boma/roles/base/README.md

# base
Hardened baseline applied to every boma host. Built incrementally; the first concern
implemented is the **host firewall** (`firewall` tag).
## Firewall (nftables)
Default-deny inbound + east-west allowlisting + permissive egress, per ADR-020. Rules
are rendered from the shared `firewall_catalog` / `firewall_zones` (in `group_vars/all`)
by the `resolve_firewall_rules` filter, written to `/etc/nftables.conf`, syntax-checked
with `nft -c` at render time, and applied with an **auto-rollback safety net**
(`systemd-run` arms a revert that a follow-up task cancels once connectivity is
confirmed). The apply sequence lives in tasks rather than a handler so the confirm/cancel
step is controllable.

`/etc/nftables.d/*.nft` is `include`d by the ruleset — the extension hook the
`docker_host` role uses for container forward/NAT rules.
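The render, `nft -c` check and apply-with-auto-rollback sequence described above, as an added POSIX sh example. This is not the role's own code (the role does this in Ansible tasks and the `resolve_firewall_rules` filter); the variable names, the `nftables-revert` unit name, the 90 s rollback window and the connectivity-check command are assumptions, while the ruleset shape follows the README's policy (default-deny inbound, SSH only on the management interface, permissive egress, top-level include of `/etc/nftables.d/*.nft`).

```shell
#!/bin/sh
# Added example, not the boma role's tasks: render a baseline ruleset, check it
# with nft -c, snapshot the live ruleset, arm a transient systemd timer that
# restores the snapshot, apply, then cancel the timer once a check succeeds.
# Assumed placeholders: every variable below, the unit name and the 90 s window.
set -eu

NFT=${NFT:-nft}
SYSTEMD_RUN=${SYSTEMD_RUN:-systemd-run}
SYSTEMCTL=${SYSTEMCTL:-systemctl}
REVERT_UNIT=${REVERT_UNIT:-nftables-revert}
ROLLBACK_SECS=${ROLLBACK_SECS:-90}
BACKUP=${BACKUP:-/run/nftables.rollback.nft}

# render_baseline MGMT_IF [EXTRA_INPUT_RULES]
# Default-deny inbound, permissive egress. SSH is accepted only on the management
# interface; east-west allowlist entries (resolved elsewhere) are passed in as
# pre-rendered nft statements and land in the input chain.
render_baseline() {
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept
    iifname "$1" tcp dport 22 accept
${2:-}
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
# Extension hook: files here may add their own tables or append rules to the
# chains above (re-declaring an existing table/chain in nft is additive).
include "/etc/nftables.d/*.nft"
EOF
}

# Snapshot the live ruleset (with a leading flush so it restores cleanly) and
# schedule a transient timer that reloads it unless cancel_rollback runs first.
arm_rollback() {
  { echo 'flush ruleset'; "$NFT" list ruleset; } > "$BACKUP"
  "$SYSTEMD_RUN" --quiet --unit="$REVERT_UNIT" --on-active="$ROLLBACK_SECS" \
    "$NFT" -f "$BACKUP"
}

# Stopping a transient timer removes it; the snapshot is no longer needed.
cancel_rollback() {
  "$SYSTEMCTL" stop "$REVERT_UNIT.timer" >/dev/null 2>&1 || true
  rm -f "$BACKUP"
}

# apply_with_rollback RULESET_FILE CHECK_CMD
# Returns 0 when the ruleset is live and CHECK_CMD (for example a TCP probe back
# to the control host over the management interface) succeeds. Otherwise the
# snapshot is restored immediately and 1 is returned; if that restore itself
# fails, set -e aborts before cancel_rollback and the armed timer still fires.
apply_with_rollback() {
  "$NFT" -c -f "$1"          # syntax/semantic check, kernel untouched
  arm_rollback
  "$NFT" -f "$1"
  if $2; then
    cancel_rollback
    return 0
  fi
  "$NFT" -f "$BACKUP"        # revert now rather than wait for the timer
  cancel_rollback
  return 1
}

# Usage: sh apply-firewall.sh /etc/nftables.conf 'nc -z -w 3 CONTROL_HOST 22'
if [ $# -eq 2 ]; then
  apply_with_rollback "$1" "$2"
fi
```

The check command should probe over the management interface specifically, since that is the path an operator loses when the SSH rule is wrong; a check that succeeds over some other interface would cancel the timer while leaving the host unreachable in practice.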
### Variables
See `defaults/main.yml` (`base__firewall_*`). SSH is accepted only on
`base__firewall_mgmt_interface` (default `wt0`, the NetBird overlay — ADR-016); set it to
a reachable interface/source until NetBird is built. Set `base__firewall_apply: false` to
render + validate without applying (used by Molecule).
### Testing
- `tests/test_firewall_rules.py` — pytest units for the resolver.
- `make test ROLE=base` — Molecule renders + `nft -c` syntax-checks (never applies; it
shares the host kernel). Enforcement + the apply/rollback path are verified at ADR-008
Level 2 on staging VMs.