feat: TypeScript bastion rewrite (initial scaffold)

Full rewrite of the bash bastion.sh into a TypeScript application:
- Fastify HTTP server with typed routes (dispatch, kickstart, API)
- Commander CLI (serve, install, list, reprovision)
- Kickstart templates as TypeScript template literals (no more heredoc hell)
- dnsmasq management via execa subprocess
- Merged machine list view (hardware + install info in one table)
- Containerized via podman-compose (Dockerfile + docker-compose.yml)
- All partition logic preserved (LVM, reprovision detection, role-based)

Not yet tested end-to-end — needs VM validation before replacing bash version.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

bastion/stack/.env.example

@@ -0,0 +1,33 @@
+# Lab PXE Bastion -- Environment Configuration
+#
+# Copy this file to .env and adjust as needed.
+
+# Fedora version to install
+FEDORA_VERSION=43
+
+# Target architecture
+ARCH=x86_64
+
+# HTTP server port
+HTTP_PORT=8080
+
+# System locale and timezone for installed machines
+TIMEZONE=Europe/London
+LOCALE=en_GB.UTF-8
+
+# Data directory (inside container)
+BASTION_DIR=/data
+
+# Internal domain for hostnames (e.g., node1.ad.itaz.eu)
+DOMAIN=ad.itaz.eu
+
+# DHCP mode: "proxy" works alongside existing DHCP (e.g., UniFi)
+#             "full" means bastion is the only DHCP server
+DHCP_MODE=proxy
+
+# Only used in full DHCP mode -- auto-derived from network if empty
+DHCP_RANGE_START=
+DHCP_RANGE_END=
+
+# Path to SSH keys directory on host (mounted read-only)
+SSH_KEY_PATH=~/.ssh

bastion/stack/Dockerfile

@@ -0,0 +1,37 @@
+FROM fedora:43
+
+# Install system dependencies
+RUN dnf install -y \
+    dnsmasq \
+    ipxe-bootimgs-x86 \
+    ipxe-bootimgs-aarch64 \
+    curl \
+    openssh-clients \
+    && dnf clean all
+
+# Install Node.js 22
+RUN dnf install -y nodejs npm && dnf clean all
+RUN npm install -g pnpm@9
+
+# Create app directory
+WORKDIR /app
+
+# Copy package files and install dependencies
+COPY package.json pnpm-lock.yaml* ./
+RUN pnpm install --frozen-lockfile 2>/dev/null || pnpm install
+
+# Copy built application
+COPY dist/ ./dist/
+
+# Create data directories
+RUN mkdir -p /data/state /data/tftp /data/http
+
+ENV BASTION_DIR=/data
+ENV HTTP_PORT=8080
+
+EXPOSE 8080/tcp
+EXPOSE 67/udp
+EXPOSE 69/udp
+EXPOSE 4011/udp
+
+ENTRYPOINT ["node", "dist/cli/index.js", "serve"]

bastion/stack/docker-compose.yml

@@ -0,0 +1,21 @@
+services:
+  bastion:
+    build:
+      context: ..
+      dockerfile: stack/Dockerfile
+    network_mode: host
+    restart: unless-stopped
+    env_file: .env
+    volumes:
+      - bastion-state:/data/state
+      - bastion-tftp:/data/tftp
+      - bastion-http:/data/http
+      - ${SSH_KEY_PATH:-~/.ssh}:/root/.ssh:ro
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+
+volumes:
+  bastion-state:
+  bastion-tftp:
+  bastion-http: