docs: record base firewall concern built (ADR-020 host layer)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent 6fb104e934
commit 90683c7912
2 changed files with 3 additions and 2 deletions
@ -31,7 +31,7 @@ _Last reviewed: 2026-06-06._
| Thing | State |
| Thing | State |
|---|---|
|---|---|
| `roles/base/` | Not in git — only an empty dir on disk (untracked). `site.yml` references it, so a clean clone errors on `make deploy PLAYBOOK=site` until it is built. |
| `roles/base/` | **Partially built.** The `firewall` concern is implemented (nftables: catalog-driven default-deny + east-west allowlist + auto-rollback apply; ADR-020) with pytest + Molecule render/syntax tests. Other concerns (SSH hardening, fail2ban, auditd, packages, users) are **not** built yet, so `make deploy PLAYBOOK=site` is still incomplete. |
| `roles/docker_host/` | Not in git. Same. |
| `roles/docker_host/` | Not in git. Same. |
| `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts |
| `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts |
| `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs |
| `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs |
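Review bot: the `roles/docker_host/` row still reads "Not in git. Same.", but "Same" pointed at the old `roles/base/` text (empty untracked dir, `site.yml` reference that breaks `make deploy PLAYBOOK=site`), which this hunk replaces, so the reference now dangles. Spell that row out on its own, e.g. `| \`roles/docker_host/\` | Not in git; only an empty dir on disk (untracked). |`, if that is still its state. The new `roles/base/` row's "auto-rollback apply" would also be clearer with one clause on what triggers the rollback, since that is the safeguard against an operator locking themselves out of a default-deny host.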
@ -33,7 +33,8 @@ _(DHCP, firewall, mDNS reflection live on OPNsense — Ansible-managed, not cont
_Firewalling is two-layer (ADR-020): OPNsense at the perimeter + inter-VLAN, plus
_Firewalling is two-layer (ADR-020): OPNsense at the perimeter + inter-VLAN, plus
per-host `nftables` (default-deny inbound + east-west allowlist) rendered by the `base`
per-host `nftables` (default-deny inbound + east-west allowlist) rendered by the `base`
role from a shared `group_vars` service catalog. Both layers are still to be built._
role from a shared `group_vars` service catalog. The host `nftables` layer is built (the
`base` firewall concern); the OPNsense layer is still to be built._
## 2. Identity & access — [P]
## 2. Identity & access — [P]
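Review bot: the updated sentence says the OPNsense layer "is still to be built", while the hunk's own context line above says DHCP, firewall and mDNS reflection already "live on OPNsense — Ansible-managed". Say which is meant: the OPNsense rule set itself, or its management from this repo (one phrasing: "the OPNsense layer exists but is not yet managed from this repo"). It is also worth stating plainly that, until that layer lands, the host `nftables` default-deny is the only firewall layer this repo enforces, so a reader does not assume both halves of ADR-020 are active.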