From 10121e72d303794351dfa114503d1a5394ed6866 Mon Sep 17 00:00:00 2001
From: sjat
Date: Thu, 18 Jun 2026 12:37:32 +0200
Subject: [PATCH] feat(integration): askari profile, stub overlay, cert-tier files

Co-Authored-By: Claude Sonnet 4.6
---
 tests/integration/certs/internal.yml | 2 ++
 tests/integration/certs/le-prod-wildcard.yml | 6 ++++++
 tests/integration/certs/le-staging.yml | 4 ++++
 tests/integration/overrides/askari.yml | 8 ++++++++
 tests/integration/profiles/askari.json | 10 ++++++++++
 5 files changed, 30 insertions(+)
 create mode 100644 tests/integration/certs/internal.yml
 create mode 100644 tests/integration/certs/le-prod-wildcard.yml
 create mode 100644 tests/integration/certs/le-staging.yml
 create mode 100644 tests/integration/overrides/askari.yml
 create mode 100644 tests/integration/profiles/askari.json

diff --git a/tests/integration/certs/internal.yml b/tests/integration/certs/internal.yml
new file mode 100644
index 0000000..ba95157
--- /dev/null
+++ b/tests/integration/certs/internal.yml
@@ -0,0 +1,2 @@
+---
+reverse_proxy__tls_internal: true
diff --git a/tests/integration/certs/le-prod-wildcard.yml b/tests/integration/certs/le-prod-wildcard.yml
new file mode 100644
index 0000000..88bc1d9
--- /dev/null
+++ b/tests/integration/certs/le-prod-wildcard.yml
@@ -0,0 +1,6 @@
+---
+# On-demand only. Records an accepted risk (ADR-025 / accepted-risks.md): the prod
+# Gandi PAT reaches an ephemeral VM and transient TXT records land in the real wingu.me.
+reverse_proxy__tls_internal: false
+reverse_proxy__acme_dns_provider: gandi
+reverse_proxy__acme_ca: ""
diff --git a/tests/integration/certs/le-staging.yml b/tests/integration/certs/le-staging.yml
new file mode 100644
index 0000000..12bcdae
--- /dev/null
+++ b/tests/integration/certs/le-staging.yml
@@ -0,0 +1,4 @@
+---
+reverse_proxy__tls_internal: false
+reverse_proxy__acme_dns_provider: gandi
+reverse_proxy__acme_ca: "https://acme-staging-v02.api.letsencrypt.org/directory"
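Review bot: `reverse_proxy__acme_ca: ""` in le-prod-wildcard.yml leaves the reader to infer that an empty value means the role's default (production) ACME endpoint, while the staging tier spells its endpoint out; a comment such as `# "" = role default CA (production Let's Encrypt); le-staging.yml is the only tier that overrides it.` would make the tier's effect explicit, subject to confirming what the role does with an empty string. "On-demand only" is asserted in the header, but nothing in this file or in profiles/askari.json ties the tier to an explicit opt-in, so the comment should name the flag or invocation that selects it. Since the accepted-risk note already admits the production Gandi PAT reaches a throwaway VM, it would also help to record the narrowest scope that token is expected to carry for the test.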
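Review bot: le-staging.yml carries no header comment although it shares `reverse_proxy__acme_dns_provider: gandi` with le-prod-wildcard.yml and so presumably has the same DNS-side effect (the Gandi token reaching the VM and TXT records written to the real zone); only the CA endpoint differs. A header in the style of the prod file, e.g. `# Staging CA: untrusted certs, but the DNS-01 challenge still uses the real Gandi zone and token (see le-prod-wildcard.yml).`, would keep the two tiers' risk notes consistent. Quoting the staging URL is correct, since the value contains `:`.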
diff --git a/tests/integration/overrides/askari.yml b/tests/integration/overrides/askari.yml
new file mode 100644
index 0000000..a4baf23
--- /dev/null
+++ b/tests/integration/overrides/askari.yml
@@ -0,0 +1,8 @@
+---
+# Integration-test overlay for the "askari" profile (ADR-025). Passed via `-e @`.
+# Reproduces the 2026-06-17 incident: apply base's nftables default-deny to a Docker host.
+base__firewall_apply: true
+# Keep a break-glass: sshd stays on all interfaces (never wt0-only in a throwaway VM).
+base__ssh_listen_mesh_only: false
+# The VM is isolated; it must never touch the real mesh.
+base__mesh_enabled: false
diff --git a/tests/integration/profiles/askari.json b/tests/integration/profiles/askari.json
new file mode 100644
index 0000000..bab1dd8
--- /dev/null
+++ b/tests/integration/profiles/askari.json
@@ -0,0 +1,10 @@
+{
+ "groups": ["offsite_hosts"],
+ "applies": [
+ {"playbook": "site.yml", "tags": ["base"]},
+ {"playbook": "offsite.yml", "tags": ["docker_host", "reverse_proxy"]}
+ ],
+ "extra_vars_files": ["overrides/askari.yml"],
+ "mem_mib": 3072,
+ "vcpus": 2
+}
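Review bot: The header comment in overrides/askari.yml ends in a truncated "Passed via `-e @`"; the full form is `-e @overrides/askari.yml`, and the file is already wired in through `extra_vars_files` in profiles/askari.json, so `# Loaded by the runner from profiles/askari.json (extra_vars_files) as -e @overrides/askari.yml.` would show the one path by which it is applied. The break-glass comment would be stronger if it stated the dependency it guards: `base__ssh_listen_mesh_only: false` is what keeps the VM reachable once `base__firewall_apply: true` turns on default-deny, assuming the base ruleset admits sshd on the non-mesh interface, which is worth confirming against the role before relying on it in a throwaway VM.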
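Review bot: profiles/askari.json binds the overlay through `"extra_vars_files": ["overrides/askari.yml"]` but references none of the new certs/*.yml tier files, so which tier a plain run of this profile gets, and whether le-prod-wildcard.yml can be picked up without an explicit opt-in, is not visible from this commit; presumably the runner selects the tier from a separate flag. JSON has no comment syntax, so this belongs in the profile directory's README or, if the profile schema permits one, a `"description"` field naming the default tier and how the others are chosen. `"mem_mib": 3072` and `"vcpus": 2` are plain integers, which is correct here.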