diff --git a/docs/TODO.md b/docs/TODO.md index c8699c8..3714379 100644 --- a/docs/TODO.md +++ b/docs/TODO.md @@ -23,7 +23,12 @@ translate-don't-transplant — V4 is a source only of gotchas + working config snippets, re-derived on boma's terms; never structure/requirements/values. 4. Decide what each node runs — base packages plus which apps/services. - 5. Decide the firewall strategy (which firewall, ruleset, per-host vs central). + 5. ~~Decide the firewall strategy (which firewall, ruleset, per-host vs central).~~ + DECIDED (ADR-020): two layers — OPNsense (perimeter + inter-VLAN) + host nftables + (default-deny inbound + east-west allowlist, permissive egress). Single source of + truth: a `group_vars` service catalog with symbolic sources; each layer renders + its own slice. Builds deferred to follow-up specs (host nftables in `base`, then + OPNsense-as-code). 6. Wire up the monitoring stack. Logging topology DECIDED (ADR-018): cluster Loki (all logs) + off-site security subset on `askari` + Grafana on-cluster (not the whole stack on `askari`). Still to design/build: Prometheus + metric exporters,
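Review bot: In the rewritten item 5, the parenthetical "(default-deny inbound + east-west allowlist, permissive egress)" is ambiguous about scope: placed after "host nftables" it reads as the host-layer policy only, but it could equally be read as the posture of both layers, and "permissive egress" in particular should state which layer it applies to (hosts, OPNsense, or both) since the perimeter is the only place where outbound from the whole cluster can be constrained or at least logged. Suggest splitting the line, e.g. "OPNsense (perimeter + inter-VLAN; egress: <policy>) + host nftables (default-deny inbound, east-west allowlist, permissive egress)". Also, since the "single source of truth" is one `group_vars` catalog that two layers render into their own slices, the deferred follow-up list ("host nftables in `base`, then OPNsense-as-code") should include the check that keeps the two slices consistent (a render-and-diff or CI assertion that both were generated from the same catalog revision), otherwise the catalog is the source of truth only until the first manual edit on the firewall side.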