Boilerplate FastAPI & Dockerfile + NGINX

app/models/access_request.py

@@ -0,0 +1,13 @@
+from sqlalchemy import ForeignKey, String, DateTime
+from sqlalchemy.orm import Mapped, mapped_column
+from datetime import datetime, timezone
+from app.models.user import Base
+
+class AccessRequest(Base):
+    __tablename__ = "access_requests"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"))
+    server_id: Mapped[int] = mapped_column(ForeignKey("servers.id", ondelete="CASCADE"))
+    status: Mapped[str] = mapped_column(String(16), default="requested")  # requested|approved|denied|expired
+    expires_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
+    reason: Mapped[str | None] = mapped_column(String(512))

app/models/audit.py

@@ -0,0 +1,15 @@
+from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy import String, DateTime
+from datetime import datetime, timezone
+from app.models.user import Base
+
+class AuditEvent(Base):
+    __tablename__ = "audit_events"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    ts: Mapped[datetime] = mapped_column(DateTime(timezone=True), default=lambda: datetime.now(tz=timezone.utc))
+    actor: Mapped[str] = mapped_column(String(254))     # email or system
+    action: Mapped[str] = mapped_column(String(64))     # "request.create", "key.add", etc.
+    object: Mapped[str] = mapped_column(String(64))     # "server:host123" / "user:42"
+    details: Mapped[str] = mapped_column(String(1024))  # summary (keep short)
+    prev_hash: Mapped[str | None] = mapped_column(String(128))
+    curr_hash: Mapped[str | None] = mapped_column(String(128))

app/models/server.py

@@ -0,0 +1,11 @@
+from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy import String, JSON, Boolean, Integer
+from app.models.user import Base
+
+class Server(Base):
+    __tablename__ = "servers"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    hostname: Mapped[str] = mapped_column(String(255), unique=True, index=True)
+    tags: Mapped[dict] = mapped_column(JSON, default=dict)  # e.g. {"env":"prod","group":"db"}
+    managed: Mapped[bool] = mapped_column(Boolean, default=True)
+    version: Mapped[int] = mapped_column(Integer, default=0)  # bump to trigger agent reconcile

app/models/sshkey.py

@@ -0,0 +1,14 @@
+from sqlalchemy import ForeignKey, String, DateTime, Boolean
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from datetime import datetime, timezone
+from app.models.user import Base
+
+class SSHKey(Base):
+    __tablename__ = "ssh_keys"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"))
+    name: Mapped[str] = mapped_column(String(80))
+    public_key: Mapped[str] = mapped_column(String(4096))
+    algo: Mapped[str] = mapped_column(String(32))
+    expires_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
+    is_active: Mapped[bool] = mapped_column(Boolean, default=True)

app/models/user.py

@@ -0,0 +1,13 @@
+from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy import String, Boolean
+from app.db.session import engine  # only for Alembic discovery, not used here
+from sqlalchemy.orm import declarative_base
+Base = declarative_base()
+
+class User(Base):
+    __tablename__ = "users"
+    id: Mapped[int] = mapped_column(primary_key=True, index=True)
+    email: Mapped[str] = mapped_column(String(254), unique=True, index=True)
+    hashed_password: Mapped[str | None] = mapped_column(String(255))
+    role: Mapped[str] = mapped_column(String(32), default="user")  # user|admin|auditor
+    is_active: Mapped[bool] = mapped_column(Boolean, default=True)