boma/roles/base/molecule/default/converge.yml

---
- name: Converge
  hosts: all
  become: true
  gather_facts: true
  vars:
    base__firewall_apply: false
    base__firewall_control_addr: 10.10.0.99   # test control-node LAN address
    base__firewall_admin_addrs:
      - "10.30.0.77"   # fixture: an operator-workstation LAN source (admin-addr SSH allow)
    # Exercise the mesh concern's include path with the live actions gated off, so it
    # runs hermetically (no coordinator/key needed) and must be a clean no-op.
    base__mesh_enabled: true
    base__mesh_manage: false
    base__mesh_setup_key: "dummy-molecule-key"
    base__mesh_coordinator_pin: "203.0.113.9"   # fixture IP (TEST-NET-3); pins FQDN from base__mesh_management_url
    base__ssh_listen_mesh_only: true
    base__ssh_listen_addr: "100.99.0.1"   # fixture mesh IP (no wt0 in the container)
    firewall_zones:
      lan: 10.30.0.0/24
      srv: 10.20.0.0/24
      mgmt: 10.10.0.0/24
      public: 0.0.0.0/0
    firewall_catalog:
      reverse_proxy:
        host: instance
        ingress:
          - { from: lan, port: 443, proto: tcp }
      photoprism:
        host: instance
        ingress:
          - { from: srv, port: 2342, proto: tcp }
      netbird_stun:
        host: instance
        ingress:
          - { from: public, port: 3478, proto: udp }
  roles:
    - role: base
feat(base): scaffold role + meta/README (firewall concern incoming) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-06 18:48:35 +02:00			`---`
			`- name: Converge`
			`hosts: all`
feat(base): render nftables ruleset from catalog (+ molecule fixture) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-06 18:57:44 +02:00			`become: true`
feat(base): scaffold role + meta/README (firewall concern incoming) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-06 18:48:35 +02:00			`gather_facts: true`
feat(base): render nftables ruleset from catalog (+ molecule fixture) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-06 18:57:44 +02:00			`vars:`
			`base__firewall_apply: false`
feat(base): add ssh-from-control management-plane source (ADR-021) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-09 17:40:01 +02:00			`base__firewall_control_addr: 10.10.0.99 # test control-node LAN address`
feat(base): input-only forward policy + admin-addr SSH allow base__firewall_input_only renders the forward chain policy accept (host-local INPUT filtering only) for hosts that forward container/NAT traffic; defaults false so real service hosts keep the forward default-deny. base__firewall_admin_addrs adds operator-workstation LAN sources to the SSH allow-list alongside wt0 + ssh-from-control. Molecule locks the secure default + the admin rule. Mesh-hardening 2/3 (ADR-020/021). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-19 09:37:06 +02:00			`base__firewall_admin_addrs:`
			`- "10.30.0.77" # fixture: an operator-workstation LAN source (admin-addr SSH allow)`
test(base): molecule coverage for the mesh concern (manage-off no-op) Converge enables mesh with base__mesh_manage:false (+ dummy key) so the include path runs hermetically; verify asserts netbird is not installed — proving the concern is a clean no-op when the live actions are gated off. Existing firewall/ ssh/fail2ban assertions unaffected. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-17 16:11:02 +02:00			`# Exercise the mesh concern's include path with the live actions gated off, so it`
			`# runs hermetically (no coordinator/key needed) and must be a clean no-op.`
			`base__mesh_enabled: true`
			`base__mesh_manage: false`
			`base__mesh_setup_key: "dummy-molecule-key"`
feat(base): pin the NetBird coordinator FQDN in /etc/hosts (mesh DNS-resilience) Adds base__mesh_coordinator_pin (default empty = no-op). When set + base__mesh_enabled, a lineinfile task writes "<ip> <fqdn>" to /etc/hosts so a managed mesh host survives a local-DNS hiccup (the 2026-06-18 incident class). FQDN derived from base__mesh_management_url via regex_replace (no community.general). Gated on base__mesh_enabled \| bool and pin length; the coordinator host (askari/offsite_hosts) stays exempt. Production pin wired for ubongo (77.42.120.136). Molecule dns_servers fix included (Docker/NetBird DNS incompatibility). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-20 11:22:40 +02:00			`base__mesh_coordinator_pin: "203.0.113.9" # fixture IP (TEST-NET-3); pins FQDN from base__mesh_management_url`
feat(base): opt-in sshd ListenAddress on the mesh IP (fail-closed) base__ssh_listen_mesh_only binds sshd to the live wt0 IP only, with ip_nonlocal_bind to beat the post-boot bind race and a fail-closed assert so an unresolved address never silently listens on all interfaces. Molecule covers the render + sysctl. Mesh-hardening 1/3 (ADR-016/021). Environmental checkpoint applied: the molecule-debian13 container image lacks procps (no sysctl binary). Added molecule/default/prepare.yml to install procps and sysctls: {net.ipv4.ip_nonlocal_bind: "0"} to molecule.yml platform so the ansible.posix.sysctl task can write and read back the value hermetically. Sysctl file format is net.ipv4.ip_nonlocal_bind=1 (no spaces); verify.yml grep pattern updated to match ansible.posix.sysctl's actual output. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-17 20:39:23 +02:00			`base__ssh_listen_mesh_only: true`
			`base__ssh_listen_addr: "100.99.0.1" # fixture mesh IP (no wt0 in the container)`
feat(base): render nftables ruleset from catalog (+ molecule fixture) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-06 18:57:44 +02:00			`firewall_zones:`
			`lan: 10.30.0.0/24`
			`srv: 10.20.0.0/24`
			`mgmt: 10.10.0.0/24`
feat(firewall): public zone + askari's public services in the catalog Adds a public (0.0.0.0/0) zone and askari's Caddy (80/443) + NetBird STUN (3478/udp) ingress so the base nftables default-deny does not drop the live public services when applied to askari. Molecule + filter unit test cover the public-zone rendering. Mesh-hardening 1/3 (ADR-020/024/016). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-17 20:46:03 +02:00			`public: 0.0.0.0/0`
feat(base): render nftables ruleset from catalog (+ molecule fixture) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-06 18:57:44 +02:00			`firewall_catalog:`
			`reverse_proxy:`
			`host: instance`
			`ingress:`
			`- { from: lan, port: 443, proto: tcp }`
			`photoprism:`
			`host: instance`
			`ingress:`
fix(base): iifname for load-time safety; zone-source molecule fixture nft -c rejects iif "wt0" when the interface is absent (container, or any host before NetBird); iifname matches by name and is robust to wt0 coming/going. Drop the ansible_host fixture override (the docker connection uses it as the container name) — molecule covers zone resolution, pytest covers service->IP. 2026-06-06 19:02:50 +02:00			`- { from: srv, port: 2342, proto: tcp }`
feat(firewall): public zone + askari's public services in the catalog Adds a public (0.0.0.0/0) zone and askari's Caddy (80/443) + NetBird STUN (3478/udp) ingress so the base nftables default-deny does not drop the live public services when applied to askari. Molecule + filter unit test cover the public-zone rendering. Mesh-hardening 1/3 (ADR-020/024/016). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-17 20:46:03 +02:00			`netbird_stun:`
			`host: instance`
			`ingress:`
			`- { from: public, port: 3478, proto: udp }`
feat(base): scaffold role + meta/README (firewall concern incoming) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-06 18:48:35 +02:00			`roles:`
			`- role: base`