ADR-015: resolve mesh-VPN deferral — NetBird on askari (ADR-016)
This commit is contained in:
parent 5a32dd46d3
commit 2ae5cf4535
1 changed file with 7 additions and 7 deletions
@ -63,14 +63,15 @@ Manual, on bare metal:
1. Install Debian 13 on the box (one-time, by hand).
2. `git clone` the repo; `make setup`; `make collections`; set up `rbw` + unlock.
3. Join the mesh VPN (choice deferred — see below).
3. Join the mesh VPN — NetBird, self-hosted on `askari` (ADR-016).
4. From then on `ubongo` manages every other host normally; Ansible manages *it* for
baseline config via the `control` group (`base` role only).
### Access & security
- Remote access is via the **mesh VPN** (choice deferred). SSH to `ubongo` over the
mesh; nothing is published to the public internet — this stays inside ADR-002.
- Remote access is via the **mesh VPN** — NetBird, self-hosted on `askari` (ADR-016).
SSH to `ubongo` over the mesh; nothing is published to the public internet — this
stays inside ADR-002.
- `ubongo` runs the `base` role: SSH hardening, nftables default-deny, fail2ban,
auditd, unattended-upgrades. Inbound SSH is allowed **only on the mesh interface**,
denied on the physical NIC.
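Review bot: the bootstrap order in steps 2 and 3 leaves the enrollment dependency implicit: joining a self-hosted NetBird mesh needs an enrollment credential, and the only secret store the runbook has set up by that point is `rbw` (step 2), so step 3 should say where that credential comes from, e.g. `3. Join the mesh VPN — NetBird, self-hosted on askari (ADR-016); enrollment key from rbw.` Two consequences of the swap are also worth a line each: "Inbound SSH is allowed **only on the mesh interface**" now refers to the NetBird interface rather than the ADR-007 WireGuard one, so the `base` role's nftables rule should be checked against ADR-016 when this lands; and "nothing is published to the public internet" is now a statement about the homelab only, since the self-hosted coordinator on `askari` must be reachable by the hosts that join it, so a pointer to where ADR-016 covers that exposure keeps the ADR-002 claim precise.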
@ -109,10 +110,9 @@ master password.
## Deferred (separate specs / discussions)
1. **Mesh VPN choice** — Tailscale vs NetBird, hosted vs self-hosted. Recovery
dimension: a hosted coordinator keeps the mesh up when the cluster is down; a
self-hosted coordinator must live off-cluster (on `ubongo`), never on the fleet,
or it recreates the chicken-and-egg.
1. **Mesh VPN choice — RESOLVED (ADR-016):** NetBird, self-hosted on `askari`
(off-site, so it survives a homelab outage and stays out of the cluster it
administers). Replaces ADR-007's OPNsense WireGuard.
2. **Browser-E2E verification harness** — Playwright/headless-Chromium, test-user
generation, screenshot-back-to-Claude, and the new ADR-008 level.
3. **`rbw` offline-cache verification** — confirm offline decryption before relying
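Review bot: a **RESOLVED** item left under "## Deferred (separate specs / discussions)" turns the list into a mixed to-do and changelog; suggest reducing item 1 to a one-line pointer ("Mesh VPN choice: resolved in ADR-016") outside the list, or a short "Resolved" note, and renumbering items 2 and 3 so the section again lists only open work. The removed lines also carried the recovery constraint that justified the decision, "a self-hosted coordinator must live off-cluster ... never on the fleet, or it recreates the chicken-and-egg"; the replacement keeps only "off-site, so it survives a homelab outage and stays out of the cluster it administers", so consider keeping the explicit "never on the fleet" wording, since that is the invariant ADR-016 has to honour. Lastly, "Replaces ADR-007's OPNsense WireGuard" should be paired with ADR-007 being marked superseded and a note on how hosts still peered over the ADR-007 WireGuard move across, otherwise two mesh paths coexist without either document saying which is authoritative.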