feat: initial setup for PVE security scanner VM

Scripts for deploying a hardened internal network security scanner on Proxmox VE:
- PVE-level firewall and VM creation
- System hardening (sysctl, auditd, AIDE)
- nftables firewall with dynamic IP blocking
- SSH hardening with fail2ban
- Security tools (OpenVAS, Nmap, Nuclei, httpx, Nikto, testssl, NetExec)
- Monitoring, logging, and Docker autostart

pve/create-vm.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# =============================================================================
+# PVE Security Scanner VM - Creation Script
+# Run this on the Proxmox host
+# =============================================================================
+set -euo pipefail
+
+# --- Configuration (modify these) ---
+VMID=200
+VM_NAME="security-scanner"
+STORAGE="local-lvm"          # PVE storage pool
+ISO_PATH="local:iso/debian-12-amd64-netinst.iso"  # Debian 12 ISO
+BRIDGE="vmbr0"               # Network bridge
+CORES=4
+MEMORY=8192                  # MB
+DISK_SIZE="80G"
+VLAN_TAG=""                  # Set VLAN tag if needed, e.g., "10"
+
+# --- Guard: check if VM already exists ---
+if qm status "${VMID}" &>/dev/null; then
+    echo "[!] VM ${VMID} already exists. Skipping creation."
+    exit 0
+fi
+
+# --- Create VM ---
+echo "[+] Creating VM ${VMID} (${VM_NAME})..."
+
+# VLAN_TAG conditional: appends ,tag=<N> only when VLAN_TAG is set
+qm create "${VMID}" \
+  --name "${VM_NAME}" \
+  --ostype l26 \
+  --cores "${CORES}" \
+  --memory "${MEMORY}" \
+  --cpu cputype=host \
+  --scsihw virtio-scsi-single \
+  --scsi0 "${STORAGE}:${DISK_SIZE}" \
+  --ide2 "${ISO_PATH},media=cdrom" \
+  --net0 "virtio,bridge=${BRIDGE}${VLAN_TAG:+,tag=${VLAN_TAG}}" \
+  --boot "order=ide2;scsi0" \
+  --agent enabled=1 \
+  --onboot 1 \
+  --protection 0 \
+  --description "Internal network security scanner. Restricted network access."
+
+echo "[+] VM ${VMID} created successfully."
+echo "[+] Start the VM and install Debian 12, then run the vm/ scripts."
+echo ""
+echo "    qm start ${VMID}"