From a9287427e3e7cd81cddb4c0f2111208e6a08904e Mon Sep 17 00:00:00 2001 From: sjat Date: Sat, 6 Jun 2026 16:00:01 +0200 Subject: [PATCH] docs(todo): mark 3.5 firewall strategy decided (ADR-020) --- docs/TODO.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/TODO.md b/docs/TODO.md index c8699c8..3714379 100644 --- a/docs/TODO.md +++ b/docs/TODO.md @@ -23,7 +23,12 @@ translate-don't-transplant — V4 is a source only of gotchas + working config snippets, re-derived on boma's terms; never structure/requirements/values. 4. Decide what each node runs — base packages plus which apps/services. - 5. Decide the firewall strategy (which firewall, ruleset, per-host vs central). + 5. ~~Decide the firewall strategy (which firewall, ruleset, per-host vs central).~~ + DECIDED (ADR-020): two layers — OPNsense (perimeter + inter-VLAN) + host nftables + (default-deny inbound + east-west allowlist, permissive egress). Single source of + truth: a `group_vars` service catalog with symbolic sources; each layer renders + its own slice. Builds deferred to follow-up specs (host nftables in `base`, then + OPNsense-as-code). 6. Wire up the monitoring stack. Logging topology DECIDED (ADR-018): cluster Loki (all logs) + off-site security subset on `askari` + Grafana on-cluster (not the whole stack on `askari`). Still to design/build: Prometheus + metric exporters,
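Review bot: the rewritten item 5 records the decision but leaves the two deferred builds it names (host nftables in `base`, then OPNsense-as-code) without their own tracked entries, unlike item 6, which spells out what is "Still to design/build" after ADR-018. Consider adding them as sub-items under 5 so the follow-up specs do not drop out of the TODO once the strikethrough reads as done. Also, since the summary states "permissive egress" as part of the decided posture, a short pointer to where ADR-020 scopes that (deferred vs. out of scope) would keep this line from being read as the final word on outbound filtering.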