From 90683c7912623ab79c26f7ba3abd481092ce54e6 Mon Sep 17 00:00:00 2001 From: sjat Date: Sat, 6 Jun 2026 19:10:27 +0200 Subject: [PATCH] docs: record base firewall concern built (ADR-020 host layer) Co-Authored-By: Claude Sonnet 4.6 --- STATUS.md | 2 +- docs/CAPABILITIES.md | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/STATUS.md b/STATUS.md index 4c16151..32f99b8 100644 --- a/STATUS.md +++ b/STATUS.md @@ -31,7 +31,7 @@ _Last reviewed: 2026-06-06._ | Thing | State | |---|---| -| `roles/base/` | Not in git — only an empty dir on disk (untracked). `site.yml` references it, so a clean clone errors on `make deploy PLAYBOOK=site` until it is built. | +| `roles/base/` | **Partially built.** The `firewall` concern is implemented (nftables: catalog-driven default-deny + east-west allowlist + auto-rollback apply; ADR-020) with pytest + Molecule render/syntax tests. Other concerns (SSH hardening, fail2ban, auditd, packages, users) are **not** built yet, so `make deploy PLAYBOOK=site` is still incomplete. | | `roles/docker_host/` | Not in git. Same. | | `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts | | `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs | diff --git a/docs/CAPABILITIES.md b/docs/CAPABILITIES.md index d971544..efa33f6 100644 --- a/docs/CAPABILITIES.md +++ b/docs/CAPABILITIES.md @@ -33,7 +33,8 @@ _(DHCP, firewall, mDNS reflection live on OPNsense — Ansible-managed, not cont _Firewalling is two-layer (ADR-020): OPNsense at the perimeter + inter-VLAN, plus per-host `nftables` (default-deny inbound + east-west allowlist) rendered by the `base` -role from a shared `group_vars` service catalog. Both layers are still to be built._ +role from a shared `group_vars` service catalog. The host `nftables` layer is built (the +`base` firewall concern); the OPNsense layer is still to be built._ ## 2. Identity & access — [P]
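Review bot: in the STATUS.md hunk, the unchanged row `| roles/docker_host/ | Not in git. Same. |` loses its antecedent once the `roles/base/` row above it no longer says "Not in git — only an empty dir on disk (untracked)"; "Same." now points at a row describing a partially built role, so spell the docker_host state out (e.g. "Not in git; only an empty dir on disk (untracked)") or drop the "Same." Also, the new `roles/base/` row replaces the concrete statement that a clean clone "errors on `make deploy PLAYBOOK=site` until it is built" with "is still incomplete", which is ambiguous about whether the playbook still fails outright or merely skips the unbuilt concerns; keep the failure mode explicit since the table's purpose is to tell a reader what a clean clone will do.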
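Review bot: in the docs/CAPABILITIES.md hunk, the unchanged context line immediately above (`_(DHCP, firewall, mDNS reflection live on OPNsense — Ansible-managed, not cont…`) still states that the firewall lives on OPNsense, which now contradicts the rewritten sentence saying the host `nftables` layer is built and the OPNsense layer is not; update that parenthetical to say firewalling is split between the host `nftables` layer (built) and OPNsense (to be built), or reference ADR-020 there, so the two adjacent sentences agree.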