docs(todo): mark 3.5 firewall strategy decided (ADR-020)

2026-06-06 16:00:01 +02:00 · 2026-06-06 16:00:01 +02:00 · a9287427e3
commit a9287427e3
parent e24aab28b2
1 changed files with 6 additions and 1 deletions
--- a/docs/TODO.md
+++ b/docs/TODO.md
@ -23,7 +23,12 @@
      translate-don't-transplant — V4 is a source only of gotchas + working config
      snippets, re-derived on boma's terms; never structure/requirements/values.
   4. Decide what each node runs — base packages plus which apps/services.
-   5. Decide the firewall strategy (which firewall, ruleset, per-host vs central).
+   5. ~~Decide the firewall strategy (which firewall, ruleset, per-host vs central).~~
+      DECIDED (ADR-020): two layers — OPNsense (perimeter + inter-VLAN) + host nftables
+      (default-deny inbound + east-west allowlist, permissive egress). Single source of
+      truth: a `group_vars` service catalog with symbolic sources; each layer renders
+      its own slice. Builds deferred to follow-up specs (host nftables in `base`, then
+      OPNsense-as-code).
   6. Wire up the monitoring stack. Logging topology DECIDED (ADR-018): cluster Loki
      (all logs) + off-site security subset on `askari` + Grafana on-cluster (not the
      whole stack on `askari`). Still to design/build: Prometheus + metric exporters,