diff --git a/roles/base/README.md b/roles/base/README.md
new file mode 100644
index 0000000..20bd053
--- /dev/null
+++ b/roles/base/README.md
@@ -0,0 +1,29 @@
+# base
+
+Hardened baseline applied to every boma host. Built incrementally; the first concern
+implemented is the **host firewall** (`firewall` tag).
+
+## Firewall (nftables)
+
+Default-deny inbound + east-west allowlisting + permissive egress, per ADR-020. Rules
+are rendered from the shared `firewall_catalog` / `firewall_zones` (in `group_vars/all`)
+by the `resolve_firewall_rules` filter, written to `/etc/nftables.conf`, syntax-checked
+with `nft -c` at render time, and applied with an **auto-rollback safety net**
+(`systemd-run` arms a revert that a follow-up task cancels once connectivity is
+confirmed). The apply sequence lives in tasks rather than a handler so the confirm/cancel
+step is controllable.
+
+`/etc/nftables.d/*.nft` is `include`d by the ruleset — the extension hook the
+`docker_host` role uses for container forward/NAT rules.
+
+### Variables
+See `defaults/main.yml` (`base__firewall_*`). SSH is accepted only on
+`base__firewall_mgmt_interface` (default `wt0`, the NetBird overlay — ADR-016); set it to
+a reachable interface/source until NetBird is built. Set `base__firewall_apply: false` to
+render + validate without applying (used by Molecule).
+
+### Testing
+- `tests/test_firewall_rules.py` — pytest units for the resolver.
+- `make test ROLE=base` — Molecule renders + `nft -c` syntax-checks (never applies; it
+ shares the host kernel). Enforcement + the apply/rollback path are verified at ADR-008
+ Level 2 on staging VMs.
diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/base/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/base/handlers/main.yml
@@ -0,0 +1 @@
+---
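Review bot: `defaults/main.yml` is an empty document, yet the README added in this same commit points readers to it for the `base__firewall_*` variables and names `base__firewall_apply` and `base__firewall_mgmt_interface` (default `wt0`) as the knobs that gate enforcement; `tasks/main.yml` is likewise only `---`. As committed, nothing in the role defines or consumes those variables, so an operator reading the README would expect a default-deny host firewall that the role does not yet install. If the firewall tasks are arriving in a follow-up, a placeholder keeps the two in step until then, e.g. `# base__firewall_* (see README) land together with the firewall tasks; the role is a no-op until then`. Otherwise the documented defaults belong here now (`base__firewall_apply` and `base__firewall_mgmt_interface: wt0`), so the README and the code do not disagree about what is enforced.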
diff --git a/roles/base/meta/main.yml b/roles/base/meta/main.yml
new file mode 100644
index 0000000..7d8b065
--- /dev/null
+++ b/roles/base/meta/main.yml
@@ -0,0 +1,11 @@
+---
+galaxy_info:
+ author: sjat
+ description: Hardened baseline configuration for all boma hosts (Debian 13).
+ license: MIT
+ min_ansible_version: "2.17"
+ platforms:
+ - name: Debian
+ versions:
+ - trixie
+dependencies: []
diff --git a/roles/base/molecule/default/converge.yml b/roles/base/molecule/default/converge.yml
new file mode 100644
index 0000000..b7a8c1d
--- /dev/null
+++ b/roles/base/molecule/default/converge.yml
@@ -0,0 +1,7 @@
+---
+- name: Converge
+ hosts: all
+ gather_facts: true
+
+ roles:
+ - role: base
diff --git a/roles/base/molecule/default/molecule.yml b/roles/base/molecule/default/molecule.yml
new file mode 100644
index 0000000..b23d8da
--- /dev/null
+++ b/roles/base/molecule/default/molecule.yml
@@ -0,0 +1,31 @@
+---
+dependency:
+ name: galaxy
+ options:
+ requirements-file: ../../requirements.yml
+
+driver:
+ name: docker
+
+platforms:
+ - name: instance
+ # Project-owned image built from .docker/molecule-debian13/Dockerfile
+ # and hosted in the Forgejo container registry.
+ # Build/push with: make molecule-image / make molecule-image-push
+ image: forgejo.nyumbani.baobab.band/sjat/molecule-debian13:latest
+ pre_build_image: true
+ privileged: true # required for systemd
+ cgroupns_mode: host
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ command: /lib/systemd/systemd
+
+provisioner:
+ name: ansible
+ inventory:
+ host_vars:
+ instance:
+ ansible_user: root
+
+verifier:
+ name: ansible
diff --git a/roles/base/molecule/default/verify.yml b/roles/base/molecule/default/verify.yml
new file mode 100644
index 0000000..c87d14e
--- /dev/null
+++ b/roles/base/molecule/default/verify.yml
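Review bot: The README states that Molecule "never applies" the ruleset and that `base__firewall_apply: false` is what makes it render-and-validate only, but nothing in `molecule.yml` or `converge.yml` sets that variable — the provisioner inventory only carries `ansible_user: root`, so the scenario is relying on a default that this commit does not define. Because the instance runs `privileged: true` with the host cgroup tree mounted `rw`, a future apply path executing inside it would do so with wide privileges, so the guard should be explicit in the scenario rather than inherited: under the existing `inventory:` key add `group_vars:` / `all:` / `base__firewall_apply: false`. Separately, `image: ...:latest` together with `pre_build_image: true` means the test image is not pinned, so test runs are neither reproducible nor tied to a reviewed build; pinning to an immutable tag or digest (a placeholder such as `molecule-debian13:<pinned-tag-or-digest>` until one is chosen) closes that gap.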
@@ -0,0 +1,11 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: true
+
+ tasks:
+ - name: Add verification tasks here
+ ansible.builtin.assert:
+ that: true
+ msg: "Replace this with real assertions"
+ tags: [verify]
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1 @@
+---
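Review bot: The only task in `verify.yml` asserts `that: true`, so the verify stage passes unconditionally and `make test ROLE=base` cannot detect a broken or missing ruleset, even though the README describes that target as the render + `nft -c` syntax-check gate. The placeholder message makes it clear this is intentional scaffolding, but a verify step that always succeeds is worse than none because the green result is misleading. Once the firewall tasks render `/etc/nftables.conf`, the checks below would pin the documented contract (file rendered, syntax accepted by `nft -c`) without applying anything; until those tasks land, the assertions will fail, so this should go in with them or remain explicitly marked as a stub.

```yaml
  tasks:
    - name: Rendered ruleset exists
      ansible.builtin.stat:
        path: /etc/nftables.conf
      register: nft_conf

    - name: Ruleset was written by the base role
      ansible.builtin.assert:
        that: nft_conf.stat.exists
        msg: "/etc/nftables.conf was not rendered"

    - name: Ruleset passes nft syntax check (no apply)
      ansible.builtin.command: nft -c -f /etc/nftables.conf
      changed_when: false
      tags: [verify]
```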