feat(base): scaffold role + meta/README (firewall concern incoming)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
03329d7d25
commit
2486e31f7d
8 changed files with 92 additions and 0 deletions
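--- /dev/null
+++ b/roles/base/README.md
@@ -0,0 +1,29 @@
+# base
+
+Hardened baseline applied to every boma host. Built incrementally; the first concern
+implemented is the **host firewall** (`firewall` tag).
+
+## Firewall (nftables)
+
+Default-deny inbound + east-west allowlisting + permissive egress, per ADR-020. Rules
+are rendered from the shared `firewall_catalog` / `firewall_zones` (in `group_vars/all`)
+by the `resolve_firewall_rules` filter, written to `/etc/nftables.conf`, syntax-checked
+with `nft -c` at render time, and applied with an **auto-rollback safety net**
+(`systemd-run` arms a revert that a follow-up task cancels once connectivity is
+confirmed). The apply sequence lives in tasks rather than a handler so the confirm/cancel
+step is controllable.
+
+`/etc/nftables.d/*.nft` is `include`d by the ruleset — the extension hook the
+`docker_host` role uses for container forward/NAT rules.
+
+### Variables
+See `defaults/main.yml` (`base__firewall_*`). SSH is accepted only on
+`base__firewall_mgmt_interface` (default `wt0`, the NetBird overlay — ADR-016); set it to
+a reachable interface/source until NetBird is built. Set `base__firewall_apply: false` to
+render + validate without applying (used by Molecule).
+
+### Testing
+- `tests/test_firewall_rules.py` — pytest units for the resolver.
+- `make test ROLE=base` — Molecule renders + `nft -c` syntax-checks (never applies; it
+shares the host kernel). Enforcement + the apply/rollback path are verified at ADR-008
+Level 2 on staging VMs.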
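--- /dev/null
+++ b/roles/base/defaults/main.yml
@@ -0,0 +1 @@
+---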
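--- /dev/null
+++ b/roles/base/handlers/main.yml
@@ -0,0 +1 @@
+---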
11
roles/base/meta/main.yml
Normal file
@ -0,0 +1,11 @@
---
galaxy_info:
author: sjat
description: Hardened baseline configuration for all boma hosts (Debian 13).
license: MIT
min_ansible_version: "2.17"
platforms:
- name: Debian
versions:
- trixie
dependencies: []
7
roles/base/molecule/default/converge.yml
Normal file
@ -0,0 +1,7 @@
---
- name: Converge
hosts: all
gather_facts: true
roles:
- role: base
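Review bot: The Converge play passes no variables, so `base__firewall_apply: false` — which the README names as the switch Molecule relies on to render and `nft -c` without applying — is not set anywhere in this commit, and `defaults/main.yml` is still empty. Once the firewall tasks land, the only thing standing between a Molecule run and a real ruleset apply inside a privileged, host-cgroup container would be a default that does not exist yet. Add `vars:` / `base__firewall_apply: false` to the play now so the guard is in place before the tasks are. The firewall tasks themselves are not part of this commit, so this is forward-looking.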
31
roles/base/molecule/default/molecule.yml
Normal file
@ -0,0 +1,31 @@
---
dependency:
name: galaxy
options:
requirements-file: ../../requirements.yml
driver:
name: docker
platforms:
- name: instance
# Project-owned image built from .docker/molecule-debian13/Dockerfile
# and hosted in the Forgejo container registry.
# Build/push with: make molecule-image / make molecule-image-push
image: forgejo.nyumbani.baobab.band/sjat/molecule-debian13:latest
pre_build_image: true
privileged: true # required for systemd
cgroupns_mode: host
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
command: /lib/systemd/systemd
provisioner:
name: ansible
inventory:
host_vars:
instance:
ansible_user: root
verifier:
name: ansible
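Review bot: `image: forgejo.nyumbani.baobab.band/sjat/molecule-debian13:latest` together with `pre_build_image: true` means every run pulls whatever the registry currently serves as `latest`, so converge results are not reproducible and an accidental or malicious push to that tag silently changes the test base. Pin a digest, `image: forgejo.nyumbani.baobab.band/sjat/molecule-debian13@sha256:<DIGEST>`, or at least a versioned tag that `make molecule-image-push` also updates. Separately, the comment on `privileged: true` says it is needed for systemd, but combined with `cgroupns_mode: host` and the `rw` mount of `/sys/fs/cgroup` the instance effectively has host-level reach; a comment next to it stating that this is why the role must never apply nftables under Molecule (the README already notes the shared kernel) would keep that constraint visible to whoever touches this file.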
11
roles/base/molecule/default/verify.yml
Normal file
@ -0,0 +1,11 @@
---
- name: Verify
hosts: all
gather_facts: true
tasks:
- name: Add verification tasks here
ansible.builtin.assert:
that: true
msg: "Replace this with real assertions"
tags: [verify]
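Review bot: The placeholder `ansible.builtin.assert` with `that: true` can never fail, so `molecule verify` reports green for this role while checking nothing, and the "Replace this with real assertions" message is only ever seen if someone reads the file. Until real checks exist, tie the task to something the scaffold already declares, e.g. `that: ansible_facts['distribution'] == 'Debian'` (facts are gathered, and `meta/main.yml` lists only Debian), so the verify stage at least proves the instance matches the platform the role targets. Once the firewall tasks land, the README's `nft -c` render check belongs here too.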
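--- /dev/null
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1 @@
+---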