story(boot-server): implement cloud-init configuration endpoint

[Zaba505]

Description

Implement HTTP endpoint for serving machine-specific cloud-init configuration to bare metal servers during boot. This endpoint is called by the booting OS (referenced in the iPXE script or kernel command line) to retrieve configuration for user creation, SSH keys, hostname, network settings, and post-boot scripts.

The endpoint performs template variable substitution using machine metadata from Firestore to generate personalized cloud-init configurations.

Acceptance Criteria

• Endpoint created in services/boot-server/endpoint/cloudinit.go:
  • GET /cloud-init/{machine_id} or GET /cloud-init?mac={mac}
  • Alternative: GET /user-data/{machine_id} (cloud-init user-data convention)
• Implements OpenAPI-first handler pattern (z5labs/humus):
  • Request/response schemas defined via OpenAPI
  • Content-Type: text/cloud-config or text/yaml
• Path/query parameter handling:
  • Accept machine ID or MAC address for lookup
  • Validate and normalize MAC address format if used
  • Returns HTTP 400 Bad Request if invalid identifier
• Firestore integration:
  • Query machine mapping by ID or MAC
  • Retrieve associated profile (if profile_id is set)
  • Load cloud-init template from profile or machine-specific override
  • Returns HTTP 404 Not Found if machine not found
• Template rendering:
  • Parse cloud-init template (YAML with Go template syntax)
  • Inject machine-specific variables:
    • {{ .Hostname }} - Machine hostname
    • {{ .MAC }} - MAC address
    • {{ .SSHKeys }} - Authorized SSH keys
    • {{ .Metadata }} - Additional metadata key-value pairs
  • Render final cloud-init YAML
  • Validate rendered YAML syntax before returning
• Cloud-init format support:
  • Support #cloud-config format
  • Support multipart MIME (optional, for advanced use cases)
  • Include cloud-init header: #cloud-config
• Source IP validation (security):
  • Validate request originates from WireGuard VPN subnet
  • Returns HTTP 403 Forbidden if outside allowed IP ranges
• Response headers:
  • Content-Type: text/cloud-config or text/yaml
  • Cache-Control: no-cache (prevent stale configs)
• OpenTelemetry instrumentation:
  • Log cloud-init requests with machine_id, hostname
  • Metrics: request count, template rendering latency, success/failure rate
  • Trace context propagation
• Error handling:
  • Proper HTTP status codes (400, 403, 404, 500)
  • Structured error responses
  • Handle template rendering errors gracefully
  • Logging with context
• Unit tests:
  • Test machine lookup by ID and MAC
  • Test template variable substitution
  • Test YAML validation
  • Test error cases (missing machine, invalid template)
  • Mock Firestore client

Related Issues

Implements ADR-0005 - Network Boot Infrastructure Implementation on Google Cloud

Depends on #605 (API documentation)
Depends on #611 (boot server scaffold)
Depends on #609 (Firestore module)
Related to #612 (UEFI boot endpoint references cloud-init URL in iPXE script)
Related to #615 (machine mappings contain metadata for templating)
Related to #616 (profiles contain cloud-init templates)
Related to #601