Initial implementation: host lifecycle + PXE + admin dashboard

Go service for Proxmox homelab cluster provisioning. Handles PXE boot,
Proxmox autoinstall (answer file generation), cluster join via SSH,
and Infrastructure API registration.

- Host state machine (registered → pxe_ready → installing → ready)
- dnsmasq supervisor with MAC-based allowlist
- iPXE script and Proxmox answer file generation
- First-boot phone-home → cluster join → infra registration
- Operation locking with expiry (409 on conflict)
- SSE event hub for real-time dashboard updates
- Admin dashboard (host grid, detail, registration form)
- Config-driven server types with hot-reload
- Docker deployment (multi-stage fat image)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/pxe/answer.go

@@ -0,0 +1,44 @@
+package pxe
+
+import (
+	"fmt"
+	"strings"
+
+	"provisioning/internal/config"
+	"provisioning/internal/model"
+)
+
+func GenerateAnswerFile(host *model.Host, serverType model.ServerType, cfg *config.Config) string {
+	var b strings.Builder
+
+	b.WriteString("[global]\n")
+	b.WriteString(`keyboard = "en-us"` + "\n")
+	b.WriteString(`country = "us"` + "\n")
+	b.WriteString(fmt.Sprintf("fqdn = \"%s.thewrightserver.net\"\n", host.Hostname))
+	b.WriteString(`mailto = "admin@thewrightserver.net"` + "\n")
+	b.WriteString(`timezone = "America/Indiana/Indianapolis"` + "\n")
+	b.WriteString(fmt.Sprintf("root-password-hashed = \"%s\"\n", cfg.Credentials.RootPasswordHash))
+	b.WriteString(fmt.Sprintf("root-ssh-keys = [\"%s\"]\n", cfg.Credentials.SSHPublicKey))
+	b.WriteString("\n")
+
+	b.WriteString("[network]\n")
+	b.WriteString(`source = "from-dhcp"` + "\n")
+	b.WriteString("\n")
+
+	b.WriteString("[disk-setup]\n")
+	b.WriteString(`filesystem = "zfs"` + "\n")
+	b.WriteString(`zfs.raid = "raid0"` + "\n")
+	b.WriteString(fmt.Sprintf("disk-list = [\"%s\"]\n", serverType.BootDisk))
+	b.WriteString("\n")
+
+	b.WriteString("[post-installation-webhook]\n")
+	b.WriteString(fmt.Sprintf("url = \"%s/api/hosts/%d/installed\"\n", cfg.Server.PublicURL, host.ID))
+	b.WriteString("\n")
+
+	b.WriteString("[first-boot]\n")
+	b.WriteString(`source = "from-url"` + "\n")
+	b.WriteString(fmt.Sprintf("url = \"%s/api/hosts/%d/first-boot-script\"\n", cfg.Server.PublicURL, host.ID))
+	b.WriteString(`ordering = "after-network"` + "\n")
+
+	return b.String()
+}

internal/pxe/firstboot.go

@@ -0,0 +1,28 @@
+package pxe
+
+import (
+	"fmt"
+
+	"provisioning/internal/config"
+	"provisioning/internal/model"
+)
+
+func GenerateFirstBootScript(host *model.Host, serverType model.ServerType, cfg *config.Config) string {
+	return fmt.Sprintf(`#!/bin/bash
+set -euo pipefail
+
+PROVISIONING_URL="%s"
+HOST_ID="%d"
+NIC="%s"
+
+IP=$(ip -4 addr show dev "$NIC" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
+HWID=$(dmidecode -s system-uuid)
+
+curl -fsSL -X POST "${PROVISIONING_URL}/api/hosts/${HOST_ID}/phone-home" \
+  -H "Content-Type: application/json" \
+  -d "{\"ip\": \"${IP}\", \"hardware_id\": \"${HWID}\", \"hostname\": \"$(hostname)\"}"
+
+systemctl disable provisioning-firstboot.service
+rm -f /etc/systemd/system/provisioning-firstboot.service
+`, cfg.Server.PublicURL, host.ID, serverType.ManagementNIC)
+}

internal/pxe/ipxe.go

@@ -0,0 +1,19 @@
+package pxe
+
+import (
+	"fmt"
+
+	"provisioning/internal/model"
+)
+
+func BuildIPXEScript(publicURL string, img *model.Image, mac string) string {
+	kernelURL := fmt.Sprintf("%s/images/boot/%s/%s", publicURL, img.Name, "linux26")
+	initrdURL := fmt.Sprintf("%s/images/boot/%s/%s", publicURL, img.Name, "initrd.img")
+
+	return fmt.Sprintf(`#!ipxe
+echo Provisioning: booting %s on ${mac}
+kernel %s vga=791 video=vesafb:lfb:on
+initrd %s
+boot
+`, img.Name, kernelURL, initrdURL)
+}

internal/pxe/signal_unix.go

@@ -0,0 +1,12 @@
+//go:build !windows
+
+package pxe
+
+import (
+	"os"
+	"syscall"
+)
+
+func signalReload(p *os.Process) error {
+	return p.Signal(syscall.SIGHUP)
+}

internal/pxe/signal_windows.go

@@ -0,0 +1,9 @@
+//go:build windows
+
+package pxe
+
+import "os"
+
+func signalReload(_ *os.Process) error {
+	return nil
+}

internal/pxe/supervisor.go

@@ -0,0 +1,161 @@
+package pxe
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"text/template"
+
+	"provisioning/internal/model"
+)
+
+type SupervisorConfig struct {
+	Enabled    bool
+	Interface  string
+	Subnet     string
+	RuntimeDir string
+	TFTPRoot   string
+	DnsmasqBin string
+	PublicURL  string
+}
+
+type Supervisor struct {
+	cfg    SupervisorConfig
+	cmd    *exec.Cmd
+	cancel context.CancelFunc
+}
+
+func NewSupervisor(cfg SupervisorConfig) *Supervisor {
+	return &Supervisor{cfg: cfg}
+}
+
+func (s *Supervisor) Start(ctx context.Context, hosts []model.Host) error {
+	if !s.cfg.Enabled {
+		log.Printf("pxe: dnsmasq disabled")
+		return nil
+	}
+	if err := os.MkdirAll(s.cfg.RuntimeDir, 0o755); err != nil {
+		return fmt.Errorf("pxe: create runtime dir: %w", err)
+	}
+	if err := s.writeConfig(hosts); err != nil {
+		return err
+	}
+	return s.startProcess(ctx)
+}
+
+func (s *Supervisor) Reload(hosts []model.Host) error {
+	if !s.cfg.Enabled {
+		return nil
+	}
+	if err := s.writeConfig(hosts); err != nil {
+		return err
+	}
+	if s.cmd != nil && s.cmd.Process != nil {
+		return signalReload(s.cmd.Process)
+	}
+	return nil
+}
+
+func (s *Supervisor) Shutdown() error {
+	if s.cancel != nil {
+		s.cancel()
+	}
+	if s.cmd != nil && s.cmd.Process != nil {
+		return s.cmd.Process.Kill()
+	}
+	return nil
+}
+
+func (s *Supervisor) writeConfig(hosts []model.Host) error {
+	confPath := filepath.Join(s.cfg.RuntimeDir, "dnsmasq.conf")
+	hostsPath := filepath.Join(s.cfg.RuntimeDir, "dhcp-hostsfile")
+
+	var macs []string
+	for _, h := range hosts {
+		macs = append(macs, h.MAC)
+	}
+	if err := os.WriteFile(hostsPath, []byte(strings.Join(macs, "\n")+"\n"), 0o644); err != nil {
+		return fmt.Errorf("pxe: write dhcp-hostsfile: %w", err)
+	}
+
+	conf := dnsmasqConf{
+		Interface:  s.cfg.Interface,
+		TFTPRoot:   s.cfg.TFTPRoot,
+		HostsFile:  hostsPath,
+		PublicURL:  s.cfg.PublicURL,
+		RuntimeDir: s.cfg.RuntimeDir,
+	}
+	f, err := os.Create(confPath)
+	if err != nil {
+		return fmt.Errorf("pxe: create dnsmasq.conf: %w", err)
+	}
+	defer f.Close()
+	if err := dnsmasqTmpl.Execute(f, conf); err != nil {
+		return fmt.Errorf("pxe: render dnsmasq.conf: %w", err)
+	}
+	return nil
+}
+
+func (s *Supervisor) startProcess(ctx context.Context) error {
+	confPath := filepath.Join(s.cfg.RuntimeDir, "dnsmasq.conf")
+	procCtx, cancel := context.WithCancel(ctx)
+	s.cancel = cancel
+	s.cmd = exec.CommandContext(procCtx, s.cfg.DnsmasqBin, "--keep-in-foreground", "--conf-file="+confPath)
+	s.cmd.Stdout = os.Stdout
+	s.cmd.Stderr = os.Stderr
+	if err := s.cmd.Start(); err != nil {
+		cancel()
+		return fmt.Errorf("pxe: start dnsmasq: %w", err)
+	}
+	go func() {
+		if err := s.cmd.Wait(); err != nil {
+			select {
+			case <-procCtx.Done():
+			default:
+				log.Printf("pxe: dnsmasq exited: %v", err)
+			}
+		}
+	}()
+	log.Printf("pxe: dnsmasq started (pid %d)", s.cmd.Process.Pid)
+	return nil
+}
+
+type dnsmasqConf struct {
+	Interface  string
+	TFTPRoot   string
+	HostsFile  string
+	PublicURL  string
+	RuntimeDir string
+}
+
+var dnsmasqTmpl = template.Must(template.New("dnsmasq.conf").Parse(`
+port=0
+interface={{.Interface}}
+bind-interfaces
+
+dhcp-range=tag:known,192.168.1.0,proxy
+dhcp-hostsfile={{.HostsFile}}
+dhcp-ignore=tag:!known
+
+enable-tftp
+tftp-root={{.TFTPRoot}}
+
+# Legacy BIOS
+dhcp-match=set:bios,option:client-arch,0
+dhcp-boot=tag:bios,undionly.kpxe
+
+# UEFI
+dhcp-match=set:efi64,option:client-arch,7
+dhcp-boot=tag:efi64,ipxe.efi
+
+# iPXE user-class: chain to HTTP script
+dhcp-match=set:ipxe,option:user-class,iPXE
+dhcp-boot=tag:ipxe,{{.PublicURL}}/ipxe/${mac:hexhyp}
+
+log-dhcp
+log-facility={{.RuntimeDir}}/dnsmasq.log
+`))