fix(secrets): use Inquire::Editor instead of regular text

Reviewed-on: #150

.gitattributes

@@ -2,3 +2,5 @@ bootx64.efi filter=lfs diff=lfs merge=lfs -text
 grubx64.efi filter=lfs diff=lfs merge=lfs -text
 initrd filter=lfs diff=lfs merge=lfs -text
 linux filter=lfs diff=lfs merge=lfs -text
+data/okd/bin/* filter=lfs diff=lfs merge=lfs -text
+data/okd/installer_image/* filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -3,6 +3,7 @@ private_repos/
 
 ### Harmony ###
 harmony.log
+data/okd/installation_files*
 
 ### Helm ###
 # Chart dependencies

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "examples/try_rust_webapp/tryrust.org"]
+	path = examples/try_rust_webapp/tryrust.org
+	url = https://github.com/rust-dd/tryrust.org.git

.sqlx/query-2ea29df2326f7c84bd4100ad510a3fd4878dc2e217dc83f9bf45a402dfd62a91.json

@@ -0,0 +1,20 @@
+{
+  "db_name": "SQLite",
+  "query": "SELECT host_id FROM host_role_mapping WHERE role = ?",
+  "describe": {
+    "columns": [
+      {
+        "name": "host_id",
+        "ordinal": 0,
+        "type_info": "Text"
+      }
+    ],
+    "parameters": {
+      "Right": 1
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "2ea29df2326f7c84bd4100ad510a3fd4878dc2e217dc83f9bf45a402dfd62a91"
+}

.sqlx/query-8d247918eca10a88b784ee353db090c94a222115c543231f2140cba27bd0f067.json

@@ -0,0 +1,32 @@
+{
+  "db_name": "SQLite",
+  "query": "\n        SELECT\n            p1.id,\n            p1.version_id,\n            p1.data as \"data: Json<PhysicalHost>\"\n        FROM\n            physical_hosts p1\n        INNER JOIN (\n            SELECT\n                id,\n                MAX(version_id) AS max_version\n            FROM\n                physical_hosts\n            GROUP BY\n                id\n        ) p2 ON p1.id = p2.id AND p1.version_id = p2.max_version\n        ",
+  "describe": {
+    "columns": [
+      {
+        "name": "id",
+        "ordinal": 0,
+        "type_info": "Text"
+      },
+      {
+        "name": "version_id",
+        "ordinal": 1,
+        "type_info": "Text"
+      },
+      {
+        "name": "data: Json<PhysicalHost>",
+        "ordinal": 2,
+        "type_info": "Blob"
+      }
+    ],
+    "parameters": {
+      "Right": 0
+    },
+    "nullable": [
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "8d247918eca10a88b784ee353db090c94a222115c543231f2140cba27bd0f067"
+}

.sqlx/query-934035c7ca6e064815393e4e049a7934b0a7fac04a4fe4b2a354f0443d630990.json

@@ -0,0 +1,32 @@
+{
+  "db_name": "SQLite",
+  "query": "SELECT id, version_id, data as \"data: Json<PhysicalHost>\" FROM physical_hosts WHERE id = ? ORDER BY version_id DESC LIMIT 1",
+  "describe": {
+    "columns": [
+      {
+        "name": "id",
+        "ordinal": 0,
+        "type_info": "Text"
+      },
+      {
+        "name": "version_id",
+        "ordinal": 1,
+        "type_info": "Text"
+      },
+      {
+        "name": "data: Json<PhysicalHost>",
+        "ordinal": 2,
+        "type_info": "Null"
+      }
+    ],
+    "parameters": {
+      "Right": 1
+    },
+    "nullable": [
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "934035c7ca6e064815393e4e049a7934b0a7fac04a4fe4b2a354f0443d630990"
+}

.sqlx/query-df7a7c9cfdd0972e2e0ce7ea444ba8bc9d708a4fb89d5593a0be2bbebde62aff.json

@@ -0,0 +1,12 @@
+{
+  "db_name": "SQLite",
+  "query": "\n        INSERT INTO host_role_mapping (host_id, role)\n        VALUES (?, ?)\n        ",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Right": 2
+    },
+    "nullable": []
+  },
+  "hash": "df7a7c9cfdd0972e2e0ce7ea444ba8bc9d708a4fb89d5593a0be2bbebde62aff"
+}

.sqlx/query-f10f615ee42129ffa293e46f2f893d65a237d31d24b74a29c6a8d8420d255ab8.json

@@ -0,0 +1,12 @@
+{
+  "db_name": "SQLite",
+  "query": "INSERT INTO physical_hosts (id, version_id, data) VALUES (?, ?, ?)",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Right": 3
+    },
+    "nullable": []
+  },
+  "hash": "f10f615ee42129ffa293e46f2f893d65a237d31d24b74a29c6a8d8420d255ab8"
+}

Cargo.toml

@@ -12,6 +12,10 @@ members = [
   "harmony_cli",
   "k3d",
   "harmony_composer",
+  "harmony_inventory_agent",
+  "harmony_secret_derive",
+  "harmony_secret",
+  "adr/agent_discovery/mdns",
 ]
 
 [workspace.package]
@@ -20,7 +24,7 @@ readme = "README.md"
 license = "GNU AGPL v3"
 
 [workspace.dependencies]
-log = "0.4"
+log = { version = "0.4", features = ["kv"] }
 env_logger = "0.11"
 derive-new = "0.7"
 async-trait = "0.1"
@@ -33,7 +37,7 @@ tokio = { version = "1.40", features = [
 cidr = { features = ["serde"], version = "0.2" }
 russh = "0.45"
 russh-keys = "0.45"
-rand = "0.8"
+rand = "0.9"
 url = "2.5"
 kube = { version = "1.1.0", features = [
   "config",
@@ -47,12 +51,27 @@ k8s-openapi = { version = "0.25", features = ["v1_30"] }
 serde_yaml = "0.9"
 serde-value = "0.7"
 http = "1.2"
-inquire = "0.7"
+inquire = { version = "0.7", features = ["editor"] }
 convert_case = "0.8"
 chrono = "0.4"
 similar = "2"
 uuid = { version = "1.11", features = ["v4", "fast-rng", "macro-diagnostics"] }
 pretty_assertions = "1.4.1"
+tempfile = "3.20.0"
 bollard = "0.19.1"
 base64 = "0.22.1"
 tar = "0.4.44"
+lazy_static = "1.5.0"
+directories = "6.0.0"
+thiserror = "2.0.14"
+serde = { version = "1.0.209", features = ["derive", "rc"] }
+serde_json = "1.0.127"
+askama = "0.14"
+sqlx = { version = "0.8", features = ["runtime-tokio", "sqlite"] }
+reqwest = { version = "0.12", features = [
+  "blocking",
+  "stream",
+  "rustls-tls",
+  "http2",
+  "json",
+], default-features = false }

Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/rust:1.87.0 AS build
+FROM docker.io/rust:1.89.0 AS build
 
 WORKDIR /app
 
@@ -6,7 +6,7 @@ COPY . .
 
 RUN cargo build --release --bin harmony_composer
 
-FROM docker.io/rust:1.87.0
+FROM docker.io/rust:1.89.0
 
 WORKDIR /app
 

adr/agent_discovery/mdns/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "mdns"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+mdns-sd = "0.14"
+tokio = { version = "1", features = ["full"] }
+futures = "0.3"
+dmidecode = "0.2" # For getting the motherboard ID on the agent
+log.workspace=true
+env_logger.workspace=true
+clap = { version = "4.5.46", features = ["derive"] }
+get_if_addrs = "0.5.3"
+local-ip-address = "0.6.5"

adr/agent_discovery/mdns/src/advertise.rs

@@ -0,0 +1,60 @@
+// harmony-agent/src/main.rs
+
+use log::info;
+use mdns_sd::{ServiceDaemon, ServiceInfo};
+use std::collections::HashMap;
+
+use crate::SERVICE_TYPE;
+
+// The service we are advertising.
+const SERVICE_PORT: u16 = 43210; // A port for the service. It needs one, even if unused.
+
+pub async fn advertise() {
+    info!("Starting Harmony Agent...");
+
+    // Get a unique ID for this machine.
+    let motherboard_id = "some motherboard id";
+    let instance_name = format!("harmony-agent-{}", motherboard_id);
+    info!("This agent's instance name: {}", instance_name);
+    info!("Advertising with ID: {}", motherboard_id);
+
+    // Create a new mDNS daemon.
+    let mdns = ServiceDaemon::new().expect("Failed to create mDNS daemon");
+
+    // Create a TXT record HashMap to hold our metadata.
+    let mut properties = HashMap::new();
+    properties.insert("id".to_string(), motherboard_id.to_string());
+    properties.insert("version".to_string(), "1.0".to_string());
+
+    // Create the service information.
+    // The instance name should be unique on the network.
+    let local_ip = local_ip_address::local_ip().unwrap();
+    let service_info = ServiceInfo::new(
+        SERVICE_TYPE,
+        &instance_name,
+        "harmony-host.local.", // A hostname for the service
+        local_ip,
+        // "0.0.0.0",
+        SERVICE_PORT,
+        Some(properties),
+    )
+    .expect("Failed to create service info");
+
+    // Register our service with the daemon.
+    mdns.register(service_info)
+        .expect("Failed to register service");
+
+    info!(
+        "Service '{}' registered and now being advertised.",
+        instance_name
+    );
+    info!("Agent is running. Press Ctrl+C to exit.");
+
+    for iface in get_if_addrs::get_if_addrs().unwrap() {
+        println!("{:#?}", iface);
+    }
+
+    // Keep the agent running indefinitely.
+    tokio::signal::ctrl_c().await.unwrap();
+    info!("Shutting down agent.");
+}

adr/agent_discovery/mdns/src/discover.rs

@@ -0,0 +1,109 @@
+use mdns_sd::{ServiceDaemon, ServiceEvent};
+
+use crate::SERVICE_TYPE;
+
+pub async fn discover() {
+    println!("Starting Harmony Master and browsing for agents...");
+
+    // Create a new mDNS daemon.
+    let mdns = ServiceDaemon::new().expect("Failed to create mDNS daemon");
+
+    // Start browsing for the service type.
+    // The receiver will be a stream of events.
+    let receiver = mdns.browse(SERVICE_TYPE).expect("Failed to browse");
+
+    println!(
+        "Listening for mDNS events for '{}'. Press Ctrl+C to exit.",
+        SERVICE_TYPE
+    );
+
+    std::thread::spawn(move || {
+        while let Ok(event) = receiver.recv() {
+            match event {
+                ServiceEvent::ServiceData(resolved) => {
+                    println!("Resolved a new service: {}", resolved.fullname);
+                }
+                other_event => {
+                    println!("Received other event: {:?}", &other_event);
+                }
+            }
+        }
+    });
+
+    // Gracefully shutdown the daemon.
+    std::thread::sleep(std::time::Duration::from_secs(1000000));
+    mdns.shutdown().unwrap();
+
+    // Process events as they come in.
+    // while let Ok(event) = receiver.recv_async().await {
+    //     debug!("Received event {event:?}");
+    //     // match event {
+    //     //     ServiceEvent::ServiceFound(svc_type, fullname) => {
+    //     //         println!("\n--- Agent Discovered ---");
+    //     //         println!("  Service Name: {}", fullname());
+    //     //         // You can now resolve this service to get its IP, port, and TXT records
+    //     //         // The resolve operation is a separate network call.
+    //     //         let receiver = mdns.browse(info.get_fullname()).unwrap();
+    //     //         if let Ok(resolve_event) = receiver.recv_timeout(Duration::from_secs(2)) {
+    //     //              if let ServiceEvent::ServiceResolved(info) = resolve_event {
+    //     //                 let ip = info.get_addresses().iter().next().unwrap();
+    //     //                 let port = info.get_port();
+    //     //                 let motherboard_id = info.get_property("id").map_or("N/A", |v| v.val_str());
+    //     //
+    //     //                 println!("  IP: {}:{}", ip, port);
+    //     //                 println!("  Motherboard ID: {}", motherboard_id);
+    //     //                 println!("------------------------");
+    //     //
+    //     //                 // TODO: Add this agent to your central list of discovered hosts.
+    //     //              }
+    //     //         } else {
+    //     //             println!("Could not resolve service '{}' in time.", info.get_fullname());
+    //     //         }
+    //     //     }
+    //     //     ServiceEvent::ServiceRemoved(info) => {
+    //     //         println!("\n--- Agent Removed ---");
+    //     //         println!("  Service Name: {}", info.get_fullname());
+    //     //         println!("---------------------");
+    //     //         // TODO: Remove this agent from your list.
+    //     //     }
+    //     //     _ => {
+    //     //         // We don't care about other event types for this example
+    //     //     }
+    //     // }
+    // }
+}
+
+async fn _discover_example() {
+    use mdns_sd::{ServiceDaemon, ServiceEvent};
+
+    // Create a daemon
+    let mdns = ServiceDaemon::new().expect("Failed to create daemon");
+
+    // Use recently added `ServiceEvent::ServiceData`.
+    mdns.use_service_data(true)
+        .expect("Failed to use ServiceData");
+
+    // Browse for a service type.
+    let service_type = "_mdns-sd-my-test._udp.local.";
+    let receiver = mdns.browse(service_type).expect("Failed to browse");
+
+    // Receive the browse events in sync or async. Here is
+    // an example of using a thread. Users can call `receiver.recv_async().await`
+    // if running in async environment.
+    std::thread::spawn(move || {
+        while let Ok(event) = receiver.recv() {
+            match event {
+                ServiceEvent::ServiceData(resolved) => {
+                    println!("Resolved a new service: {}", resolved.fullname);
+                }
+                other_event => {
+                    println!("Received other event: {:?}", &other_event);
+                }
+            }
+        }
+    });
+
+    // Gracefully shutdown the daemon.
+    std::thread::sleep(std::time::Duration::from_secs(1));
+    mdns.shutdown().unwrap();
+}

adr/agent_discovery/mdns/src/main.rs

@@ -0,0 +1,31 @@
+use clap::{Parser, ValueEnum};
+
+mod advertise;
+mod discover;
+
+#[derive(Parser, Debug)]
+#[command(version, about, long_about = None)]
+struct Args {
+    #[arg(value_enum)]
+    profile: Profiles,
+}
+
+#[derive(Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord, ValueEnum)]
+enum Profiles {
+    Advertise,
+    Discover,
+}
+
+// The service type we are looking for.
+const SERVICE_TYPE: &str = "_harmony._tcp.local.";
+
+#[tokio::main]
+async fn main() {
+    env_logger::init();
+    let args = Args::parse();
+
+    match args.profile {
+        Profiles::Advertise => advertise::advertise().await,
+        Profiles::Discover => discover::discover().await,
+    }
+}

check.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
 set -e
 
+rustc --version
 cargo check --all-targets --all-features --keep-going
 cargo fmt --check
 cargo clippy

data/okd/installer_image/scos-live-initramfs.x86_64.img

@@ -0,0 +1 @@
+scos-9.0.20250510-0-live-initramfs.x86_64.img

data/okd/installer_image/scos-live-kernel.x86_64

@@ -0,0 +1 @@
+scos-9.0.20250510-0-live-kernel.x86_64

data/okd/installer_image/scos-live-rootfs.x86_64.img

@@ -0,0 +1 @@
+scos-9.0.20250510-0-live-rootfs.x86_64.img

data/pxe/okd/README.md

@@ -0,0 +1,8 @@
+Here lies all the data files required for an OKD cluster PXE boot setup.
+
+This inclues ISO files, binary boot files, ipxe, etc.
+
+TODO as of august 2025 :
+
+- `harmony_inventory_agent` should be downloaded from official releases, this embedded version is practical for now though
+- The cluster ssh key should be generated and handled by harmony with the private key saved in a secret store

data/pxe/okd/http_files/.gitattributes

@@ -0,0 +1,9 @@
+harmony_inventory_agent filter=lfs diff=lfs merge=lfs -text
+os filter=lfs diff=lfs merge=lfs -text
+os/centos-stream-9 filter=lfs diff=lfs merge=lfs -text
+os/centos-stream-9/images filter=lfs diff=lfs merge=lfs -text
+os/centos-stream-9/initrd.img filter=lfs diff=lfs merge=lfs -text
+os/centos-stream-9/vmlinuz filter=lfs diff=lfs merge=lfs -text
+os/centos-stream-9/images/efiboot.img filter=lfs diff=lfs merge=lfs -text
+os/centos-stream-9/images/install.img filter=lfs diff=lfs merge=lfs -text
+os/centos-stream-9/images/pxeboot filter=lfs diff=lfs merge=lfs -text

data/pxe/okd/http_files/cluster_ssh_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBx6bDylvC68cVpjKfEFtLQJ/dOFi6PVS2vsIOqPDJIc jeangab@liliane2

demos/cncf-k8s-quebec-meetup-september-2025/storyline.md

@@ -0,0 +1,132 @@
+# Harmony, Orchestrateur d'infrastructure open-source
+
+**Target Duration:** 25 minutes\
+**Tone:** Friendly, expert-to-expert, inspiring.
+
+---
+
+#### **Slide 1: Title Slide**
+
+- **Visual:** Clean and simple. Your company logo (NationTech) and the Harmony logo.
+
+---
+
+#### **Slide 2: The YAML Labyrinth**
+
+**Goal:** Get every head in the room nodding in agreement. Start with their world, not yours.
+
+- **Visual:**
+  - Option A: "The Pull Request from Hell". A screenshot of a GitHub pull request for a seemingly minor change that touches dozens of YAML files across multiple directories. A sea of red and green diffs that is visually overwhelming.
+  - Option B: A complex flowchart connecting dozens of logos: Terraform, Ansible, K8s, Helm, etc.
+- **Narration:**\
+  [...ADD SOMETHING FOR INTRODUCTION...]\
+  "We love the power that tools like Kubernetes and the CNCF landscape have given us. But let's be honest... when did our infrastructure code start looking like _this_?"\
+  "We have GitOps, which is great. But it often means we're managing this fragile cathedral of YAML, Helm charts, and brittle scripts. We spend more time debugging indentation and tracing variables than we do building truly resilient systems."
+
+---
+
+#### **Slide 3: The Real Cost of Infrastructure**
+
+- **Visual:** "The Jenga Tower of Tools". A tall, precarious Jenga tower where each block is the logo of a different tool (Terraform, K8s, Helm, Ansible, Prometheus, ArgoCD, etc.). One block near the bottom is being nervously pulled out.
+- **Narration:**
+  "The real cost isn't just complexity; it's the constant need to choose, learn, integrate, and operate a dozen different tools, each with its own syntax and failure modes. It's the nagging fear that a tiny typo in a config file could bring everything down. Click-ops isn't the answer, but the current state of IaC feels like we've traded one problem for another."
+
+---
+
+#### **Slide 4: The Broken Promise of "Code"**
+
+**Goal:** Introduce the core idea before introducing the product. This makes the solution feel inevitable.
+
+- **(Initial Visual):** A two-panel slide.
+  - **Left Panel Title: "The Plan"** - A terminal showing a green, successful `terraform plan` output.
+  - **Right Panel Title: "The Reality"** - The _next_ screen in the terminal, showing the `terraform apply` failing with a cascade of red error text.
+- **Narration:**
+  "We call our discipline **Infrastructure as Code**. And we've all been here. Our 'compiler' is a `terraform plan` that says everything looks perfect. We get the green light."
+  (Pause for a beat)
+  "And then we `apply`, and reality hits. It fails halfway through, at runtime, when it's most expensive and painful to fix."
+
+**(Click to transition the slide)**
+
+- **(New Visual):** The entire slide is replaced by a clean screenshot of a code editor (like nvim 😉) showing Harmony's Rust DSL. A red squiggly line is under a config line. The error message is clear in the "Problems" panel: `error: Incompatible deployment. Production target 'gcp-prod-cluster' requires a StorageClass with 'snapshots' capability, but 'standard-sc' does not provide it.`
+- **Narration (continued):**
+  "In software development, we solved these problems years ago. We don't accept 'it compiled, but crashed on startup'. We have real tools, type systems, compilers, test frameworks, and IDEs that catch our mistakes before they ever reach production. **So, what if we could treat our entire infrastructure... like a modern, compiled application?**"
+  "What if your infrastructure code could get compile-time checks, straight into the editor... instead of runtime panics and failures at 3 AM in production?"
+
+---
+
+#### **Slide 5: Introducing Harmony**
+
+**Goal:** Introduce Harmony as the answer to the "What If?" question.
+
+- **Visual:** The Harmony logo, large and centered.
+- **Tagline:** `Infrastructure in type-safe Rust. No YAML required.`
+- **Narration:**
+  "This is Harmony. It's an open-source orchestrator that lets you define your entire stack — from a dev laptop to a multi-site bare-metal cluster—in a single, type-safe Rust codebase."
+
+---
+
+#### **Slide 6: Before & After**
+
+- **Visual:** A side-by-side comparison. Left side: A screen full of complex, nested YAML. Right side: 10-15 lines of clean, readable Harmony Rust DSL that accomplishes the same thing.
+- **Narration:**
+  "This is the difference. On the left, the fragile world of strings and templates. On the right, a portable, verifiable program that describes your apps, your infra, and your operations. We unify scaffolding, provisioning, and Day-2 ops, all verified by the Rust compiler. But enough slides... let's see it in action."
+
+---
+
+#### **Slide 7: Live Demo: Zero to Monitored App**
+
+**Goal:** Show, don't just tell. Make it look effortless. This is where you build the "dream."
+
+- **Visual:** Your terminal/IDE, ready to go.
+- **Narration Guide:**
+  "Okay, for this demo, we're going to take a standard web app from GitHub. Nothing special about it."
+  _(Show the repo)_
+  "Now, let's bring it into Harmony. This is the entire definition we need to describe the application and its needs."
+  _(Show the Rust DSL)_
+  "First, let's run it locally on k3d. The exact same definition for dev as for prod."
+  _(Deploy locally, show it works)_
+  "Cool. But a real app needs monitoring. In Harmony, that's just adding a feature to our code."
+  _(Uncomment one line: `.with_feature(Monitoring)` and redeploy)_
+  "And just like that, we have a fully configured Prometheus and Grafana stack, scraping our app. No YAML, no extra config."
+  "Finally, let's push this to our production staging cluster. We just change the target and specify our multi-site Ceph storage."
+  _(Deploy to the remote cluster)_
+  "And there it is. We've gone from a simple web app to a monitored, enterprise-grade service in minutes."
+
+---
+
+#### **Slide 8: Live Demo: Embracing Chaos**
+
+**Goal:** Prove the "predictable" and "resilient" claims in the most dramatic way possible.
+
+- **Visual:** A slide showing a map or diagram of your distributed infrastructure (the different data centers). Then switch back to your terminal.
+- **Narration Guide:**
+  "This is great when things are sunny. But production is chaos. So... let's break things. On purpose."
+  "First, a network failure." _(Kill a switch/link, show app is still up)_
+  "Now, let's power off a storage server." _(Force off a server, show Ceph healing and the app is unaffected)_
+  "How about a control plane node?" _(Force off a k8s control plane, show the cluster is still running)_
+  "Okay, for the grand finale. What if we have a cascading failure? I'm going to kill _another_ storage server. This should cause a total failure in this data center."
+  _(Force off the second server, narrate what's happening)_
+  "And there it is... Ceph has lost quorum in this site... and Harmony has automatically failed everything over to our other datacenter. The app is still running."
+
+---
+
+#### **Slide 9: The New Reality**
+
+**Goal:** Summarize the dream and tell the audience what you want them to do.
+
+- **Visual:** The clean, simple Harmony Rust DSL code from Slide 6. A summary of what was just accomplished is listed next to it: `✓ GitHub to Prod in minutes`, `✓ Type-Safe Validation`, `✓ Built-in Monitoring`, `✓ Automated Multi-Site Failover`.
+- **Narration:**
+  "So, in just a few minutes, we went from a simple web app to a multi-site, monitored, and chaos-proof production deployment. We did it with a small amount of code that is easy to read, easy to verify, and completely portable. This is our vision: to offload the complexity, and make infrastructure simple, predictable, and even fun again."
+
+---
+
+#### **Slide 10: Join Us**
+
+- **Visual:** A clean, final slide with QR codes and links.
+  - GitHub Repo (`github.com/nation-tech/harmony`)
+  - Website (`harmony.sh` or similar)
+  - Your contact info (`jg@nation.tech` / LinkedIn / Twitter)
+- **Narration:**
+  "Harmony is open-source, AGPLv3. We believe this is the future, but we're just getting started. We know this crowd has great infrastructure minds out there, and we need your feedback. Please, check out the project on GitHub. Star it if you like what you see. Tell us what's missing. Let's build this future together. Thank you."
+
+**(Open for Q&A)**

docs/OKD_Host_preparation.md

@@ -0,0 +1,8 @@
+## Bios settings
+
+1. CSM : Disabled (compatibility support to boot gpt formatted drives)
+2. Secure boot : disabled
+3. Boot order :
+    1. Local Hard drive
+    2. PXE IPv4
+4. System clock, make sure it is adjusted, otherwise you will get invalid certificates error

docs/pxe_test/README.md

@@ -0,0 +1,108 @@
+# OPNsense PXE Lab Environment
+
+This project contains a script to automatically set up a virtual lab environment for testing PXE boot services managed by an OPNsense firewall.
+
+## Overview
+
+The `pxe_vm_lab_setup.sh` script will create the following resources using libvirt/KVM:
+
+1.  **A Virtual Network**: An isolated network named `harmonylan` (`virbr1`) for the lab.
+2.  **Two Virtual Machines**:
+    *   `opnsense-pxe`: A firewall VM that will act as the gateway and PXE server.
+    *   `pxe-node-1`: A client VM configured to boot from the network.
+
+## Prerequisites
+
+Ensure you have the following software installed on your Arch Linux host:
+
+*   `libvirt`
+*   `qemu`
+*   `virt-install` (from the `virt-install` package)
+*   `curl`
+*   `bzip2`
+
+## Usage
+
+### 1. Create the Environment
+
+Run the `up` command to download the necessary images and create the network and VMs.
+
+```bash
+sudo ./pxe_vm_lab_setup.sh up
+```
+
+### 2. Install and Configure OPNsense
+
+The OPNsense VM is created but the OS needs to be installed manually via the console.
+
+1.  **Connect to the VM console**:
+    ```bash
+    sudo virsh console opnsense-pxe
+    ```
+
+2.  **Log in as the installer**:
+    *   Username: `installer`
+    *   Password: `opnsense`
+
+3.  **Follow the on-screen installation wizard**. When prompted to assign network interfaces (`WAN` and `LAN`):
+    *   Find the MAC address for the `harmonylan` interface by running this command in another terminal:
+        ```bash
+        virsh domiflist opnsense-pxe
+        # Example output:
+        # Interface   Type      Source       Model    MAC
+        # ---------------------------------------------------------
+        # vnet18      network   default      virtio   52:54:00:b5:c4:6d
+        # vnet19      network   harmonylan   virtio   52:54:00:21:f9:ba
+        ```
+    *   Assign the interface connected to `harmonylan` (e.g., `vtnet1` with MAC `52:54:00:21:f9:ba`) as your **LAN**.
+    *   Assign the other interface as your **WAN**.
+
+4.  After the installation is complete, **shut down** the VM from the console menu.
+
+5.  **Detach the installation media** by editing the VM's configuration:
+    ```bash
+    sudo virsh edit opnsense-pxe
+    ```
+    Find and **delete** the entire `<disk>` block corresponding to the `.img` file (the one with `<target ... bus='usb'/>`).
+
+6.  **Start the VM** to boot into the newly installed system:
+    ```bash
+    sudo virsh start opnsense-pxe
+    ```
+
+### 3. Connect to OPNsense from Your Host
+
+To configure OPNsense, you need to connect your host to the `harmonylan` network.
+
+1.  By default, OPNsense configures its LAN interface with the IP `192.168.1.1`.
+2.  Assign a compatible IP address to your host's `virbr1` bridge interface:
+    ```bash
+    sudo ip addr add 192.168.1.5/24 dev virbr1
+    ```
+3.  You can now access the OPNsense VM from your host:
+    *   **SSH**: `ssh root@192.168.1.1` (password: `opnsense`)
+    *   **Web UI**: `https://192.168.1.1`
+
+### 4. Configure PXE Services with Harmony
+
+With connectivity established, you can now use Harmony to configure the OPNsense firewall for PXE booting. Point your Harmony OPNsense scores to the firewall using these details:
+
+*   **Hostname/IP**: `192.168.1.1`
+*   **Credentials**: `root` / `opnsense`
+
+### 5. Boot the PXE Client
+
+Once your Harmony configuration has been applied and OPNsense is serving DHCP/TFTP, start the client VM. It will automatically attempt to boot from the network.
+
+```bash
+sudo virsh start pxe-node-1
+sudo virsh console pxe-node-1
+```
+
+## Cleanup
+
+To destroy all VMs and networks created by the script, run the `clean` command:
+
+```bash
+sudo ./pxe_vm_lab_setup.sh clean
+```

docs/pxe_test/pxe_vm_lab_setup.sh

@@ -0,0 +1,191 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# --- Configuration ---
+LAB_DIR="/var/lib/harmony_pxe_test"
+IMG_DIR="${LAB_DIR}/images"
+STATE_DIR="${LAB_DIR}/state"
+VM_OPN="opnsense-pxe"
+VM_PXE="pxe-node-1"
+NET_HARMONYLAN="harmonylan"
+
+# Network settings for the isolated LAN
+VLAN_CIDR="192.168.150.0/24"
+VLAN_GW="192.168.150.1"
+VLAN_MASK="255.255.255.0"
+
+# VM Specifications
+RAM_OPN="2048"
+VCPUS_OPN="2"
+DISK_OPN_GB="10"
+OS_VARIANT_OPN="freebsd14.0" # Updated to a more recent FreeBSD variant
+
+RAM_PXE="4096"
+VCPUS_PXE="2"
+DISK_PXE_GB="40"
+OS_VARIANT_LINUX="centos-stream9"
+
+OPN_IMG_URL="https://mirror.ams1.nl.leaseweb.net/opnsense/releases/25.7/OPNsense-25.7-serial-amd64.img.bz2"
+OPN_IMG_PATH="${IMG_DIR}/OPNsense-25.7-serial-amd64.img"
+CENTOS_ISO_URL="https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/boot.iso"
+CENTOS_ISO_PATH="${IMG_DIR}/CentOS-Stream-9-latest-boot.iso"
+
+CONNECT_URI="qemu:///system"
+
+download_if_missing() {
+  local url="$1"
+  local dest="$2"
+  if [[ ! -f "$dest" ]]; then
+    echo "Downloading $url to $dest"
+    mkdir -p "$(dirname "$dest")"
+    local tmp
+    tmp="$(mktemp)"
+    curl -L --progress-bar "$url" -o "$tmp"
+    case "$url" in
+      *.bz2) bunzip2 -c "$tmp" > "$dest" && rm -f "$tmp" ;;
+      *) mv "$tmp" "$dest" ;;
+    esac
+  else
+    echo "Already present: $dest"
+  fi
+}
+
+# Ensures a libvirt network is defined and active
+ensure_network() {
+  local net_name="$1"
+  local net_xml_path="$2"
+  if virsh --connect "${CONNECT_URI}" net-info "${net_name}" >/dev/null 2>&1; then
+    echo "Network ${net_name} already exists."
+  else
+    echo "Defining network ${net_name} from ${net_xml_path}"
+    virsh --connect "${CONNECT_URI}" net-define "${net_xml_path}"
+  fi
+
+  if ! virsh --connect "${CONNECT_URI}" net-info "${net_name}" | grep "Active: *yes"; then
+    echo "Starting network ${net_name}..."
+    virsh --connect "${CONNECT_URI}" net-start "${net_name}"
+    virsh --connect "${CONNECT_URI}" net-autostart "${net_name}"
+  fi
+}
+
+# Destroys a VM completely
+destroy_vm() {
+  local vm_name="$1"
+  if virsh --connect "${CONNECT_URI}" dominfo "$vm_name" >/dev/null 2>&1; then
+    echo "Destroying and undefining VM: ${vm_name}"
+    virsh --connect "${CONNECT_URI}" destroy "$vm_name" || true
+    virsh --connect "${CONNECT_URI}" undefine "$vm_name" --nvram
+  fi
+}
+
+# Destroys a libvirt network
+destroy_network() {
+  local net_name="$1"
+  if virsh --connect "${CONNECT_URI}" net-info "$net_name" >/dev/null 2>&1; then
+    echo "Destroying and undefining network: ${net_name}"
+    virsh --connect "${CONNECT_URI}" net-destroy "$net_name" || true
+    virsh --connect "${CONNECT_URI}" net-undefine "$net_name"
+  fi
+}
+
+# --- Main Logic ---
+create_lab_environment() {
+  # Create network definition files
+  cat > "${STATE_DIR}/default.xml" <<EOF
+<network>
+  <name>default</name>
+  <forward mode='nat'/>
+  <bridge name='virbr0' stp='on' delay='0'/>
+  <ip address='192.168.122.1' netmask='255.255.255.0'>
+    <dhcp>
+      <range start='192.168.122.100' end='192.168.122.200'/>
+    </dhcp>
+  </ip>
+</network>
+EOF
+
+  cat > "${STATE_DIR}/${NET_HARMONYLAN}.xml" <<EOF
+<network>
+  <name>${NET_HARMONYLAN}</name>
+  <bridge name='virbr1' stp='on' delay='0'/>
+</network>
+EOF
+
+  # Ensure both networks exist and are active
+  ensure_network "default" "${STATE_DIR}/default.xml"
+  ensure_network "${NET_HARMONYLAN}" "${STATE_DIR}/${NET_HARMONYLAN}.xml"
+
+  # --- Create OPNsense VM (MODIFIED SECTION) ---
+  local disk_opn="${IMG_DIR}/${VM_OPN}.qcow2"
+  if [[ ! -f "$disk_opn" ]]; then
+    qemu-img create -f qcow2 "$disk_opn" "${DISK_OPN_GB}G"
+  fi
+
+  echo "Creating OPNsense VM using serial image..."
+  virt-install \
+    --connect "${CONNECT_URI}" \
+    --name "${VM_OPN}" \
+    --ram "${RAM_OPN}" \
+    --vcpus "${VCPUS_OPN}" \
+    --cpu host-passthrough \
+    --os-variant "${OS_VARIANT_OPN}" \
+    --graphics none \
+    --noautoconsole \
+    --disk path="${disk_opn}",device=disk,bus=virtio,boot.order=1 \
+    --disk path="${OPN_IMG_PATH}",device=disk,bus=usb,readonly=on,boot.order=2 \
+    --network network=default,model=virtio \
+    --network network="${NET_HARMONYLAN}",model=virtio \
+    --boot uefi,menu=on
+
+  echo "OPNsense VM created. Connect with: sudo virsh console ${VM_OPN}"
+  echo "The VM will boot from the serial installation image."
+  echo "Login with user 'installer' and password 'opnsense' to start the installation."
+  echo "Install onto the VirtIO disk (vtbd0)."
+  echo "After installation, shutdown the VM, then run 'sudo virsh edit ${VM_OPN}' and remove the USB disk block to boot from the installed system."
+
+  # --- Create PXE Client VM ---
+  local disk_pxe="${IMG_DIR}/${VM_PXE}.qcow2"
+  if [[ ! -f "$disk_pxe" ]]; then
+    qemu-img create -f qcow2 "$disk_pxe" "${DISK_PXE_GB}G"
+  fi
+
+  echo "Creating PXE client VM..."
+  virt-install \
+    --connect "${CONNECT_URI}" \
+    --name "${VM_PXE}" \
+    --ram "${RAM_PXE}" \
+    --vcpus "${VCPUS_PXE}" \
+    --cpu host-passthrough \
+    --os-variant "${OS_VARIANT_LINUX}" \
+    --graphics none \
+    --noautoconsole \
+    --disk path="${disk_pxe}",format=qcow2,bus=virtio \
+    --network network="${NET_HARMONYLAN}",model=virtio \
+    --pxe \
+    --boot uefi,menu=on
+
+  echo "PXE VM created. It will attempt to netboot on ${NET_HARMONYLAN}."
+}
+
+# --- Script Entrypoint ---
+case "${1:-}" in
+  up)
+    mkdir -p "${IMG_DIR}" "${STATE_DIR}"
+    download_if_missing "$OPN_IMG_URL" "$OPN_IMG_PATH"
+    download_if_missing "$CENTOS_ISO_URL" "$CENTOS_ISO_PATH"
+    create_lab_environment
+    echo "Lab setup complete. Use 'sudo virsh list --all' to see VMs."
+    ;;
+  clean)
+    destroy_vm "${VM_PXE}"
+    destroy_vm "${VM_OPN}"
+    destroy_network "${NET_HARMONYLAN}"
+    # Optionally destroy the default network if you want a full reset
+    # destroy_network "default"
+    echo "Cleanup complete."
+    ;;
+  *)
+    echo "Usage: sudo $0 {up|clean}"
+    exit 1
+    ;;
+esac

examples/application_monitoring_with_tenant/Cargo.toml

@@ -7,8 +7,9 @@ license.workspace = true
 
 [dependencies]
 env_logger.workspace = true
-harmony = { version = "0.1.0", path = "../../harmony" }
-harmony_cli = { version = "0.1.0", path = "../../harmony_cli" }
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
 logging = "0.1.0"
 tokio.workspace = true
 url.workspace = true

examples/application_monitoring_with_tenant/src/main.rs

@@ -1,15 +1,16 @@
 use std::{path::PathBuf, str::FromStr, sync::Arc};
 
 use harmony::{
-    data::Id,
     inventory::Inventory,
     modules::{
         application::{ApplicationScore, RustWebFramework, RustWebapp, features::Monitoring},
         monitoring::alert_channel::webhook_receiver::WebhookReceiver,
         tenant::TenantScore,
     },
-    topology::{K8sAnywhereTopology, Url, tenant::TenantConfig},
+    topology::{K8sAnywhereTopology, tenant::TenantConfig},
 };
+use harmony_types::id::Id;
+use harmony_types::net::Url;
 
 #[tokio::main]
 async fn main() {
@@ -26,9 +27,9 @@ async fn main() {
     };
     let application = Arc::new(RustWebapp {
         name: "example-monitoring".to_string(),
-        domain: Url::Url(url::Url::parse("https://rustapp.harmony.example.com").unwrap()),
         project_root: PathBuf::from("./examples/rust/webapp"),
         framework: Some(RustWebFramework::Leptos),
+        service_port: 3000,
     });
 
     let webhook_receiver = WebhookReceiver {

examples/cli/src/main.rs

@@ -1,6 +1,9 @@
 use harmony::{
     inventory::Inventory,
-    modules::dummy::{ErrorScore, PanicScore, SuccessScore},
+    modules::{
+        dummy::{ErrorScore, PanicScore, SuccessScore},
+        inventory::LaunchDiscoverInventoryAgentScore,
+    },
     topology::LocalhostTopology,
 };
 
@@ -13,6 +16,9 @@ async fn main() {
             Box::new(SuccessScore {}),
             Box::new(ErrorScore {}),
             Box::new(PanicScore {}),
+            Box::new(LaunchDiscoverInventoryAgentScore {
+                discovery_timeout: Some(10),
+            }),
         ],
         None,
     )

examples/lamp/src/main.rs

@@ -2,8 +2,9 @@ use harmony::{
     data::Version,
     inventory::Inventory,
     modules::lamp::{LAMPConfig, LAMPScore},
-    topology::{K8sAnywhereTopology, Url},
+    topology::K8sAnywhereTopology,
 };
+use harmony_types::net::Url;
 
 #[tokio::main]
 async fn main() {

examples/monitoring/Cargo.toml

@@ -6,8 +6,9 @@ readme.workspace = true
 license.workspace = true
 
 [dependencies]
-harmony = { version = "0.1.0", path = "../../harmony" }
-harmony_cli = { version = "0.1.0", path = "../../harmony_cli" }
-harmony_macros = { version = "0.1.0", path = "../../harmony_macros" }
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_macros = { path = "../../harmony_macros" }
+harmony_types = { path = "../../harmony_types" }
 tokio.workspace = true
 url.workspace = true

examples/monitoring/src/main.rs

@@ -22,8 +22,9 @@ use harmony::{
             k8s::pvc::high_pvc_fill_rate_over_two_days,
         },
     },
-    topology::{K8sAnywhereTopology, Url},
+    topology::K8sAnywhereTopology,
 };
+use harmony_types::net::Url;
 
 #[tokio::main]
 async fn main() {

examples/monitoring_with_tenant/Cargo.toml

@@ -7,7 +7,8 @@ license.workspace = true
 
 [dependencies]
 cidr.workspace = true
-harmony = { version = "0.1.0", path = "../../harmony" }
-harmony_cli = { version = "0.1.0", path = "../../harmony_cli" }
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
 tokio.workspace = true
 url.workspace = true

examples/monitoring_with_tenant/src/main.rs

@@ -1,7 +1,6 @@
 use std::{collections::HashMap, str::FromStr};
 
 use harmony::{
-    data::Id,
     inventory::Inventory,
     modules::{
         monitoring::{
@@ -19,10 +18,12 @@ use harmony::{
         tenant::TenantScore,
     },
     topology::{
-        K8sAnywhereTopology, Url,
+        K8sAnywhereTopology,
         tenant::{ResourceLimits, TenantConfig, TenantNetworkPolicy},
     },
 };
+use harmony_types::id::Id;
+use harmony_types::net::Url;
 
 #[tokio::main]
 async fn main() {

examples/nanodc/Cargo.toml

@@ -13,6 +13,7 @@ harmony_types = { path = "../../harmony_types" }
 cidr = { workspace = true }
 tokio = { workspace = true }
 harmony_macros = { path = "../../harmony_macros" }
+harmony_secret = { path = "../../harmony_secret" }
 log = { workspace = true }
 env_logger = { workspace = true }
 url = { workspace = true }

examples/nanodc/src/main.rs

@@ -5,23 +5,25 @@ use std::{
 
 use cidr::Ipv4Cidr;
 use harmony::{
-    hardware::{FirewallGroup, HostCategory, Location, PhysicalHost, SwitchGroup},
+    config::secret::SshKeyPair,
+    data::{FileContent, FilePath},
+    hardware::{HostCategory, Location, PhysicalHost, SwitchGroup},
     infra::opnsense::OPNSenseManagementInterface,
     inventory::Inventory,
-    maestro::Maestro,
     modules::{
         http::StaticFilesHttpScore,
-        ipxe::IpxeScore,
         okd::{
             bootstrap_dhcp::OKDBootstrapDhcpScore,
             bootstrap_load_balancer::OKDBootstrapLoadBalancerScore, dhcp::OKDDhcpScore,
-            dns::OKDDnsScore,
+            dns::OKDDnsScore, ipxe::OKDIpxeScore,
         },
         tftp::TftpScore,
     },
-    topology::{LogicalHost, UnmanagedRouter, Url},
+    topology::{LogicalHost, UnmanagedRouter},
 };
 use harmony_macros::{ip, mac_address};
+use harmony_secret::SecretManager;
+use harmony_types::net::Url;
 
 #[tokio::main]
 async fn main() {
@@ -87,8 +89,7 @@ async fn main() {
     let inventory = Inventory {
         location: Location::new("I am mobile".to_string(), "earth".to_string()),
         switch: SwitchGroup::from([]),
-        firewall: FirewallGroup::from([PhysicalHost::empty(HostCategory::Firewall)
-            .management(Arc::new(OPNSenseManagementInterface::new()))]),
+        firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
         storage_host: vec![],
         worker_host: vec![
             PhysicalHost::empty(HostCategory::Server)
@@ -125,21 +126,43 @@ async fn main() {
     let load_balancer_score =
         harmony::modules::okd::load_balancer::OKDLoadBalancerScore::new(&topology);
 
+    let ssh_key = SecretManager::get_or_prompt::<SshKeyPair>().await.unwrap();
+
     let tftp_score = TftpScore::new(Url::LocalFolder("./data/watchguard/tftpboot".to_string()));
-    let http_score = StaticFilesHttpScore::new(Url::LocalFolder(
-        "./data/watchguard/pxe-http-files".to_string(),
-    ));
-    let ipxe_score = IpxeScore::new();
-    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
-    maestro.register_all(vec![
-        Box::new(dns_score),
-        Box::new(bootstrap_dhcp_score),
-        Box::new(bootstrap_load_balancer_score),
-        Box::new(load_balancer_score),
-        Box::new(tftp_score),
-        Box::new(http_score),
-        Box::new(ipxe_score),
-        Box::new(dhcp_score),
-    ]);
-    harmony_tui::init(maestro).await.unwrap();
+    let http_score = StaticFilesHttpScore {
+        folder_to_serve: Some(Url::LocalFolder(
+            "./data/watchguard/pxe-http-files".to_string(),
+        )),
+        files: vec![],
+        remote_path: None,
+    };
+
+    let kickstart_filename = "inventory.kickstart".to_string();
+    let harmony_inventory_agent = "harmony_inventory_agent".to_string();
+
+    let ipxe_score = OKDIpxeScore {
+        kickstart_filename,
+        harmony_inventory_agent,
+        cluster_pubkey: FileContent {
+            path: FilePath::Relative("cluster_ssh_key.pub".to_string()),
+            content: ssh_key.public,
+        },
+    };
+
+    harmony_tui::run(
+        inventory,
+        topology,
+        vec![
+            Box::new(dns_score),
+            Box::new(bootstrap_dhcp_score),
+            Box::new(bootstrap_load_balancer_score),
+            Box::new(load_balancer_score),
+            Box::new(tftp_score),
+            Box::new(http_score),
+            Box::new(ipxe_score),
+            Box::new(dhcp_score),
+        ],
+    )
+    .await
+    .unwrap();
 }

examples/okd_installation/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "example-okd-install"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+publish = false
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+harmony_secret = { path = "../../harmony_secret" }
+harmony_secret_derive = { path = "../../harmony_secret_derive" }
+cidr = { workspace = true }
+tokio = { workspace = true }
+harmony_macros = { path = "../../harmony_macros" }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+serde.workspace = true

examples/okd_installation/env.sh

@@ -0,0 +1,4 @@
+export HARMONY_SECRET_NAMESPACE=example-vms
+export HARMONY_SECRET_STORE=file
+export HARMONY_DATABASE_URL=sqlite://harmony_vms.sqlite RUST_LOG=info 
+export RUST_LOG=info

examples/okd_installation/src/main.rs

@@ -0,0 +1,34 @@
+mod topology;
+
+use crate::topology::{get_inventory, get_topology};
+use harmony::{
+    config::secret::SshKeyPair,
+    data::{FileContent, FilePath},
+    modules::okd::{installation::OKDInstallationPipeline, ipxe::OKDIpxeScore},
+    score::Score,
+    topology::HAClusterTopology,
+};
+use harmony_secret::SecretManager;
+
+#[tokio::main]
+async fn main() {
+    let inventory = get_inventory();
+    let topology = get_topology().await;
+
+    let ssh_key = SecretManager::get_or_prompt::<SshKeyPair>().await.unwrap();
+
+    let mut scores: Vec<Box<dyn Score<HAClusterTopology>>> = vec![Box::new(OKDIpxeScore {
+        kickstart_filename: "inventory.kickstart".to_string(),
+        harmony_inventory_agent: "harmony_inventory_agent".to_string(),
+        cluster_pubkey: FileContent {
+            path: FilePath::Relative("cluster_ssh_key.pub".to_string()),
+            content: ssh_key.public,
+        },
+    })];
+
+    scores.append(&mut OKDInstallationPipeline::get_all_scores().await);
+
+    harmony_cli::run(inventory, topology, scores, None)
+        .await
+        .unwrap();
+}

examples/okd_installation/src/topology.rs

@@ -0,0 +1,77 @@
+use cidr::Ipv4Cidr;
+use harmony::{
+    hardware::{FirewallGroup, HostCategory, Location, PhysicalHost, SwitchGroup},
+    infra::opnsense::OPNSenseManagementInterface,
+    inventory::Inventory,
+    topology::{HAClusterTopology, LogicalHost, UnmanagedRouter},
+};
+use harmony_macros::{ip, ipv4};
+use harmony_secret::{Secret, SecretManager};
+use serde::{Deserialize, Serialize};
+use std::{net::IpAddr, sync::Arc};
+
+#[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
+struct OPNSenseFirewallConfig {
+    username: String,
+    password: String,
+}
+
+pub async fn get_topology() -> HAClusterTopology {
+    let firewall = harmony::topology::LogicalHost {
+        ip: ip!("192.168.1.1"),
+        name: String::from("opnsense-1"),
+    };
+
+    let config = SecretManager::get_or_prompt::<OPNSenseFirewallConfig>().await;
+    let config = config.unwrap();
+
+    let opnsense = Arc::new(
+        harmony::infra::opnsense::OPNSenseFirewall::new(
+            firewall,
+            None,
+            &config.username,
+            &config.password,
+        )
+        .await,
+    );
+    let lan_subnet = ipv4!("192.168.1.0");
+    let gateway_ipv4 = ipv4!("192.168.1.1");
+    let gateway_ip = IpAddr::V4(gateway_ipv4);
+    harmony::topology::HAClusterTopology {
+        domain_name: "demo.harmony.mcd".to_string(),
+        router: Arc::new(UnmanagedRouter::new(
+            gateway_ip,
+            Ipv4Cidr::new(lan_subnet, 24).unwrap(),
+        )),
+        load_balancer: opnsense.clone(),
+        firewall: opnsense.clone(),
+        tftp_server: opnsense.clone(),
+        http_server: opnsense.clone(),
+        dhcp_server: opnsense.clone(),
+        dns_server: opnsense.clone(),
+        control_plane: vec![LogicalHost {
+            ip: ip!("192.168.1.20"),
+            name: "master".to_string(),
+        }],
+        bootstrap_host: LogicalHost {
+            ip: ip!("192.168.1.10"),
+            name: "bootstrap".to_string(),
+        },
+        workers: vec![],
+        switch: vec![],
+    }
+}
+
+pub fn get_inventory() -> Inventory {
+    Inventory {
+        location: Location::new(
+            "Some virtual machine or maybe a physical machine if you're cool".to_string(),
+            "testopnsense".to_string(),
+        ),
+        switch: SwitchGroup::from([]),
+        firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
+        storage_host: vec![],
+        worker_host: vec![],
+        control_plane_host: vec![],
+    }
+}

examples/okd_installation/ssh_example_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAcemw8pbwuvHFaYynxBbS0Cf3ThYuj1Utr7CDqjwySHAAAAJikacCNpGnA
+jQAAAAtzc2gtZWQyNTUxOQAAACAcemw8pbwuvHFaYynxBbS0Cf3ThYuj1Utr7CDqjwySHA
+AAAECiiKk4V6Q5cVs6axDM4sjAzZn/QCZLQekmYQXS9XbEYxx6bDylvC68cVpjKfEFtLQJ
+/dOFi6PVS2vsIOqPDJIcAAAAEGplYW5nYWJAbGlsaWFuZTIBAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----

examples/okd_installation/ssh_example_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBx6bDylvC68cVpjKfEFtLQJ/dOFi6PVS2vsIOqPDJIc jeangab@liliane2

examples/okd_pxe/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "example-pxe"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+publish = false
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+harmony_secret = { path = "../../harmony_secret" }
+harmony_secret_derive = { path = "../../harmony_secret_derive" }
+cidr = { workspace = true }
+tokio = { workspace = true }
+harmony_macros = { path = "../../harmony_macros" }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+serde.workspace = true

examples/okd_pxe/src/main.rs

@@ -0,0 +1,32 @@
+mod topology;
+
+use crate::topology::{get_inventory, get_topology};
+use harmony::{
+    config::secret::SshKeyPair,
+    data::{FileContent, FilePath},
+    modules::okd::ipxe::OKDIpxeScore,
+};
+use harmony_secret::SecretManager;
+
+#[tokio::main]
+async fn main() {
+    let inventory = get_inventory();
+    let topology = get_topology().await;
+
+    let kickstart_filename = "inventory.kickstart".to_string();
+    let harmony_inventory_agent = "harmony_inventory_agent".to_string();
+    let ssh_key = SecretManager::get_or_prompt::<SshKeyPair>().await.unwrap();
+
+    let ipxe_score = OKDIpxeScore {
+        kickstart_filename,
+        harmony_inventory_agent,
+        cluster_pubkey: FileContent {
+            path: FilePath::Relative("cluster_ssh_key.pub".to_string()),
+            content: ssh_key.public,
+        },
+    };
+
+    harmony_cli::run(inventory, topology, vec![Box::new(ipxe_score)], None)
+        .await
+        .unwrap();
+}

examples/okd_pxe/src/topology.rs

@@ -0,0 +1,71 @@
+use cidr::Ipv4Cidr;
+use harmony::{
+    config::secret::OPNSenseFirewallCredentials,
+    hardware::{Location, SwitchGroup},
+    infra::opnsense::OPNSenseManagementInterface,
+    inventory::Inventory,
+    topology::{HAClusterTopology, LogicalHost, UnmanagedRouter},
+};
+use harmony_macros::{ip, ipv4};
+use harmony_secret::SecretManager;
+use std::{net::IpAddr, sync::Arc};
+
+pub async fn get_topology() -> HAClusterTopology {
+    let firewall = harmony::topology::LogicalHost {
+        ip: ip!("192.168.1.1"),
+        name: String::from("opnsense-1"),
+    };
+
+    let config = SecretManager::get_or_prompt::<OPNSenseFirewallCredentials>().await;
+    let config = config.unwrap();
+
+    let opnsense = Arc::new(
+        harmony::infra::opnsense::OPNSenseFirewall::new(
+            firewall,
+            None,
+            &config.username,
+            &config.password,
+        )
+        .await,
+    );
+    let lan_subnet = ipv4!("192.168.1.0");
+    let gateway_ipv4 = ipv4!("192.168.1.1");
+    let gateway_ip = IpAddr::V4(gateway_ipv4);
+    harmony::topology::HAClusterTopology {
+        domain_name: "demo.harmony.mcd".to_string(),
+        router: Arc::new(UnmanagedRouter::new(
+            gateway_ip,
+            Ipv4Cidr::new(lan_subnet, 24).unwrap(),
+        )),
+        load_balancer: opnsense.clone(),
+        firewall: opnsense.clone(),
+        tftp_server: opnsense.clone(),
+        http_server: opnsense.clone(),
+        dhcp_server: opnsense.clone(),
+        dns_server: opnsense.clone(),
+        control_plane: vec![LogicalHost {
+            ip: ip!("10.100.8.20"),
+            name: "cp0".to_string(),
+        }],
+        bootstrap_host: LogicalHost {
+            ip: ip!("10.100.8.20"),
+            name: "cp0".to_string(),
+        },
+        workers: vec![],
+        switch: vec![],
+    }
+}
+
+pub fn get_inventory() -> Inventory {
+    Inventory {
+        location: Location::new(
+            "Some virtual machine or maybe a physical machine if you're cool".to_string(),
+            "testopnsense".to_string(),
+        ),
+        switch: SwitchGroup::from([]),
+        firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
+        storage_host: vec![],
+        worker_host: vec![],
+        control_plane_host: vec![],
+    }
+}

examples/okd_pxe/ssh_example_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAcemw8pbwuvHFaYynxBbS0Cf3ThYuj1Utr7CDqjwySHAAAAJikacCNpGnA
+jQAAAAtzc2gtZWQyNTUxOQAAACAcemw8pbwuvHFaYynxBbS0Cf3ThYuj1Utr7CDqjwySHA
+AAAECiiKk4V6Q5cVs6axDM4sjAzZn/QCZLQekmYQXS9XbEYxx6bDylvC68cVpjKfEFtLQJ
+/dOFi6PVS2vsIOqPDJIcAAAAEGplYW5nYWJAbGlsaWFuZTIBAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----

examples/okd_pxe/ssh_example_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBx6bDylvC68cVpjKfEFtLQJ/dOFi6PVS2vsIOqPDJIc jeangab@liliane2

examples/opnsense/src/main.rs

@@ -5,10 +5,9 @@ use std::{
 
 use cidr::Ipv4Cidr;
 use harmony::{
-    hardware::{FirewallGroup, HostCategory, Location, PhysicalHost, SwitchGroup},
+    hardware::{HostCategory, Location, PhysicalHost, SwitchGroup},
     infra::opnsense::OPNSenseManagementInterface,
     inventory::Inventory,
-    maestro::Maestro,
     modules::{
         dummy::{ErrorScore, PanicScore, SuccessScore},
         http::StaticFilesHttpScore,
@@ -16,9 +15,10 @@ use harmony::{
         opnsense::OPNsenseShellCommandScore,
         tftp::TftpScore,
     },
-    topology::{LogicalHost, UnmanagedRouter, Url},
+    topology::{LogicalHost, UnmanagedRouter},
 };
 use harmony_macros::{ip, mac_address};
+use harmony_types::net::Url;
 
 #[tokio::main]
 async fn main() {
@@ -63,8 +63,7 @@ async fn main() {
             "wk".to_string(),
         ),
         switch: SwitchGroup::from([]),
-        firewall: FirewallGroup::from([PhysicalHost::empty(HostCategory::Firewall)
-            .management(Arc::new(OPNSenseManagementInterface::new()))]),
+        firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
         storage_host: vec![],
         worker_host: vec![],
         control_plane_host: vec![
@@ -81,23 +80,32 @@ async fn main() {
     let load_balancer_score = OKDLoadBalancerScore::new(&topology);
 
     let tftp_score = TftpScore::new(Url::LocalFolder("./data/watchguard/tftpboot".to_string()));
-    let http_score = StaticFilesHttpScore::new(Url::LocalFolder(
-        "./data/watchguard/pxe-http-files".to_string(),
-    ));
-    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
-    maestro.register_all(vec![
-        Box::new(dns_score),
-        Box::new(dhcp_score),
-        Box::new(load_balancer_score),
-        Box::new(tftp_score),
-        Box::new(http_score),
-        Box::new(OPNsenseShellCommandScore {
-            opnsense: opnsense.get_opnsense_config(),
-            command: "touch /tmp/helloharmonytouching".to_string(),
-        }),
-        Box::new(SuccessScore {}),
-        Box::new(ErrorScore {}),
-        Box::new(PanicScore {}),
-    ]);
-    harmony_tui::init(maestro).await.unwrap();
+    let http_score = StaticFilesHttpScore {
+        folder_to_serve: Some(Url::LocalFolder(
+            "./data/watchguard/pxe-http-files".to_string(),
+        )),
+        files: vec![],
+        remote_path: None,
+    };
+
+    harmony_tui::run(
+        inventory,
+        topology,
+        vec![
+            Box::new(dns_score),
+            Box::new(dhcp_score),
+            Box::new(load_balancer_score),
+            Box::new(tftp_score),
+            Box::new(http_score),
+            Box::new(OPNsenseShellCommandScore {
+                opnsense: opnsense.get_opnsense_config(),
+                command: "touch /tmp/helloharmonytouching".to_string(),
+            }),
+            Box::new(SuccessScore {}),
+            Box::new(ErrorScore {}),
+            Box::new(PanicScore {}),
+        ],
+    )
+    .await
+    .unwrap();
 }

examples/rhob_application_monitoring/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "rhob-application-monitoring"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+harmony_macros = { path = "../../harmony_macros" }
+tokio = { workspace = true }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+base64.workspace = true

examples/rhob_application_monitoring/src/main.rs

@@ -0,0 +1,49 @@
+use std::{path::PathBuf, sync::Arc};
+
+use harmony::{
+    inventory::Inventory,
+    modules::{
+        application::{
+            ApplicationScore, RustWebFramework, RustWebapp,
+            features::rhob_monitoring::RHOBMonitoring,
+        },
+        monitoring::alert_channel::discord_alert_channel::DiscordWebhook,
+    },
+    topology::K8sAnywhereTopology,
+};
+use harmony_types::net::Url;
+
+#[tokio::main]
+async fn main() {
+    let application = Arc::new(RustWebapp {
+        name: "test-rhob-monitoring".to_string(),
+        project_root: PathBuf::from("./webapp"), // Relative from 'harmony-path' param
+        framework: Some(RustWebFramework::Leptos),
+        service_port: 3000,
+    });
+
+    let discord_receiver = DiscordWebhook {
+        name: "test-discord".to_string(),
+        url: Url::Url(url::Url::parse("https://discord.doesnt.exist.com").unwrap()),
+    };
+
+    let app = ApplicationScore {
+        features: vec![
+            Box::new(RHOBMonitoring {
+                application: application.clone(),
+                alert_receiver: vec![Box::new(discord_receiver)],
+            }),
+            // TODO add backups, multisite ha, etc
+        ],
+        application,
+    };
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(),
+        vec![Box::new(app)],
+        None,
+    )
+    .await
+    .unwrap();
+}

examples/rust/src/main.rs

@@ -11,26 +11,27 @@ use harmony::{
             discord_alert_channel::DiscordWebhook, webhook_receiver::WebhookReceiver,
         },
     },
-    topology::{K8sAnywhereTopology, Url},
+    topology::K8sAnywhereTopology,
 };
+use harmony_macros::hurl;
 
 #[tokio::main]
 async fn main() {
     let application = Arc::new(RustWebapp {
         name: "harmony-example-rust-webapp".to_string(),
-        domain: Url::Url(url::Url::parse("https://rustapp.harmony.example.com").unwrap()),
-        project_root: PathBuf::from("./webapp"), // Relative from 'harmony-path' param
+        project_root: PathBuf::from("./webapp"),
         framework: Some(RustWebFramework::Leptos),
+        service_port: 3000,
     });
 
     let discord_receiver = DiscordWebhook {
         name: "test-discord".to_string(),
-        url: Url::Url(url::Url::parse("https://discord.doesnt.exist.com").unwrap()),
+        url: hurl!("https://discord.doesnt.exist.com"),
     };
 
     let webhook_receiver = WebhookReceiver {
         name: "sample-webhook-receiver".to_string(),
-        url: Url::Url(url::Url::parse("https://webhook-doesnt-exist.com").unwrap()),
+        url: hurl!("https://webhook-doesnt-exist.com"),
     };
 
     let app = ApplicationScore {

examples/tenant/src/main.rs

@@ -1,11 +1,11 @@
 use std::str::FromStr;
 
 use harmony::{
-    data::Id,
     inventory::Inventory,
     modules::tenant::TenantScore,
     topology::{K8sAnywhereTopology, tenant::TenantConfig},
 };
+use harmony_types::id::Id;
 
 #[tokio::main]
 async fn main() {

examples/try_rust_webapp/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "example-try-rust-webapp"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+harmony_macros = { path = "../../harmony_macros" }
+tokio = { workspace = true }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+base64.workspace = true

examples/try_rust_webapp/src/main.rs

@@ -0,0 +1,50 @@
+use harmony::{
+    inventory::Inventory,
+    modules::{
+        application::{
+            ApplicationScore, RustWebFramework, RustWebapp,
+            features::{ContinuousDelivery, Monitoring, rhob_monitoring::RHOBMonitoring},
+        },
+        monitoring::alert_channel::discord_alert_channel::DiscordWebhook,
+    },
+    topology::K8sAnywhereTopology,
+};
+use harmony_macros::hurl;
+use std::{path::PathBuf, sync::Arc};
+
+#[tokio::main]
+async fn main() {
+    let application = Arc::new(RustWebapp {
+        name: "harmony-example-tryrust".to_string(),
+        project_root: PathBuf::from("./tryrust.org"),
+        framework: Some(RustWebFramework::Leptos),
+        service_port: 8080,
+    });
+
+    let discord_receiver = DiscordWebhook {
+        name: "test-discord".to_string(),
+        url: hurl!("https://discord.doesnt.exist.com"),
+    };
+
+    let app = ApplicationScore {
+        features: vec![
+            Box::new(ContinuousDelivery {
+                application: application.clone(),
+            }),
+            Box::new(RHOBMonitoring {
+                application: application.clone(),
+                alert_receiver: vec![Box::new(discord_receiver)],
+            }),
+        ],
+        application,
+    };
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(),
+        vec![Box::new(app)],
+        None,
+    )
+    .await
+    .unwrap();
+}

examples/tui/src/main.rs

@@ -2,7 +2,6 @@ use std::net::{SocketAddr, SocketAddrV4};
 
 use harmony::{
     inventory::Inventory,
-    maestro::Maestro,
     modules::{
         dns::DnsScore,
         dummy::{ErrorScore, PanicScore, SuccessScore},
@@ -10,24 +9,26 @@ use harmony::{
     },
     topology::{
         BackendServer, DummyInfra, HealthCheck, HttpMethod, HttpStatusCode, LoadBalancerService,
+        SSL,
     },
 };
 use harmony_macros::ipv4;
 
 #[tokio::main]
 async fn main() {
-    let inventory = Inventory::autoload();
-    let topology = DummyInfra {};
-    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
-
-    maestro.register_all(vec![
-        Box::new(SuccessScore {}),
-        Box::new(ErrorScore {}),
-        Box::new(PanicScore {}),
-        Box::new(DnsScore::new(vec![], None)),
-        Box::new(build_large_score()),
-    ]);
-    harmony_tui::init(maestro).await.unwrap();
+    harmony_tui::run(
+        Inventory::autoload(),
+        DummyInfra {},
+        vec![
+            Box::new(SuccessScore {}),
+            Box::new(ErrorScore {}),
+            Box::new(PanicScore {}),
+            Box::new(DnsScore::new(vec![], None)),
+            Box::new(build_large_score()),
+        ],
+    )
+    .await
+    .unwrap();
 }
 
 fn build_large_score() -> LoadBalancerScore {
@@ -47,6 +48,7 @@ fn build_large_score() -> LoadBalancerScore {
                 .to_string(),
             HttpMethod::GET,
             HttpStatusCode::Success2xx,
+            SSL::Disabled,
         )),
     };
     LoadBalancerScore {

examples/validate_ceph_cluster_health/Cargo.toml

@@ -0,0 +1,11 @@
+[package]
+name = "example_validate_ceph_cluster_health"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { version = "0.1.0", path = "../../harmony" }
+harmony_cli = { version = "0.1.0", path = "../../harmony_cli" }
+tokio.workspace = true

examples/validate_ceph_cluster_health/src/main.rs

@@ -0,0 +1,18 @@
+use harmony::{
+    inventory::Inventory,
+    modules::storage::ceph::ceph_validate_health_score::CephVerifyClusterHealth,
+    topology::K8sAnywhereTopology,
+};
+
+#[tokio::main]
+async fn main() {
+    let ceph_health_score = CephVerifyClusterHealth {
+        rook_ceph_namespace: "rook-ceph".to_string(),
+    };
+
+    let topology = K8sAnywhereTopology::from_env();
+    let inventory = Inventory::autoload();
+    harmony_cli::run(inventory, topology, vec![Box::new(ceph_health_score)], None)
+        .await
+        .unwrap();
+}

harmony/Cargo.toml

@@ -9,15 +9,17 @@ license.workspace = true
 testing = []
 
 [dependencies]
-rand = "0.9"
 hex = "0.4"
-libredfish = "0.1.1"
-reqwest = { version = "0.11", features = ["blocking", "json"] }
+reqwest = { version = "0.11", features = [
+  "blocking",
+  "json",
+  "rustls-tls",
+], default-features = false }
 russh = "0.45.0"
 rust-ipmi = "0.1.1"
 semver = "1.0.23"
-serde = { version = "1.0.209", features = ["derive", "rc"] }
-serde_json = "1.0.127"
+serde.workspace = true
+serde_json.workspace = true
 tokio.workspace = true
 derive-new.workspace = true
 log.workspace = true
@@ -38,8 +40,8 @@ serde-value.workspace = true
 helm-wrapper-rs = "0.4.0"
 non-blank-string-rs = "1.0.4"
 k3d-rs = { path = "../k3d" }
-directories = "6.0.0"
-lazy_static = "1.5.0"
+directories.workspace = true
+lazy_static.workspace = true
 dockerfile_builder = "0.1.5"
 temp-file = "0.1.9"
 convert_case.workspace = true
@@ -59,14 +61,22 @@ similar.workspace = true
 futures-util = "0.3.31"
 tokio-util = "0.7.15"
 strum = { version = "0.27.1", features = ["derive"] }
-tempfile = "3.20.0"
+tempfile.workspace = true
 serde_with = "3.14.0"
 schemars = "0.8.22"
 kube-derive = "1.1.0"
 bollard.workspace = true
 tar.workspace = true
 base64.workspace = true
+thiserror.workspace = true
 once_cell = "1.21.3"
+walkdir = "2.5.0"
+harmony_inventory_agent = { path = "../harmony_inventory_agent" }
+harmony_secret_derive = { path = "../harmony_secret_derive" }
+harmony_secret = { path = "../harmony_secret" }
+askama.workspace = true
+sqlx.workspace = true
+inquire.workspace = true
 
 [dev-dependencies]
 pretty_assertions.workspace = true

harmony/src/domain/config/mod.rs

@@ -1,3 +1,5 @@
+pub mod secret;
+
 use lazy_static::lazy_static;
 use std::path::PathBuf;
 
@@ -12,4 +14,12 @@ lazy_static! {
         std::env::var("HARMONY_REGISTRY_PROJECT").unwrap_or_else(|_| "harmony".to_string());
     pub static ref DRY_RUN: bool =
         std::env::var("HARMONY_DRY_RUN").is_ok_and(|value| value.parse().unwrap_or(false));
+    pub static ref DEFAULT_DATABASE_URL: String = "sqlite://harmony.sqlite".to_string();
+    pub static ref DATABASE_URL: String = std::env::var("HARMONY_DATABASE_URL")
+        .map(|value| if value.is_empty() {
+            (*DEFAULT_DATABASE_URL).clone()
+        } else {
+            value
+        })
+        .unwrap_or((*DEFAULT_DATABASE_URL).clone());
 }

harmony/src/domain/config/secret.rs

@@ -0,0 +1,20 @@
+use harmony_secret_derive::Secret;
+use serde::{Deserialize, Serialize};
+
+#[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
+pub struct OPNSenseFirewallCredentials {
+    pub username: String,
+    pub password: String,
+}
+
+// TODO we need a better way to handle multiple "instances" of the same secret structure.
+#[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
+pub struct SshKeyPair {
+    pub private: String,
+    pub public: String,
+}
+
+#[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
+pub struct RedhatSecret {
+    pub pull_secret: String,
+}

harmony/src/domain/data/file.rs

@@ -0,0 +1,22 @@
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct FileContent {
+    pub path: FilePath,
+    pub content: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum FilePath {
+    Relative(String),
+    Absolute(String),
+}
+
+impl std::fmt::Display for FilePath {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            FilePath::Relative(path) => f.write_fmt(format_args!("./{path}")),
+            FilePath::Absolute(path) => f.write_fmt(format_args!("/{path}")),
+        }
+    }
+}

harmony/src/domain/data/id.rs

@@ -24,6 +24,14 @@ pub struct Id {
     value: String,
 }
 
+impl Id {
+    pub fn empty() -> Self {
+        Id {
+            value: String::new(),
+        }
+    }
+}
+
 impl FromStr for Id {
     type Err = ();
 
@@ -34,6 +42,12 @@ impl FromStr for Id {
     }
 }
 
+impl From<String> for Id {
+    fn from(value: String) -> Self {
+        Self { value }
+    }
+}
+
 impl std::fmt::Display for Id {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         f.write_str(&self.value)

harmony/src/domain/data/mod.rs

@@ -1,4 +1,4 @@
-mod id;
+mod file;
 mod version;
-pub use id::*;
+pub use file::*;
 pub use version::*;

harmony/src/domain/executors/mod.rs

@@ -1,8 +1,7 @@
 use std::fmt;
 
 use async_trait::async_trait;
-
-use super::topology::IpAddress;
+use harmony_types::net::IpAddress;
 
 #[derive(Debug)]
 pub enum ExecutorError {

harmony/src/domain/hardware/mod.rs

@@ -1,38 +1,246 @@
-use std::sync::Arc;
-
 use derive_new::new;
+use harmony_inventory_agent::hwinfo::{CPU, MemoryModule, NetworkInterface, StorageDrive};
 use harmony_types::net::MacAddress;
-use serde::{Serialize, Serializer, ser::SerializeStruct};
+use serde::{Deserialize, Serialize};
 use serde_value::Value;
 
 pub type HostGroup = Vec<PhysicalHost>;
 pub type SwitchGroup = Vec<Switch>;
 pub type FirewallGroup = Vec<PhysicalHost>;
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct PhysicalHost {
+    pub id: Id,
     pub category: HostCategory,
     pub network: Vec<NetworkInterface>,
-    pub management: Arc<dyn ManagementInterface>,
-    pub storage: Vec<Storage>,
+    pub storage: Vec<StorageDrive>,
     pub labels: Vec<Label>,
-    pub memory_size: Option<u64>,
-    pub cpu_count: Option<u64>,
+    pub memory_modules: Vec<MemoryModule>,
+    pub cpus: Vec<CPU>,
 }
 
 impl PhysicalHost {
     pub fn empty(category: HostCategory) -> Self {
         Self {
+            id: Id::empty(),
             category,
             network: vec![],
             storage: vec![],
             labels: vec![],
-            management: Arc::new(ManualManagementInterface {}),
-            memory_size: None,
-            cpu_count: None,
+            memory_modules: vec![],
+            cpus: vec![],
         }
     }
 
+    pub fn summary(&self) -> String {
+        let mut parts = Vec::new();
+
+        // Part 1: System Model (from labels) or Category as a fallback
+        let model = self
+            .labels
+            .iter()
+            .find(|l| l.name == "system-product-name" || l.name == "model")
+            .map(|l| l.value.clone())
+            .unwrap_or_else(|| self.category.to_string());
+        parts.push(model);
+
+        // Part 2: CPU Information
+        if !self.cpus.is_empty() {
+            let cpu_count = self.cpus.len();
+            let total_cores = self.cpus.iter().map(|c| c.cores).sum::<u32>();
+            let total_threads = self.cpus.iter().map(|c| c.threads).sum::<u32>();
+            let model_name = &self.cpus[0].model;
+
+            let cpu_summary = if cpu_count > 1 {
+                format!(
+                    "{}x {} ({}c/{}t)",
+                    cpu_count, model_name, total_cores, total_threads
+                )
+            } else {
+                format!("{} ({}c/{}t)", model_name, total_cores, total_threads)
+            };
+            parts.push(cpu_summary);
+        }
+
+        // Part 3: Memory Information
+        if !self.memory_modules.is_empty() {
+            let total_mem_bytes = self
+                .memory_modules
+                .iter()
+                .map(|m| m.size_bytes)
+                .sum::<u64>();
+            let total_mem_gb = (total_mem_bytes as f64 / (1024.0 * 1024.0 * 1024.0)).round() as u64;
+
+            // Find the most common speed among modules
+            let mut speeds = std::collections::HashMap::new();
+            for module in &self.memory_modules {
+                if let Some(speed) = module.speed_mhz {
+                    *speeds.entry(speed).or_insert(0) += 1;
+                }
+            }
+            let common_speed = speeds
+                .into_iter()
+                .max_by_key(|&(_, count)| count)
+                .map(|(speed, _)| speed);
+
+            if let Some(speed) = common_speed {
+                parts.push(format!("{} GB RAM @ {}MHz", total_mem_gb, speed));
+            } else {
+                parts.push(format!("{} GB RAM", total_mem_gb));
+            }
+        }
+
+        // Part 4: Storage Information
+        if !self.storage.is_empty() {
+            let total_storage_bytes = self.storage.iter().map(|d| d.size_bytes).sum::<u64>();
+            let drive_count = self.storage.len();
+            let first_drive_model = &self.storage[0].model;
+
+            // Helper to format bytes into TB or GB
+            let format_storage = |bytes: u64| {
+                let tb = bytes as f64 / (1024.0 * 1024.0 * 1024.0 * 1024.0);
+                if tb >= 1.0 {
+                    format!("{:.2} TB", tb)
+                } else {
+                    let gb = bytes as f64 / (1024.0 * 1024.0 * 1024.0);
+                    format!("{:.0} GB", gb)
+                }
+            };
+
+            let storage_summary = if drive_count > 1 {
+                format!(
+                    "{} Storage ({}x {})",
+                    format_storage(total_storage_bytes),
+                    drive_count,
+                    first_drive_model
+                )
+            } else {
+                format!(
+                    "{} Storage ({})",
+                    format_storage(total_storage_bytes),
+                    first_drive_model
+                )
+            };
+            parts.push(storage_summary);
+        }
+
+        // Part 5: Network Information
+        // Prioritize an "up" interface with an IPv4 address
+        let best_nic = self
+            .network
+            .iter()
+            .find(|n| n.is_up && !n.ipv4_addresses.is_empty())
+            .or_else(|| self.network.first());
+
+        if let Some(nic) = best_nic {
+            let speed = nic
+                .speed_mbps
+                .map(|s| format!("{}Gbps", s / 1000))
+                .unwrap_or_else(|| "N/A".to_string());
+            let mac = nic.mac_address.to_string();
+            let nic_summary = if let Some(ip) = nic.ipv4_addresses.first() {
+                format!("NIC: {} ({}, {})", speed, ip, mac)
+            } else {
+                format!("NIC: {} ({})", speed, mac)
+            };
+            parts.push(nic_summary);
+        }
+
+        parts.join(" | ")
+    }
+
+    pub fn parts_list(&self) -> String {
+        let PhysicalHost {
+            id,
+            category,
+            network,
+            storage,
+            labels,
+            memory_modules,
+            cpus,
+        } = self;
+
+        let mut parts_list = String::new();
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nHost ID {id}"));
+        parts_list.push_str("\n=====================");
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nCPU count {}", cpus.len()));
+        parts_list.push_str("\n=====================");
+        cpus.iter().for_each(|c| {
+            let CPU {
+                model,
+                vendor,
+                cores,
+                threads,
+                frequency_mhz,
+            } = c;
+            parts_list.push_str(&format!(
+                "\n{vendor} {model}, {cores}/{threads} {}Ghz",
+                *frequency_mhz as f64 / 1000.0
+            ));
+        });
+
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nNetwork Interfaces count {}", network.len()));
+        parts_list.push_str("\n=====================");
+        network.iter().for_each(|nic| {
+            parts_list.push_str(&format!(
+                "\nNic({} {}Gbps mac({}) ipv4({}), ipv6({})",
+                nic.name,
+                nic.speed_mbps.unwrap_or(0) / 1000,
+                nic.mac_address,
+                nic.ipv4_addresses.join(","),
+                nic.ipv6_addresses.join(",")
+            ));
+        });
+
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nStorage drives count {}", storage.len()));
+        parts_list.push_str("\n=====================");
+        storage.iter().for_each(|drive| {
+            let StorageDrive {
+                name,
+                model,
+                serial,
+                size_bytes,
+                logical_block_size: _,
+                physical_block_size: _,
+                rotational: _,
+                wwn: _,
+                interface_type,
+                smart_status,
+            } = drive;
+            parts_list.push_str(&format!(
+                "\n{name} {}Gb {model} {interface_type} smart({smart_status:?}) {serial}",
+                size_bytes / 1000 / 1000 / 1000
+            ));
+        });
+
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nMemory modules count {}", memory_modules.len()));
+        parts_list.push_str("\n=====================");
+        memory_modules.iter().for_each(|mem| {
+            let MemoryModule {
+                size_bytes,
+                speed_mhz,
+                manufacturer,
+                part_number,
+                serial_number,
+                rank,
+            } = mem;
+            parts_list.push_str(&format!(
+                "\n{}Gb, {}Mhz, Manufacturer ({}), Part Number ({})",
+                size_bytes / 1000 / 1000 / 1000,
+                speed_mhz.unwrap_or(0),
+                manufacturer.as_ref().unwrap_or(&String::new()),
+                part_number.as_ref().unwrap_or(&String::new()),
+            ));
+        });
+
+        parts_list
+    }
+
     pub fn cluster_mac(&self) -> MacAddress {
         self.network
             .first()
@@ -40,93 +248,72 @@ impl PhysicalHost {
             .mac_address
     }
 
-    pub fn cpu(mut self, cpu_count: Option<u64>) -> Self {
-        self.cpu_count = cpu_count;
-        self
-    }
-
-    pub fn memory_size(mut self, memory_size: Option<u64>) -> Self {
-        self.memory_size = memory_size;
-        self
-    }
-
-    pub fn storage(
-        mut self,
-        connection: StorageConnectionType,
-        kind: StorageKind,
-        size: u64,
-        serial: String,
-    ) -> Self {
-        self.storage.push(Storage {
-            connection,
-            kind,
-            size,
-            serial,
-        });
-        self
-    }
-
     pub fn mac_address(mut self, mac_address: MacAddress) -> Self {
         self.network.push(NetworkInterface {
-            name: None,
+            name: String::new(),
             mac_address,
-            speed: None,
+            speed_mbps: None,
+            is_up: false,
+            mtu: 0,
+            ipv4_addresses: vec![],
+            ipv6_addresses: vec![],
+            driver: String::new(),
+            firmware_version: None,
         });
         self
     }
 
+    pub fn get_mac_address(&self) -> Vec<MacAddress> {
+        self.network.iter().map(|nic| nic.mac_address).collect()
+    }
+
     pub fn label(mut self, name: String, value: String) -> Self {
         self.labels.push(Label { name, value });
         self
     }
-
-    pub fn management(mut self, management: Arc<dyn ManagementInterface>) -> Self {
-        self.management = management;
-        self
-    }
 }
 
 // Custom Serialize implementation for PhysicalHost
-impl Serialize for PhysicalHost {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: Serializer,
-    {
-        // Determine the number of fields
-        let mut num_fields = 5; // category, network, storage, labels, management
-        if self.memory_size.is_some() {
-            num_fields += 1;
-        }
-        if self.cpu_count.is_some() {
-            num_fields += 1;
-        }
-
-        // Create a serialization structure
-        let mut state = serializer.serialize_struct("PhysicalHost", num_fields)?;
-
-        // Serialize the standard fields
-        state.serialize_field("category", &self.category)?;
-        state.serialize_field("network", &self.network)?;
-        state.serialize_field("storage", &self.storage)?;
-        state.serialize_field("labels", &self.labels)?;
-
-        // Serialize optional fields
-        if let Some(memory) = self.memory_size {
-            state.serialize_field("memory_size", &memory)?;
-        }
-        if let Some(cpu) = self.cpu_count {
-            state.serialize_field("cpu_count", &cpu)?;
-        }
-
-        let mgmt_data = self.management.serialize_management();
-        // pub management: Arc<dyn ManagementInterface>,
-
-        // Handle management interface - either as a field or flattened
-        state.serialize_field("management", &mgmt_data)?;
-
-        state.end()
-    }
-}
+// impl Serialize for PhysicalHost {
+//     fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+//     where
+//         S: Serializer,
+//     {
+//         // Determine the number of fields
+//         let mut num_fields = 5; // category, network, storage, labels, management
+//         if self.memory_modules.is_some() {
+//             num_fields += 1;
+//         }
+//         if self.cpus.is_some() {
+//             num_fields += 1;
+//         }
+//
+//         // Create a serialization structure
+//         let mut state = serializer.serialize_struct("PhysicalHost", num_fields)?;
+//
+//         // Serialize the standard fields
+//         state.serialize_field("category", &self.category)?;
+//         state.serialize_field("network", &self.network)?;
+//         state.serialize_field("storage", &self.storage)?;
+//         state.serialize_field("labels", &self.labels)?;
+//
+//         // Serialize optional fields
+//         if let Some(memory) = self.memory_modules {
+//             state.serialize_field("memory_size", &memory)?;
+//         }
+//         if let Some(cpu) = self.cpus {
+//             state.serialize_field("cpu_count", &cpu)?;
+//         }
+//
+//         let mgmt_data = self.management.serialize_management();
+//         // pub management: Arc<dyn ManagementInterface>,
+//
+//         // Handle management interface - either as a field or flattened
+//         state.serialize_field("management", &mgmt_data)?;
+//
+//         state.end()
+//     }
+// }
 
 #[derive(new, Serialize)]
 pub struct ManualManagementInterface;
@@ -171,66 +358,14 @@ where
     }
 }
 
-#[derive(Debug, Clone, Serialize)]
+#[derive(Debug, Clone, Serialize, Deserialize)]
 pub enum HostCategory {
     Server,
     Firewall,
     Switch,
 }
 
-#[derive(Debug, new, Clone, Serialize)]
-pub struct NetworkInterface {
-    pub name: Option<String>,
-    pub mac_address: MacAddress,
-    pub speed: Option<u64>,
-}
-
-#[cfg(test)]
-use harmony_macros::mac_address;
-#[cfg(test)]
-impl NetworkInterface {
-    pub fn dummy() -> Self {
-        Self {
-            name: Some(String::new()),
-            mac_address: mac_address!("00:00:00:00:00:00"),
-            speed: Some(0),
-        }
-    }
-}
-
-#[derive(Debug, new, Clone, Serialize)]
-pub enum StorageConnectionType {
-    Sata3g,
-    Sata6g,
-    Sas6g,
-    Sas12g,
-    PCIE,
-}
-#[derive(Debug, Clone, Serialize)]
-pub enum StorageKind {
-    SSD,
-    NVME,
-    HDD,
-}
-#[derive(Debug, new, Clone, Serialize)]
-pub struct Storage {
-    pub connection: StorageConnectionType,
-    pub kind: StorageKind,
-    pub size: u64,
-    pub serial: String,
-}
-
-#[cfg(test)]
-impl Storage {
-    pub fn dummy() -> Self {
-        Self {
-            connection: StorageConnectionType::Sata3g,
-            kind: StorageKind::SSD,
-            size: 0,
-            serial: String::new(),
-        }
-    }
-}
+use harmony_types::id::Id;
 
 #[derive(Debug, Clone, Serialize)]
 pub struct Switch {
@@ -238,7 +373,7 @@ pub struct Switch {
     _management_interface: NetworkInterface,
 }
 
-#[derive(Debug, new, Clone, Serialize)]
+#[derive(Debug, new, Clone, Serialize, Deserialize)]
 pub struct Label {
     pub name: String,
     pub value: String,
@@ -261,146 +396,65 @@ impl Location {
     }
 }
 
+impl std::fmt::Display for HostCategory {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            HostCategory::Server => write!(f, "Server"),
+            HostCategory::Firewall => write!(f, "Firewall"),
+            HostCategory::Switch => write!(f, "Switch"),
+        }
+    }
+}
+
+impl std::fmt::Display for Label {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "{}: {}", self.name, self.value)
+    }
+}
+
+impl std::fmt::Display for Location {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "Address: {}, Name: {}", self.address, self.name)
+    }
+}
+
+impl std::fmt::Display for PhysicalHost {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "{}", self.summary())
+    }
+}
+
+impl std::fmt::Display for Switch {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "Switch with {} interfaces", self._interface.len())
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
-    use serde::{Deserialize, Serialize};
-    use std::sync::Arc;
-
-    // Mock implementation of ManagementInterface
-    #[derive(Debug, Clone, Serialize, Deserialize)]
-    struct MockHPIlo {
-        ip: String,
-        username: String,
-        password: String,
-        firmware_version: String,
-    }
-
-    impl ManagementInterface for MockHPIlo {
-        fn boot_to_pxe(&self) {}
-
-        fn get_supported_protocol_names(&self) -> String {
-            String::new()
-        }
-    }
-
-    // Another mock implementation
-    #[derive(Debug, Clone, Serialize, Deserialize)]
-    struct MockDellIdrac {
-        hostname: String,
-        port: u16,
-        api_token: String,
-    }
-
-    impl ManagementInterface for MockDellIdrac {
-        fn boot_to_pxe(&self) {}
-
-        fn get_supported_protocol_names(&self) -> String {
-            String::new()
-        }
-    }
-
-    #[test]
-    fn test_serialize_physical_host_with_hp_ilo() {
-        // Create a PhysicalHost with HP iLO management
-        let host = PhysicalHost {
-            category: HostCategory::Server,
-            network: vec![NetworkInterface::dummy()],
-            management: Arc::new(MockHPIlo {
-                ip: "192.168.1.100".to_string(),
-                username: "admin".to_string(),
-                password: "password123".to_string(),
-                firmware_version: "2.5.0".to_string(),
-            }),
-            storage: vec![Storage::dummy()],
-            labels: vec![Label::new("datacenter".to_string(), "us-east".to_string())],
-            memory_size: Some(64_000_000),
-            cpu_count: Some(16),
-        };
-
-        // Serialize to JSON
-        let json = serde_json::to_string(&host).expect("Failed to serialize host");
-
-        // Check that the serialized JSON contains the HP iLO details
-        assert!(json.contains("192.168.1.100"));
-        assert!(json.contains("admin"));
-        assert!(json.contains("password123"));
-        assert!(json.contains("firmware_version"));
-        assert!(json.contains("2.5.0"));
-
-        // Parse back to verify structure (not the exact management interface)
-        let parsed: serde_json::Value = serde_json::from_str(&json).expect("Failed to parse JSON");
-
-        // Verify basic structure
-        assert_eq!(parsed["cpu_count"], 16);
-        assert_eq!(parsed["memory_size"], 64_000_000);
-        assert_eq!(parsed["network"][0]["name"], "");
-    }
-
-    #[test]
-    fn test_serialize_physical_host_with_dell_idrac() {
-        // Create a PhysicalHost with Dell iDRAC management
-        let host = PhysicalHost {
-            category: HostCategory::Server,
-            network: vec![NetworkInterface::dummy()],
-            management: Arc::new(MockDellIdrac {
-                hostname: "idrac-server01".to_string(),
-                port: 443,
-                api_token: "abcdef123456".to_string(),
-            }),
-            storage: vec![Storage::dummy()],
-            labels: vec![Label::new("env".to_string(), "production".to_string())],
-            memory_size: Some(128_000_000),
-            cpu_count: Some(32),
-        };
-
-        // Serialize to JSON
-        let json = serde_json::to_string(&host).expect("Failed to serialize host");
-
-        // Check that the serialized JSON contains the Dell iDRAC details
-        assert!(json.contains("idrac-server01"));
-        assert!(json.contains("443"));
-        assert!(json.contains("abcdef123456"));
-
-        // Parse back to verify structure
-        let parsed: serde_json::Value = serde_json::from_str(&json).expect("Failed to parse JSON");
-
-        // Verify basic structure
-        assert_eq!(parsed["cpu_count"], 32);
-        assert_eq!(parsed["memory_size"], 128_000_000);
-        assert_eq!(parsed["storage"][0]["path"], serde_json::Value::Null);
-    }
 
     #[test]
     fn test_different_management_implementations_produce_valid_json() {
         // Create hosts with different management implementations
         let host1 = PhysicalHost {
+            id: Id::empty(),
             category: HostCategory::Server,
             network: vec![],
-            management: Arc::new(MockHPIlo {
-                ip: "10.0.0.1".to_string(),
-                username: "root".to_string(),
-                password: "secret".to_string(),
-                firmware_version: "3.0.0".to_string(),
-            }),
             storage: vec![],
             labels: vec![],
-            memory_size: None,
-            cpu_count: None,
+            memory_modules: vec![],
+            cpus: vec![],
         };
 
         let host2 = PhysicalHost {
+            id: Id::empty(),
             category: HostCategory::Server,
             network: vec![],
-            management: Arc::new(MockDellIdrac {
-                hostname: "server02-idrac".to_string(),
-                port: 8443,
-                api_token: "token123".to_string(),
-            }),
             storage: vec![],
             labels: vec![],
-            memory_size: None,
-            cpu_count: None,
+            memory_modules: vec![],
+            cpus: vec![],
         };
 
         // Both should serialize successfully
@@ -410,8 +464,5 @@ mod tests {
         // Both JSONs should be valid and parseable
         let _: serde_json::Value = serde_json::from_str(&json1).expect("Invalid JSON for host1");
         let _: serde_json::Value = serde_json::from_str(&json2).expect("Invalid JSON for host2");
-
-        // The JSONs should be different because they contain different management interfaces
-        assert_ne!(json1, json2);
     }
 }

harmony/src/domain/instrumentation.rs

@@ -1,6 +1,5 @@
-use log::debug;
 use once_cell::sync::Lazy;
-use tokio::sync::broadcast;
+use std::{collections::HashMap, sync::Mutex};
 
 use crate::modules::application::ApplicationFeatureStatus;
 
@@ -40,43 +39,46 @@ pub enum HarmonyEvent {
     },
 }
 
-static HARMONY_EVENT_BUS: Lazy<broadcast::Sender<HarmonyEvent>> = Lazy::new(|| {
-    // TODO: Adjust channel capacity
-    let (tx, _rx) = broadcast::channel(100);
-    tx
-});
+type Subscriber = Box<dyn Fn(&HarmonyEvent) + Send + Sync>;
 
-pub fn instrument(event: HarmonyEvent) -> Result<(), &'static str> {
-    if cfg!(any(test, feature = "testing")) {
-        let _ = event; // Suppress the "unused variable" warning for `event`
-        Ok(())
-    } else {
-        match HARMONY_EVENT_BUS.send(event) {
-            Ok(_) => Ok(()),
-            Err(_) => Err("send error: no subscribers"),
-        }
-    }
-}
+static SUBSCRIBERS: Lazy<Mutex<HashMap<String, Subscriber>>> =
+    Lazy::new(|| Mutex::new(HashMap::new()));
 
-pub async fn subscribe<F, Fut>(name: &str, mut handler: F)
+/// Subscribes a listener to all instrumentation events.
+///
+/// Simply provide a unique name and a closure to run when an event happens.
+///
+/// # Example
+/// ```
+/// use harmony::instrumentation;
+/// instrumentation::subscribe("my_logger", |event| {
+///   println!("Event occurred: {:?}", event);
+/// });
+/// ```
+pub fn subscribe<F>(name: &str, callback: F)
 where
-    F: FnMut(HarmonyEvent) -> Fut + Send + 'static,
-    Fut: Future<Output = bool> + Send,
+    F: Fn(&HarmonyEvent) + Send + Sync + 'static,
 {
-    let mut rx = HARMONY_EVENT_BUS.subscribe();
-    debug!("[{name}] Service started. Listening for events...");
-    loop {
-        match rx.recv().await {
-            Ok(event) => {
-                if !handler(event).await {
-                    debug!("[{name}] Handler requested exit.");
-                    break;
-                }
-            }
-            Err(broadcast::error::RecvError::Lagged(n)) => {
-                debug!("[{name}] Lagged behind by {n} messages.");
-            }
-            Err(_) => break,
-        }
-    }
+    let mut subs = SUBSCRIBERS.lock().unwrap();
+    subs.insert(name.to_string(), Box::new(callback));
+}
+
+/// Instruments an event, notifying all subscribers.
+///
+/// This will call every closure that was registered with `subscribe`.
+///
+/// # Example
+/// ```
+/// use harmony::instrumentation;
+/// use harmony::instrumentation::HarmonyEvent;
+/// instrumentation::instrument(HarmonyEvent::HarmonyStarted);
+/// ```
+pub fn instrument(event: HarmonyEvent) -> Result<(), &'static str> {
+    let subs = SUBSCRIBERS.lock().unwrap();
+
+    for callback in subs.values() {
+        callback(&event);
+    }
+
+    Ok(())
 }

harmony/src/domain/interpret/mod.rs

@@ -1,13 +1,11 @@
+use harmony_types::id::Id;
 use std::error::Error;
 
 use async_trait::async_trait;
 use derive_new::new;
 
 use super::{
-    data::{Id, Version},
-    executors::ExecutorError,
-    inventory::Inventory,
-    topology::PreparationError,
+    data::Version, executors::ExecutorError, inventory::Inventory, topology::PreparationError,
 };
 
 pub enum InterpretName {
@@ -32,6 +30,10 @@ pub enum InterpretName {
     Lamp,
     ApplicationMonitoring,
     K8sPrometheusCrdAlerting,
+    DiscoverInventoryAgent,
+    CephClusterHealth,
+    Custom(&'static str),
+    RHOBAlerting,
 }
 
 impl std::fmt::Display for InterpretName {
@@ -58,6 +60,10 @@ impl std::fmt::Display for InterpretName {
             InterpretName::Lamp => f.write_str("LAMP"),
             InterpretName::ApplicationMonitoring => f.write_str("ApplicationMonitoring"),
             InterpretName::K8sPrometheusCrdAlerting => f.write_str("K8sPrometheusCrdAlerting"),
+            InterpretName::DiscoverInventoryAgent => f.write_str("DiscoverInventoryAgent"),
+            InterpretName::CephClusterHealth => f.write_str("CephClusterHealth"),
+            InterpretName::Custom(name) => f.write_str(name),
+            InterpretName::RHOBAlerting => f.write_str("RHOBAlerting"),
         }
     }
 }
@@ -138,6 +144,12 @@ impl From<PreparationError> for InterpretError {
     }
 }
 
+impl From<harmony_secret::SecretStoreError> for InterpretError {
+    fn from(value: harmony_secret::SecretStoreError) -> Self {
+        InterpretError::new(format!("Interpret error : {value}"))
+    }
+}
+
 impl From<ExecutorError> for InterpretError {
     fn from(value: ExecutorError) -> Self {
         Self {

harmony/src/domain/inventory/mod.rs

@@ -1,3 +1,6 @@
+mod repository;
+pub use repository::*;
+
 #[derive(Debug, new, Clone)]
 pub struct InventoryFilter {
     target: Vec<Filter>,
@@ -14,10 +17,14 @@ impl InventoryFilter {
 
 use derive_new::new;
 use log::info;
+use serde::{Deserialize, Serialize};
+use strum::EnumIter;
+
+use crate::hardware::{ManagementInterface, ManualManagementInterface};
 
 use super::{
     filter::Filter,
-    hardware::{FirewallGroup, HostGroup, Location, SwitchGroup},
+    hardware::{HostGroup, Location, SwitchGroup},
 };
 
 #[derive(Debug)]
@@ -27,7 +34,7 @@ pub struct Inventory {
     // Firewall is really just a host but with somewhat specialized hardware
     // I'm not entirely sure it belongs to its own category but it helps make things easier and
     // clearer for now so let's try it this way.
-    pub firewall: FirewallGroup,
+    pub firewall_mgmt: Box<dyn ManagementInterface>,
     pub worker_host: HostGroup,
     pub storage_host: HostGroup,
     pub control_plane_host: HostGroup,
@@ -38,7 +45,7 @@ impl Inventory {
         Self {
             location: Location::new("Empty".to_string(), "location".to_string()),
             switch: vec![],
-            firewall: vec![],
+            firewall_mgmt: Box::new(ManualManagementInterface {}),
             worker_host: vec![],
             storage_host: vec![],
             control_plane_host: vec![],
@@ -49,10 +56,18 @@ impl Inventory {
         Self {
             location: Location::test_building(),
             switch: SwitchGroup::new(),
-            firewall: FirewallGroup::new(),
+            firewall_mgmt: Box::new(ManualManagementInterface {}),
             worker_host: HostGroup::new(),
             storage_host: HostGroup::new(),
             control_plane_host: HostGroup::new(),
         }
     }
 }
+
+#[derive(Debug, Serialize, Deserialize, sqlx::Type, Clone, EnumIter)]
+pub enum HostRole {
+    Bootstrap,
+    ControlPlane,
+    Worker,
+    Storage,
+}

harmony/src/domain/inventory/repository.rs

@@ -0,0 +1,38 @@
+use async_trait::async_trait;
+
+use crate::{hardware::PhysicalHost, interpret::InterpretError, inventory::HostRole};
+
+/// Errors that can occur within the repository layer.
+#[derive(thiserror::Error, Debug)]
+pub enum RepoError {
+    #[error("Database query failed: {0}")]
+    QueryFailed(String),
+    #[error("Data serialization failed: {0}")]
+    Serialization(String),
+    #[error("Data deserialization failed: {0}")]
+    Deserialization(String),
+    #[error("Could not connect to the database: {0}")]
+    ConnectionFailed(String),
+}
+
+impl From<RepoError> for InterpretError {
+    fn from(value: RepoError) -> Self {
+        InterpretError::new(format!("Interpret error : {value}"))
+    }
+}
+
+// --- Trait and Implementation ---
+
+/// Defines the contract for inventory persistence.
+#[async_trait]
+pub trait InventoryRepository: Send + Sync + 'static {
+    async fn save(&self, host: &PhysicalHost) -> Result<(), RepoError>;
+    async fn get_latest_by_id(&self, host_id: &str) -> Result<Option<PhysicalHost>, RepoError>;
+    async fn get_all_hosts(&self) -> Result<Vec<PhysicalHost>, RepoError>;
+    async fn get_host_for_role(&self, role: &HostRole) -> Result<Vec<PhysicalHost>, RepoError>;
+    async fn save_role_mapping(
+        &self,
+        role: &HostRole,
+        host: &PhysicalHost,
+    ) -> Result<(), RepoError>;
+}

harmony/src/domain/maestro/mod.rs

@@ -74,6 +74,7 @@ impl<T: Topology> Maestro<T> {
 
     fn is_topology_initialized(&self) -> bool {
         self.topology_state.status == TopologyStatus::Success
+            || self.topology_state.status == TopologyStatus::Noop
     }
 
     pub async fn interpret(&self, score: Box<dyn Score<T>>) -> Result<Outcome, InterpretError> {

harmony/src/domain/score.rs

@@ -1,3 +1,4 @@
+use harmony_types::id::Id;
 use std::collections::BTreeMap;
 
 use async_trait::async_trait;
@@ -5,7 +6,6 @@ use serde::Serialize;
 use serde_value::Value;
 
 use super::{
-    data::Id,
     instrumentation::{self, HarmonyEvent},
     interpret::{Interpret, InterpretError, Outcome},
     inventory::Inventory,

harmony/src/domain/topology/ha_cluster.rs

@@ -1,9 +1,13 @@
 use async_trait::async_trait;
 use harmony_macros::ip;
 use harmony_types::net::MacAddress;
+use harmony_types::net::Url;
+use log::debug;
 use log::info;
 
+use crate::data::FileContent;
 use crate::executors::ExecutorError;
+use crate::topology::PxeOptions;
 
 use super::DHCPStaticEntry;
 use super::DhcpServer;
@@ -23,7 +27,6 @@ use super::Router;
 use super::TftpServer;
 
 use super::Topology;
-use super::Url;
 use super::k8s::K8sClient;
 use std::sync::Arc;
 
@@ -49,9 +52,10 @@ impl Topology for HAClusterTopology {
         "HAClusterTopology"
     }
     async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
-        todo!(
+        debug!(
             "ensure_ready, not entirely sure what it should do here, probably something like verify that the hosts are reachable and all services are up and ready."
-        )
+        );
+        Ok(PreparationOutcome::Noop)
     }
 }
 
@@ -65,6 +69,26 @@ impl K8sclient for HAClusterTopology {
 }
 
 impl HAClusterTopology {
+    // TODO this is a hack to avoid refactoring
+    pub fn get_cluster_name(&self) -> String {
+        self.domain_name
+            .split(".")
+            .next()
+            .expect("Cluster domain name must not be empty")
+            .to_string()
+    }
+
+    pub fn get_cluster_base_domain(&self) -> String {
+        let base_domain = self
+            .domain_name
+            .strip_prefix(&self.get_cluster_name())
+            .expect("cluster domain must start with cluster name");
+        base_domain
+            .strip_prefix(".")
+            .unwrap_or(base_domain)
+            .to_string()
+    }
+
     pub fn autoload() -> Self {
         let dummy_infra = Arc::new(DummyInfra {});
         let dummy_host = LogicalHost {
@@ -153,12 +177,18 @@ impl DhcpServer for HAClusterTopology {
     async fn list_static_mappings(&self) -> Vec<(MacAddress, IpAddress)> {
         self.dhcp_server.list_static_mappings().await
     }
-    async fn set_next_server(&self, ip: IpAddress) -> Result<(), ExecutorError> {
-        self.dhcp_server.set_next_server(ip).await
+    async fn set_pxe_options(&self, options: PxeOptions) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_pxe_options(options).await
     }
-    async fn set_boot_filename(&self, boot_filename: &str) -> Result<(), ExecutorError> {
-        self.dhcp_server.set_boot_filename(boot_filename).await
+
+    async fn set_dhcp_range(
+        &self,
+        start: &IpAddress,
+        end: &IpAddress,
+    ) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_dhcp_range(start, end).await
     }
+
     fn get_ip(&self) -> IpAddress {
         self.dhcp_server.get_ip()
     }
@@ -168,16 +198,6 @@ impl DhcpServer for HAClusterTopology {
     async fn commit_config(&self) -> Result<(), ExecutorError> {
         self.dhcp_server.commit_config().await
     }
-
-    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError> {
-        self.dhcp_server.set_filename(filename).await
-    }
-    async fn set_filename64(&self, filename64: &str) -> Result<(), ExecutorError> {
-        self.dhcp_server.set_filename64(filename64).await
-    }
-    async fn set_filenameipxe(&self, filenameipxe: &str) -> Result<(), ExecutorError> {
-        self.dhcp_server.set_filenameipxe(filenameipxe).await
-    }
 }
 
 #[async_trait]
@@ -217,21 +237,29 @@ impl Router for HAClusterTopology {
 
 #[async_trait]
 impl HttpServer for HAClusterTopology {
-    async fn serve_files(&self, url: &Url) -> Result<(), ExecutorError> {
-        self.http_server.serve_files(url).await
+    async fn serve_files(
+        &self,
+        url: &Url,
+        remote_path: &Option<String>,
+    ) -> Result<(), ExecutorError> {
+        self.http_server.serve_files(url, remote_path).await
+    }
+
+    async fn serve_file_content(&self, file: &FileContent) -> Result<(), ExecutorError> {
+        self.http_server.serve_file_content(file).await
     }
 
     fn get_ip(&self) -> IpAddress {
-        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+        self.http_server.get_ip()
     }
     async fn ensure_initialized(&self) -> Result<(), ExecutorError> {
-        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+        self.http_server.ensure_initialized().await
     }
     async fn commit_config(&self) -> Result<(), ExecutorError> {
-        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+        self.http_server.commit_config().await
     }
     async fn reload_restart(&self) -> Result<(), ExecutorError> {
-        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+        self.http_server.reload_restart().await
     }
 }
 
@@ -241,7 +269,7 @@ pub struct DummyInfra;
 #[async_trait]
 impl Topology for DummyInfra {
     fn name(&self) -> &str {
-        todo!()
+        "DummyInfra"
     }
 
     async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
@@ -299,19 +327,14 @@ impl DhcpServer for DummyInfra {
     async fn list_static_mappings(&self) -> Vec<(MacAddress, IpAddress)> {
         unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
     }
-    async fn set_next_server(&self, _ip: IpAddress) -> Result<(), ExecutorError> {
+    async fn set_pxe_options(&self, _options: PxeOptions) -> Result<(), ExecutorError> {
         unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
     }
-    async fn set_boot_filename(&self, _boot_filename: &str) -> Result<(), ExecutorError> {
-        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
-    }
-    async fn set_filename(&self, _filename: &str) -> Result<(), ExecutorError> {
-        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
-    }
-    async fn set_filename64(&self, _filename: &str) -> Result<(), ExecutorError> {
-        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
-    }
-    async fn set_filenameipxe(&self, _filenameipxe: &str) -> Result<(), ExecutorError> {
+    async fn set_dhcp_range(
+        &self,
+        start: &IpAddress,
+        end: &IpAddress,
+    ) -> Result<(), ExecutorError> {
         unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
     }
     fn get_ip(&self) -> IpAddress {
@@ -378,7 +401,14 @@ impl TftpServer for DummyInfra {
 
 #[async_trait]
 impl HttpServer for DummyInfra {
-    async fn serve_files(&self, _url: &Url) -> Result<(), ExecutorError> {
+    async fn serve_files(
+        &self,
+        _url: &Url,
+        _remote_path: &Option<String>,
+    ) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+    async fn serve_file_content(&self, _file: &FileContent) -> Result<(), ExecutorError> {
         unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
     }
     fn get_ip(&self) -> IpAddress {

harmony/src/domain/topology/http.rs

@@ -1,11 +1,16 @@
-use crate::executors::ExecutorError;
+use crate::{data::FileContent, executors::ExecutorError};
 use async_trait::async_trait;
 
-use super::{IpAddress, Url};
-
+use harmony_types::net::IpAddress;
+use harmony_types::net::Url;
 #[async_trait]
 pub trait HttpServer: Send + Sync {
-    async fn serve_files(&self, url: &Url) -> Result<(), ExecutorError>;
+    async fn serve_files(
+        &self,
+        url: &Url,
+        remote_path: &Option<String>,
+    ) -> Result<(), ExecutorError>;
+    async fn serve_file_content(&self, file: &FileContent) -> Result<(), ExecutorError>;
     fn get_ip(&self) -> IpAddress;
 
     // async fn set_ip(&self, ip: IpAddress) -> Result<(), ExecutorError>;

harmony/src/domain/topology/ingress.rs

@@ -0,0 +1,7 @@
+use crate::topology::PreparationError;
+use async_trait::async_trait;
+
+#[async_trait]
+pub trait Ingress {
+    async fn get_domain(&self, service: &str) -> Result<String, PreparationError>;
+}

harmony/src/domain/topology/k8s.rs

@@ -17,7 +17,7 @@ use kube::{
 };
 use log::{debug, error, trace};
 use serde::{Serialize, de::DeserializeOwned};
-use serde_json::json;
+use serde_json::{Value, json};
 use similar::TextDiff;
 use tokio::io::AsyncReadExt;
 
@@ -53,6 +53,21 @@ impl K8sClient {
         })
     }
 
+    pub async fn get_resource_json_value(
+        &self,
+        name: &str,
+        namespace: Option<&str>,
+        gvk: &GroupVersionKind,
+    ) -> Result<DynamicObject, Error> {
+        let gvk = ApiResource::from_gvk(gvk);
+        let resource: Api<DynamicObject> = if let Some(ns) = namespace {
+            Api::namespaced_with(self.client.clone(), ns, &gvk)
+        } else {
+            Api::default_namespaced_with(self.client.clone(), &gvk)
+        };
+        Ok(resource.get(name).await?)
+    }
+
     pub async fn get_deployment(
         &self,
         name: &str,
@@ -185,7 +200,10 @@ impl K8sClient {
                 if let Some(s) = status.status {
                     let mut stdout_buf = String::new();
                     if let Some(mut stdout) = process.stdout().take() {
-                        stdout.read_to_string(&mut stdout_buf).await;
+                        stdout
+                            .read_to_string(&mut stdout_buf)
+                            .await
+                            .map_err(|e| format!("Failed to get status stdout {e}"))?;
                     }
                     debug!("Status: {} - {:?}", s, status.details);
                     if s == "Success" {

harmony/src/domain/topology/k8s_anywhere.rs

@@ -1,6 +1,7 @@
 use std::{process::Command, sync::Arc};
 
 use async_trait::async_trait;
+use kube::api::GroupVersionKind;
 use log::{debug, info, warn};
 use serde::Serialize;
 use tokio::sync::OnceCell;
@@ -14,13 +15,15 @@ use crate::{
         monitoring::kube_prometheus::crd::{
             crd_alertmanager_config::CRDPrometheus,
             prometheus_operator::prometheus_operator_helm_chart_score,
+            rhob_alertmanager_config::RHOBObservability,
         },
         prometheus::{
             k8s_prometheus_alerting_score::K8sPrometheusCRDAlertingScore,
-            prometheus::PrometheusApplicationMonitoring,
+            prometheus::PrometheusApplicationMonitoring, rhob_alerting_score::RHOBAlertingScore,
         },
     },
     score::Score,
+    topology::ingress::Ingress,
 };
 
 use super::{
@@ -108,6 +111,43 @@ impl PrometheusApplicationMonitoring<CRDPrometheus> for K8sAnywhereTopology {
     }
 }
 
+#[async_trait]
+impl PrometheusApplicationMonitoring<RHOBObservability> for K8sAnywhereTopology {
+    async fn install_prometheus(
+        &self,
+        sender: &RHOBObservability,
+        inventory: &Inventory,
+        receivers: Option<Vec<Box<dyn AlertReceiver<RHOBObservability>>>>,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let po_result = self.ensure_cluster_observability_operator(sender).await?;
+
+        if po_result == PreparationOutcome::Noop {
+            debug!("Skipping Prometheus CR installation due to missing operator.");
+            return Ok(po_result);
+        }
+
+        let result = self
+            .get_cluster_observability_operator_prometheus_application_score(
+                sender.clone(),
+                receivers,
+            )
+            .await
+            .interpret(inventory, self)
+            .await;
+
+        match result {
+            Ok(outcome) => match outcome.status {
+                InterpretStatus::SUCCESS => Ok(PreparationOutcome::Success {
+                    details: outcome.message,
+                }),
+                InterpretStatus::NOOP => Ok(PreparationOutcome::Noop),
+                _ => Err(PreparationError::new(outcome.message)),
+            },
+            Err(err) => Err(PreparationError::new(err.to_string())),
+        }
+    }
+}
+
 impl Serialize for K8sAnywhereTopology {
     fn serialize<S>(&self, _serializer: S) -> Result<S::Ok, S::Error>
     where
@@ -134,6 +174,19 @@ impl K8sAnywhereTopology {
         }
     }
 
+    async fn get_cluster_observability_operator_prometheus_application_score(
+        &self,
+        sender: RHOBObservability,
+        receivers: Option<Vec<Box<dyn AlertReceiver<RHOBObservability>>>>,
+    ) -> RHOBAlertingScore {
+        RHOBAlertingScore {
+            sender,
+            receivers: receivers.unwrap_or_default(),
+            service_monitors: vec![],
+            prometheus_rules: vec![],
+        }
+    }
+
     async fn get_k8s_prometheus_application_score(
         &self,
         sender: CRDPrometheus,
@@ -147,6 +200,26 @@ impl K8sAnywhereTopology {
         }
     }
 
+    async fn openshift_ingress_operator_available(&self) -> Result<(), PreparationError> {
+        let client = self.k8s_client().await?;
+        let gvk = GroupVersionKind {
+            group: "operator.openshift.io".into(),
+            version: "v1".into(),
+            kind: "IngressController".into(),
+        };
+        let ic = client
+            .get_resource_json_value("default", Some("openshift-ingress-operator"), &gvk)
+            .await?;
+        let ready_replicas = ic.data["status"]["availableReplicas"].as_i64().unwrap_or(0);
+        if ready_replicas >= 1 {
+            return Ok(());
+        } else {
+            return Err(PreparationError::new(
+                "openshift-ingress-operator not available".to_string(),
+            ));
+        }
+    }
+
     fn is_helm_available(&self) -> Result<(), String> {
         let version_result = Command::new("helm")
             .arg("version")
@@ -286,6 +359,62 @@ impl K8sAnywhereTopology {
         }
     }
 
+    async fn ensure_cluster_observability_operator(
+        &self,
+        sender: &RHOBObservability,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let status = Command::new("sh")
+            .args(["-c", "kubectl get crd -A | grep -i rhobs"])
+            .status()
+            .map_err(|e| PreparationError::new(format!("could not connect to cluster: {}", e)))?;
+
+        if !status.success() {
+            if let Some(Some(k8s_state)) = self.k8s_state.get() {
+                match k8s_state.source {
+                    K8sSource::LocalK3d => {
+                        warn!("Installing observability operator is not supported on LocalK3d source");
+                        return Ok(PreparationOutcome::Noop);
+                        debug!("installing cluster observability operator");
+                        todo!();
+                        let op_score =
+                            prometheus_operator_helm_chart_score(sender.namespace.clone());
+                        let result = op_score.interpret(&Inventory::empty(), self).await;
+
+                        return match result {
+                            Ok(outcome) => match outcome.status {
+                                InterpretStatus::SUCCESS => Ok(PreparationOutcome::Success {
+                                    details: "installed cluster observability operator".into(),
+                                }),
+                                InterpretStatus::NOOP => Ok(PreparationOutcome::Noop),
+                                _ => Err(PreparationError::new(
+                                    "failed to install cluster observability operator (unknown error)".into(),
+                                )),
+                            },
+                            Err(err) => Err(PreparationError::new(err.to_string())),
+                        };
+                    }
+                    K8sSource::Kubeconfig => {
+                        debug!(
+                            "unable to install cluster observability operator, contact cluster admin"
+                        );
+                        return Ok(PreparationOutcome::Noop);
+                    }
+                }
+            } else {
+                warn!(
+                    "Unable to detect k8s_state. Skipping Cluster Observability Operator install."
+                );
+                return Ok(PreparationOutcome::Noop);
+            }
+        }
+
+        debug!("Cluster Observability Operator is already present, skipping install");
+
+        Ok(PreparationOutcome::Success {
+            details: "cluster observability operator present in cluster".into(),
+        })
+    }
+
     async fn ensure_prometheus_operator(
         &self,
         sender: &CRDPrometheus,
@@ -423,7 +552,7 @@ impl MultiTargetTopology for K8sAnywhereTopology {
         match self.config.harmony_profile.to_lowercase().as_str() {
             "staging" => DeploymentTarget::Staging,
             "production" => DeploymentTarget::Production,
-            _ => todo!("HARMONY_PROFILE must be set when use_local_k3d is not set"),
+            _ => todo!("HARMONY_PROFILE must be set when use_local_k3d is false"),
         }
     }
 }
@@ -445,3 +574,45 @@ impl TenantManager for K8sAnywhereTopology {
             .await
     }
 }
+
+#[async_trait]
+impl Ingress for K8sAnywhereTopology {
+    //TODO this is specifically for openshift/okd which violates the k8sanywhere idea
+    async fn get_domain(&self, service: &str) -> Result<String, PreparationError> {
+        let client = self.k8s_client().await?;
+
+        if let Some(Some(k8s_state)) = self.k8s_state.get() {
+            match k8s_state.source {
+                K8sSource::LocalK3d => Ok(format!("{service}.local.k3d")),
+                K8sSource::Kubeconfig => {
+                    self.openshift_ingress_operator_available().await?;
+
+                    let gvk = GroupVersionKind {
+                        group: "operator.openshift.io".into(),
+                        version: "v1".into(),
+                        kind: "IngressController".into(),
+                    };
+                    let ic = client
+                        .get_resource_json_value(
+                            "default",
+                            Some("openshift-ingress-operator"),
+                            &gvk,
+                        )
+                        .await
+                        .map_err(|_| {
+                            PreparationError::new("Failed to fetch IngressController".to_string())
+                        })?;
+
+                    match ic.data["status"]["domain"].as_str() {
+                        Some(domain) => Ok(format!("{service}.{domain}")),
+                        None => Err(PreparationError::new("Could not find domain".to_string())),
+                    }
+                }
+            }
+        } else {
+            Err(PreparationError::new(
+                "Cannot get domain: unable to detect K8s state".to_string(),
+            ))
+        }
+    }
+}

harmony/src/domain/topology/load_balancer.rs

@@ -4,8 +4,9 @@ use async_trait::async_trait;
 use log::debug;
 use serde::Serialize;
 
-use super::{IpAddress, LogicalHost};
+use super::LogicalHost;
 use crate::executors::ExecutorError;
+use harmony_types::net::IpAddress;
 
 impl std::fmt::Debug for dyn LoadBalancer {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -101,8 +102,17 @@ pub enum HttpStatusCode {
     ServerError5xx,
 }
 
+#[derive(Debug, Clone, PartialEq, Serialize)]
+pub enum SSL {
+    SSL,
+    Disabled,
+    Default,
+    SNI,
+    Other(String),
+}
+
 #[derive(Debug, Clone, PartialEq, Serialize)]
 pub enum HealthCheck {
-    HTTP(String, HttpMethod, HttpStatusCode),
+    HTTP(String, HttpMethod, HttpStatusCode, SSL),
     TCP(Option<u16>),
 }

harmony/src/domain/topology/mod.rs

@@ -1,4 +1,6 @@
 mod ha_cluster;
+pub mod ingress;
+use harmony_types::net::IpAddress;
 mod host_binding;
 mod http;
 pub mod installable;
@@ -32,7 +34,6 @@ use super::{
     instrumentation::{self, HarmonyEvent},
 };
 use std::error::Error;
-use std::net::IpAddr;
 
 /// Represents a logical view of an infrastructure environment providing specific capabilities.
 ///
@@ -196,35 +197,6 @@ pub trait MultiTargetTopology: Topology {
     fn current_target(&self) -> DeploymentTarget;
 }
 
-pub type IpAddress = IpAddr;
-
-#[derive(Debug, Clone)]
-pub enum Url {
-    LocalFolder(String),
-    Url(url::Url),
-}
-
-impl Serialize for Url {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: serde::Serializer,
-    {
-        match self {
-            Url::LocalFolder(path) => serializer.serialize_str(path),
-            Url::Url(url) => serializer.serialize_str(url.as_str()),
-        }
-    }
-}
-
-impl std::fmt::Display for Url {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            Url::LocalFolder(path) => write!(f, "{}", path),
-            Url::Url(url) => write!(f, "{}", url),
-        }
-    }
-}
-
 /// Represents a logical member of a cluster that provides one or more services.
 ///
 /// A LogicalHost can represent various roles within the infrastructure, such as:
@@ -263,7 +235,8 @@ impl LogicalHost {
     ///
     /// ```
     /// use std::str::FromStr;
-    /// use harmony::topology::{IpAddress, LogicalHost};
+    /// use harmony::topology::{LogicalHost};
+    /// use harmony_types::net::IpAddress;
     ///
     /// let start_ip = IpAddress::from_str("192.168.0.20").unwrap();
     /// let hosts = LogicalHost::create_hosts(3, start_ip, "worker");
@@ -319,7 +292,7 @@ fn increment_ip(ip: IpAddress, increment: u32) -> Option<IpAddress> {
 
 #[cfg(test)]
 mod tests {
-    use super::*;
+    use harmony_types::net::Url;
     use serde_json;
 
     #[test]

harmony/src/domain/topology/network.rs

@@ -1,25 +1,31 @@
 use std::{net::Ipv4Addr, str::FromStr, sync::Arc};
 
 use async_trait::async_trait;
-use harmony_types::net::MacAddress;
+use harmony_types::net::{IpAddress, MacAddress};
 use serde::Serialize;
 
 use crate::executors::ExecutorError;
 
-use super::{IpAddress, LogicalHost, k8s::K8sClient};
+use super::{LogicalHost, k8s::K8sClient};
 
 #[derive(Debug)]
 pub struct DHCPStaticEntry {
     pub name: String,
-    pub mac: MacAddress,
+    pub mac: Vec<MacAddress>,
     pub ip: Ipv4Addr,
 }
 
 impl std::fmt::Display for DHCPStaticEntry {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mac = self
+            .mac
+            .iter()
+            .map(|m| m.to_string())
+            .collect::<Vec<String>>()
+            .join(",");
         f.write_fmt(format_args!(
             "DHCPStaticEntry : name {}, mac {}, ip {}",
-            self.name, self.mac, self.ip
+            self.name, mac, self.ip
         ))
     }
 }
@@ -41,21 +47,27 @@ impl std::fmt::Debug for dyn Firewall {
 pub struct NetworkDomain {
     pub name: String,
 }
+
 #[async_trait]
 pub trait K8sclient: Send + Sync {
     async fn k8s_client(&self) -> Result<Arc<K8sClient>, String>;
 }
 
+pub struct PxeOptions {
+    pub ipxe_filename: String,
+    pub bios_filename: String,
+    pub efi_filename: String,
+    pub tftp_ip: Option<IpAddress>,
+}
+
 #[async_trait]
 pub trait DhcpServer: Send + Sync + std::fmt::Debug {
     async fn add_static_mapping(&self, entry: &DHCPStaticEntry) -> Result<(), ExecutorError>;
     async fn remove_static_mapping(&self, mac: &MacAddress) -> Result<(), ExecutorError>;
     async fn list_static_mappings(&self) -> Vec<(MacAddress, IpAddress)>;
-    async fn set_next_server(&self, ip: IpAddress) -> Result<(), ExecutorError>;
-    async fn set_boot_filename(&self, boot_filename: &str) -> Result<(), ExecutorError>;
-    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError>;
-    async fn set_filename64(&self, filename64: &str) -> Result<(), ExecutorError>;
-    async fn set_filenameipxe(&self, filenameipxe: &str) -> Result<(), ExecutorError>;
+    async fn set_pxe_options(&self, pxe_options: PxeOptions) -> Result<(), ExecutorError>;
+    async fn set_dhcp_range(&self, start: &IpAddress, end: &IpAddress)
+    -> Result<(), ExecutorError>;
     fn get_ip(&self) -> IpAddress;
     fn get_host(&self) -> LogicalHost;
     async fn commit_config(&self) -> Result<(), ExecutorError>;

harmony/src/domain/topology/oberservability/monitoring.rs

@@ -4,11 +4,12 @@ use async_trait::async_trait;
 use log::debug;
 
 use crate::{
-    data::{Id, Version},
+    data::Version,
     interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
     inventory::Inventory,
     topology::{Topology, installable::Installable},
 };
+use harmony_types::id::Id;
 
 #[async_trait]
 pub trait AlertSender: Send + Sync + std::fmt::Debug {