/seed");
+  lines.push("      After=network-online.target");
+  lines.push("      Wants=network-online.target");
+  lines.push("");
+  lines.push("      [Service]");
+  lines.push("      Type=simple");
+  lines.push("      User=root");
+  lines.push(`      WorkingDirectory=${seedPath}/node-agent`);
+  lines.push("      ExecStart=/root/.bun/bin/bun run src/index.ts");
+  lines.push(`      EnvironmentFile=-${seedPath}/node-agent/.env`);
+  lines.push("      Environment=PORT=8911");
+  lines.push("      Restart=always");
+  lines.push("      RestartSec=10");
+  lines.push("      StandardOutput=journal");
+  lines.push("      StandardError=journal");
+  lines.push("      SyslogIdentifier=node-agent");
+  lines.push("");
+  // Security hardening for node-agent service
+  if (enableSecurity) {
+    lines.push("      # Security hardening");
+    lines.push("      NoNewPrivileges=true");
+    lines.push("      PrivateTmp=true");
+    lines.push("      ProtectSystem=strict");
+    lines.push("      ProtectHome=true");
+    lines.push("      ReadOnlyPaths=/");
+    lines.push("      ReadWritePaths=/var/log " + seedPath + "/node-agent");
+  }
+  lines.push("");
+  lines.push("      [Install]");
+  lines.push("      WantedBy=multi-user.target");
+  lines.push("");
+
+  // Run commands
+  lines.push("# Bootstrap commands");
+  lines.push("runcmd:");
+
+  // Install Bun and create node symlink
+  lines.push("  # Install Bun");
+  lines.push("  - curl -fsSL https://bun.sh/install | bash");
+  lines.push("  - ln -sf /root/.bun/bin/bun /root/.bun/bin/node  # Create 'node' symlink to bun");
+  lines.push("");
+
+  // Clone seed repository
+  lines.push(`  # Clone seed repository`);
+  lines.push(`  - git clone --depth 1 --branch ${seedBranch} ${seedRepo} ${seedPath}`);
+  lines.push("");
+
+  if (runSetup) {
+    // Build environment variables
+    const envVars = ["NONINTERACTIVE=1", ...Object.entries(setupEnv).map(([k, v]) => `${k}=${v}`)];
+    const envString = envVars.join(" ");
+
+    lines.push(`  # Run seed setup non-interactively`);
+    lines.push(`  - cd ${seedPath} && ${envString} bash ./setup.sh 2>&1 | tee /var/log/seed-setup.log`);
+    lines.push("");
+
+    // Create completion marker
+    lines.push(`  # Mark setup complete`);
+    lines.push(`  - touch ${seedPath}/.seed-setup-complete`);
+    lines.push("");
+  }
+
+  // Additional commands
+  if (additionalCommands.length > 0) {
+    lines.push(`  # Additional custom commands`);
+    for (const cmd of additionalCommands) {
+      lines.push(`  - ${cmd}`);
+    }
+    lines.push("");
+  }
+
+  // Security Module 1: UFW Firewall activation (runs first)
+  if (enableSecurity) {
+    lines.push("  # Security Module 1: Activate UFW Firewall");
+    lines.push(...ufwFirewallRunCmd(DEFAULT_UFW_WORKER_OPTIONS));
+  }
+
+  // Security Module 2: Kernel hardening activation
+  if (enableSecurity) {
+    lines.push("  # Security Module 2: Apply kernel hardening");
+    lines.push(...kernelHardeningRunCmd());
+  }
+
+  // Security Module 3: SSH hardening activation
+  if (enableSecurity) {
+    lines.push("  # Security Module 3: Activate SSH hardening");
+    lines.push(...sshdHardeningRunCmd());
+  }
+
+  // Security Module 4: Security audit (runs last)
+  if (enableSecurity) {
+    lines.push("  # Security Module 4: Run security audit");
+    lines.push(...securityAuditRunCmd());
+  }
+
+  // Mark bootstrap complete
+  lines.push(`  # Mark bootstrap complete`);
+  lines.push(`  - echo "status=complete" >> /root/.bootstrap-status`);
+  lines.push(`  - echo "completed_at=$(date -Iseconds)" >> /root/.bootstrap-status`);
+  if (enableSecurity) {
+    lines.push(`  - echo "security_hardening=applied" >> /root/.bootstrap-status`);
+  }
+  lines.push("");
+  lines.push("  # Start node-agent service");
+  lines.push("  - systemctl daemon-reload");
+  lines.push("  - systemctl enable node-agent");
+  lines.push("  - systemctl start node-agent");
+
+  return lines.join("\n");
+}
+
+/**
+ * Generate a minimal cloud-init script that uses #include to fetch from a URL
+ *
+ * This is useful for larger bootstrap scripts or when you want to update
+ * the bootstrap without code changes.
+ *
+ * @param url - URL to fetch the cloud-init config from
+ * @returns Cloud-init YAML string with #include directive
+ */
+export function generateRemoteBootstrap(url: string): string {
+  return `#include\n${url}`;
+}
+
+/**
+ * Bootstrap configuration presets for common scenarios
+ */
+export const BootstrapPresets = {
+  /**
+   * Default seed installation with setup.sh and full security hardening
+   */
+  default: () => generateSeedBootstrap(),
+
+  /**
+   * Seed installation with full security hardening and verbose logging
+   */
+  secure: () =>
+    generateSeedBootstrap({
+      setupEnv: {
+        DEBUG: "1",
+        VERBOSE: "1",
+      },
+    }),
+
+  /**
+   * Seed installation without running setup.sh (useful for debugging)
+   */
+  cloneOnly: () => generateSeedBootstrap({ runSetup: false }),
+
+  /**
+   * Development bootstrap without security hardening (for testing)
+   */
+  development: () =>
+    generateSeedBootstrap({
+      enableSecurity: false,
+      packages: ["htop", "vim", "strace"],
+    }),
+
+  /**
+   * Verbose bootstrap with logging enabled
+   */
+  verbose: () =>
+    generateSeedBootstrap({
+      setupEnv: {
+        DEBUG: "1",
+        VERBOSE: "1",
+      },
+    }),
+} as const;
+
+// Re-export Genesis bootstrap functions
+export {
+  generateGenesisBootstrap,
+  generateRemoteGenesisBootstrap,
+  GenesisBootstrapPresets,
+  type GenesisBootstrapOptions,
+} from "./genesis";
+
+// Re-export SSH hardening components so callers can compose custom
+// cloud-init scripts with hardening baked in (e.g. for non-standard node types)
+export {
+  sshdHardeningPackages,
+  sshdHardeningWriteFiles,
+  sshdHardeningRunCmd,
+} from "./ssh-hardening";
+
+// Re-export UFW firewall components
+export {
+  ufwFirewallPackages,
+  ufwFirewallWriteFiles,
+  ufwFirewallRunCmd,
+  DEFAULT_UFW_WORKER_OPTIONS,
+  DEFAULT_UFW_GENESIS_OPTIONS,
+  generateUFWFirewallForGenesis,
+  generateUFWFirewallForWorker,
+  type UFWFirewallOptions,
+} from "./firewall";
+
+// Re-export kernel hardening components
+export {
+  kernelHardeningPackages,
+  kernelHardeningWriteFiles,
+  kernelHardeningRunCmd,
+} from "./kernel-hardening";
+
+// Re-export security audit components
+export {
+  securityAuditPackages,
+  securityAuditWriteFiles,
+  securityAuditRunCmd,
+} from "./security-audit";