---
# Host firewall (nftables) behaviour knobs. Shared topology (firewall_catalog/
# firewall_zones) lives in group_vars/all, not here. See docs/decisions/020-firewall.md.
base__firewall_mgmt_interface: wt0 # SSH accepted only on this iface (NetBird, ADR-016)
base__firewall_control_addr: "" # control-node LAN address (ubongo); SSH allowed from it
# as the guaranteed-management-plane `ssh-from-control`
# source (ADR-021). Empty = no rule. Set in group_vars
# once ubongo exists.
# Port used by the SSH accept rules. NOTE(review): presumably has to match the
# port sshd actually listens on, or a firewall apply cuts off management — confirm.
base__firewall_ssh_port: 22
# NOTE(review): base__firewall_confirm_timeout presumably has to fit inside this
# window, otherwise the auto-revert would fire before a good apply is confirmed —
# check the role tasks before changing one without the other.
base__firewall_rollback_timeout: 45 # seconds before the auto-revert fires on a bad apply
base__firewall_confirm_timeout: 20 # seconds to re-establish a fresh connection post-apply
# Directory for nftables drop-in files. NOTE(review): whatever is loaded from
# here becomes firewall policy, so it should be root-owned and not writable by
# other users — confirm the role sets owner/mode on it.
base__firewall_dropin_dir: /etc/nftables.d
base__firewall_apply: true # set false to render+validate without applying (CI/Molecule)
# SSH hardening + fail2ban (ADR-002) — `hardening` concern.
# Keep the quotes: a bare `no` is read as boolean false by YAML 1.1 loaders,
# not as the literal string. NOTE(review): presumably rendered as sshd's
# PasswordAuthentication, leaving key-based login only — confirm in the template.
base__ssh_password_authentication: "no"
# Keep the quotes (a bare `no` would load as boolean false under YAML 1.1).
# NOTE(review): presumably rendered as sshd's PermitRootLogin — confirm in the template.
base__ssh_permit_root_login: "no"
# NOTE(review): assuming the three base__fail2ban_* values map 1:1 onto
# fail2ban's maxretry/findtime/bantime, the defaults in this file mean 5 failures
# within 10m trigger a 1h ban — confirm in the jail template.
base__fail2ban_maxretry: 5
# Ban duration with a time suffix (h = hours). NOTE(review): presumably handed
# to fail2ban unchanged — confirm.
base__fail2ban_bantime: 1h
# Window in which failures count towards the ban threshold (m = minutes).
# NOTE(review): presumably handed to fail2ban unchanged — confirm.
base__fail2ban_findtime: 10m
# base__ssh_authorised_keys lives in group_vars/all/vars.yml (per-person control keys).