Phase 1: VM Provision

Objective

Provision a Rocky Linux 9 VM on kvm-01.inside.domusdigitalis.dev, register it in DNS, and establish SSH access.

VM Creation

# On kvm-01
sudo virt-install \
  --name mail-01 \
  --ram 2048 \
  --vcpus 2 \
  --disk size=20,format=qcow2,bus=virtio \
  --os-variant rocky9 \
  --network bridge=br0,model=virtio \
  --location /var/lib/libvirt/images/Rocky-9-latest-x86_64-dvd.iso \
  --graphics none \
  --console pty,target_type=serial \
  --extra-args 'console=ttyS0'

Post-Install Baseline

# Set hostname
sudo hostnamectl set-hostname mail-01

# Set static IP
sudo nmcli con mod "System eth0" \
  ipv4.addresses 10.50.1.91/24 \
  ipv4.gateway 10.50.1.1 \
  ipv4.dns 10.50.1.90 \
  ipv4.dns-search inside.domusdigitalis.dev \
  ipv4.method manual

sudo nmcli con up "System eth0"

# Verify
hostnamectl
ip -4 addr show eth0

DNS Registration

# Forward zone (on workstation with TSIG key)
nsupdate -k /path/to/tsig.key <<EOF
server 10.50.1.90
zone inside.domusdigitalis.dev
update add mail-01.inside.domusdigitalis.dev. 3600 A 10.50.1.91
send
EOF

# Reverse zone
nsupdate -k /path/to/tsig.key <<EOF
server 10.50.1.90
zone 1.50.10.in-addr.arpa
update add 91.1.50.10.in-addr.arpa. 3600 PTR mail-01.inside.domusdigitalis.dev.
send
EOF

# Verify
dig @10.50.1.90 mail-01.inside.domusdigitalis.dev A +short
dig @10.50.1.90 -x 10.50.1.91 +short

SSH Access

# Issue Vault SSH cert (from workstation)
# $HOME rather than ~ in the @file argument: the shell does not tilde-expand after the '@'
vault write -field=signed_key ssh/sign/default \
  public_key=@"$HOME"/.ssh/id_ed25519.pub \
  valid_principals=root,evan > ~/.ssh/id_ed25519-cert.pub

# Test connection
ssh evan@mail-01.inside.domusdigitalis.dev

Verification Checklist

  • VM running on kvm-01.inside.domusdigitalis.dev: sudo virsh list --all

  • Hostname resolves: dig @10.50.1.90 mail-01.inside.domusdigitalis.dev +short returns 10.50.1.91

  • Reverse resolves: dig @10.50.1.90 -x 10.50.1.91 +short returns mail-01.inside.domusdigitalis.dev.

  • SSH works: ssh evan@mail-01.inside.domusdigitalis.dev connects

  • SELinux enforcing: getenforce returns Enforcing

  • Firewalld running: sudo firewall-cmd --state returns running
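As an added example (not part of the runbook), a POSIX sh helper that automates the checklist items verifiable from mail-01 itself: forward-confirmed reverse DNS against the 10.50.1.90 resolver, SELinux mode and firewalld state. The virsh and SSH items are checked from kvm-01 and the workstation as listed above; host, IP and DNS server values are the ones from this page.

```shell
#!/bin/sh
# Added verification helper for the checklist above (not part of the runbook).
# Values below come from the runbook; the DNS server is the one used by nsupdate.
HOST="mail-01.inside.domusdigitalis.dev"
IP="10.50.1.91"
DNS="10.50.1.90"
FAILS=0

# Build the in-addr.arpa owner name for a dotted-quad IPv4 address,
# i.e. the same name the reverse-zone nsupdate step adds.
ptr_name() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  printf '%s.%s.%s.%s.in-addr.arpa.\n' "$o4" "$o3" "$o2" "$o1"
}

# Forward-confirmed reverse DNS: the A answer must be our IP and the PTR
# answer must be our FQDN (with the trailing dot that dig +short prints).
# Usage: fcrdns_ok HOST IP A_ANSWER PTR_ANSWER
fcrdns_ok() {
  [ "$3" = "$2" ] && [ "$4" = "$1." ]
}

selinux_enforcing() { [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; }
# sudo -n: never block on a password prompt when run unattended
firewalld_running() { [ "$(sudo -n firewall-cmd --state 2>/dev/null)" = "running" ]; }

# check NAME CMD [ARGS...]: run CMD, print PASS/FAIL, count failures in FAILS
check() {
  name="$1"; shift
  if "$@" >/dev/null 2>&1; then printf 'PASS %s\n' "$name"
  else printf 'FAIL %s\n' "$name"; FAILS=$((FAILS + 1)); fi
}

# Run on mail-01 itself; returns the number of failed checks.
run_checks() {
  FAILS=0
  a=$(dig @"$DNS" "$HOST" A +short 2>/dev/null)
  p=$(dig @"$DNS" "$(ptr_name "$IP")" PTR +short 2>/dev/null)
  check "forward and reverse DNS agree ($a / $p)" fcrdns_ok "$HOST" "$IP" "$a" "$p"
  check "SELinux enforcing" selinux_enforcing
  check "firewalld running" firewalld_running
  return "$FAILS"
}

# Only perform the live checks when explicitly asked: sh verify.sh run
if [ "${1:-}" = "run" ]; then run_checks; fi
```

The firewalld check assumes password-less sudo for firewall-cmd; without it, `sudo -n` fails closed and the item reports FAIL rather than hanging.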