diff --git a/tests/integration/certs/internal.yml b/tests/integration/certs/internal.yml
new file mode 100644
index 0000000..ba95157
--- /dev/null
+++ b/tests/integration/certs/internal.yml
@@ -0,0 +1,2 @@
+---
+reverse_proxy__tls_internal: true
diff --git a/tests/integration/certs/le-prod-wildcard.yml b/tests/integration/certs/le-prod-wildcard.yml
new file mode 100644
index 0000000..88bc1d9
--- /dev/null
+++ b/tests/integration/certs/le-prod-wildcard.yml
@@ -0,0 +1,6 @@
+---
+# On-demand only. Records an accepted risk (ADR-025 / accepted-risks.md): the prod
+# Gandi PAT reaches an ephemeral VM and transient TXT records land in the real wingu.me.
+reverse_proxy__tls_internal: false
+reverse_proxy__acme_dns_provider: gandi
+reverse_proxy__acme_ca: ""
diff --git a/tests/integration/certs/le-staging.yml b/tests/integration/certs/le-staging.yml
new file mode 100644
index 0000000..12bcdae
--- /dev/null
+++ b/tests/integration/certs/le-staging.yml
@@ -0,0 +1,4 @@
+---
+reverse_proxy__tls_internal: false
+reverse_proxy__acme_dns_provider: gandi
+reverse_proxy__acme_ca: "https://acme-staging-v02.api.letsencrypt.org/directory"
diff --git a/tests/integration/overrides/askari.yml b/tests/integration/overrides/askari.yml
new file mode 100644
index 0000000..a4baf23
--- /dev/null
+++ b/tests/integration/overrides/askari.yml
@@ -0,0 +1,8 @@
+---
+# Integration-test overlay for the "askari" profile (ADR-025). Passed via `-e @`.
+# Reproduces the 2026-06-17 incident: apply base's nftables default-deny to a Docker host.
+base__firewall_apply: true
+# Keep a break-glass: sshd stays on all interfaces (never wt0-only in a throwaway VM).
+base__ssh_listen_mesh_only: false
+# The VM is isolated; it must never touch the real mesh.
+base__mesh_enabled: false
diff --git a/tests/integration/profiles/askari.json b/tests/integration/profiles/askari.json
new file mode 100644
index 0000000..bab1dd8
--- /dev/null
+++ b/tests/integration/profiles/askari.json
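Review bot: `reverse_proxy__acme_ca: ""` in le-prod-wildcard.yml leaves the reader to guess whether the empty string selects the role's default (production) ACME directory or is passed through as a literal URL, while le-staging.yml in the same commit spells its directory out explicitly. A one-line comment above the key, `# Empty string = role default ACME directory (production); confirm the role treats "" as unset, not as a URL`, would make the intent checkable against the role. Since the header already records that the production Gandi PAT reaches a throwaway VM, it would also help to state here, or point to the section of accepted-risks.md that does, how the PAT is supplied to the run (it is rightly not in this file) and who removes the transient TXT records if a run aborts before ACME cleanup.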
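Review bot: The break-glass comment on `base__ssh_listen_mesh_only: false` in askari.yml only holds if the nftables default-deny that `base__firewall_apply: true` turns on also admits sshd on the VM's non-mesh interface; the file does not say so, and if the base role's input rules are mesh-only the override keeps sshd listening but unreachable, which is presumably the very incident the overlay reproduces. I would extend the comment to `# Break-glass assumes base's nftables input policy admits 22/tcp on the non-mesh interface — confirm against the base role defaults.` so the assumption is visible to whoever next changes the base rules. The header's `-e @` mention is also worth completing to `-e @<path-to-this-file>` and naming the directory the path is relative to, since the profile JSON references this file by a relative path.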
@@ -0,0 +1,10 @@
+{
+ "groups": ["offsite_hosts"],
+ "applies": [
+ {"playbook": "site.yml", "tags": ["base"]},
+ {"playbook": "offsite.yml", "tags": ["docker_host", "reverse_proxy"]}
+ ],
+ "extra_vars_files": ["overrides/askari.yml"],
+ "mem_mib": 3072,
+ "vcpus": 2
+}
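Review bot: `"extra_vars_files": ["overrides/askari.yml"]` is a relative path whose base is not recoverable from the profile itself: the profile lives in profiles/ but the overlay in a sibling overrides/, so the path presumably resolves against tests/integration/ or the runner's working directory rather than the profile's own directory. JSON has no comments, so this belongs in the runner's docstring or the tests/integration README, e.g. "extra_vars_files entries are resolved relative to tests/integration/". A runner check that every listed file exists before ansible-playbook is invoked would turn a typo here into a clear failure; for this profile the overlay is what sets `base__mesh_enabled: false`, so a run that proceeds without it would not be the isolated-VM configuration the overlay describes.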