docs(todo): mark 3.5 firewall strategy decided (ADR-020)
This commit is contained in:
parent
e24aab28b2
commit
a9287427e3
1 changed files with 6 additions and 1 deletions
@ -23,7 +23,12 @@
|
|||
translate-don't-transplant — V4 is a source only of gotchas + working config
|
||||
snippets, re-derived on boma's terms; never structure/requirements/values.
|
||||
4. Decide what each node runs — base packages plus which apps/services.
|
||||
5. Decide the firewall strategy (which firewall, ruleset, per-host vs central).
|
||||
5. ~~Decide the firewall strategy (which firewall, ruleset, per-host vs central).~~
|
||||
DECIDED (ADR-020): two layers — OPNsense (perimeter + inter-VLAN) + host nftables
|
||||
(default-deny inbound + east-west allowlist, permissive egress). Single source of
|
||||
truth: a `group_vars` service catalog with symbolic sources; each layer renders
|
||||
its own slice. Builds deferred to follow-up specs (host nftables in `base`, then
|
||||
OPNsense-as-code).
|
||||
6. Wire up the monitoring stack. Logging topology DECIDED (ADR-018): cluster Loki
|
||||
(all logs) + off-site security subset on `askari` + Grafana on-cluster (not the
|
||||
whole stack on `askari`). Still to design/build: Prometheus + metric exporters,
|
||||
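Review bot: the new DECIDED text for item 5 states "permissive egress" for the host nftables layer but does not say whether outbound filtering is a deliberate scope cut or deferred work, while the same sentence commits to "default-deny inbound + east-west allowlist"; add a short clause (for example "egress restriction deferred to the OPNsense-as-code spec" or "out of scope per ADR-020", whichever the ADR actually says) so a reader of the TODO does not have to open ADR-020 to learn whether egress policy is still open. The same block is also the only place the `group_vars` service catalog is named; a relative path or a pointer to the ADR section that defines the catalog schema would make the "single source of truth" claim checkable from this file.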