ADR-015: resolve mesh-VPN deferral — NetBird on askari (ADR-016)
parent 5a32dd46d3
commit 2ae5cf4535
1 changed files with 7 additions and 7 deletions
@ -63,14 +63,15 @@ Manual, on bare metal:
1. Install Debian 13 on the box (one-time, by hand).
1. Install Debian 13 on the box (one-time, by hand).
2. `git clone` the repo; `make setup`; `make collections`; set up `rbw` + unlock.
2. `git clone` the repo; `make setup`; `make collections`; set up `rbw` + unlock.
3. Join the mesh VPN (choice deferred — see below).
3. Join the mesh VPN — NetBird, self-hosted on `askari` (ADR-016).
4. From then on `ubongo` manages every other host normally; Ansible manages *it* for
4. From then on `ubongo` manages every other host normally; Ansible manages *it* for
baseline config via the `control` group (`base` role only).
baseline config via the `control` group (`base` role only).
### Access & security
### Access & security
- Remote access is via the **mesh VPN** (choice deferred). SSH to `ubongo` over the
- Remote access is via the **mesh VPN** — NetBird, self-hosted on `askari` (ADR-016).
mesh; nothing is published to the public internet — this stays inside ADR-002.
SSH to `ubongo` over the mesh; nothing is published to the public internet — this
stays inside ADR-002.
- `ubongo` runs the `base` role: SSH hardening, nftables default-deny, fail2ban,
- `ubongo` runs the `base` role: SSH hardening, nftables default-deny, fail2ban,
auditd, unattended-upgrades. Inbound SSH is allowed **only on the mesh interface**,
auditd, unattended-upgrades. Inbound SSH is allowed **only on the mesh interface**,
denied on the physical NIC.
denied on the physical NIC.
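Review bot: the rewritten Access & security bullet names a self-hosted NetBird coordinator on `askari` in the same sentence as "nothing is published to the public internet — this stays inside ADR-002", and the two need reconciling: a self-hosted NetBird management plane has to be reachable by peers that are not yet on the mesh, so either state that the ADR-002 claim covers `ubongo` and the fleet only, or say which `askari` endpoints are exposed for peer enrollment and how they are protected. Two smaller points on the same hunk: step 3 now depends on `askari` being up and on an enrollment secret, so note where that secret lives (the `rbw` vault set up in step 2 is the natural place) to keep the bootstrap order honest; and since the mesh is now a known product, the `base` role's "Inbound SSH is allowed **only on the mesh interface**" rule can name the interface (the NetBird client's WireGuard interface, `wt0` by default on Linux, if the default is kept) so the nftables rule is not left to the reader's guess.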
@ -109,10 +110,9 @@ master password.
## Deferred (separate specs / discussions)
## Deferred (separate specs / discussions)
1. **Mesh VPN choice** — Tailscale vs NetBird, hosted vs self-hosted. Recovery
1. **Mesh VPN choice — RESOLVED (ADR-016):** NetBird, self-hosted on `askari`
dimension: a hosted coordinator keeps the mesh up when the cluster is down; a
(off-site, so it survives a homelab outage and stays out of the cluster it
self-hosted coordinator must live off-cluster (on `ubongo`), never on the fleet,
administers). Replaces ADR-007's OPNsense WireGuard.
or it recreates the chicken-and-egg.
2. **Browser-E2E verification harness** — Playwright/headless-Chromium, test-user
2. **Browser-E2E verification harness** — Playwright/headless-Chromium, test-user
generation, screenshot-back-to-Claude, and the new ADR-008 level.
generation, screenshot-back-to-Claude, and the new ADR-008 level.
3. **`rbw` offline-cache verification** — confirm offline decryption before relying
3. **`rbw` offline-cache verification** — confirm offline decryption before relying
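Review bot: a "RESOLVED" entry under a heading titled "Deferred (separate specs / discussions)" reads as a leftover; either move the resolution out of this list (renumbering items 2 and 3) or reduce item 1 to a one-line pointer to ADR-016. The new text also moves the coordinator's intended home from `ubongo` (old text) to `askari` without saying what changed the placement; the parenthetical "off-site, so it survives a homelab outage and stays out of the cluster it administers" carries the recovery argument, so one clause adding why it is also kept off the control host would make the decision self-explaining. Finally, "Replaces ADR-007's OPNsense WireGuard" is a status change to another ADR: mark ADR-007 superseded (or amended) in its own record rather than only noting it here.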