docs(todo): mark 3.5 firewall strategy decided (ADR-020)
This commit is contained in:
parent
e24aab28b2
commit
a9287427e3
1 changed file with 6 additions and 1 deletion
|
|
@ -23,7 +23,12 @@
|
||||||
translate-don't-transplant — V4 is a source only of gotchas + working config
|
translate-don't-transplant — V4 is a source only of gotchas + working config
|
||||||
snippets, re-derived on boma's terms; never structure/requirements/values.
|
snippets, re-derived on boma's terms; never structure/requirements/values.
|
||||||
4. Decide what each node runs — base packages plus which apps/services.
|
4. Decide what each node runs — base packages plus which apps/services.
|
||||||
5. Decide the firewall strategy (which firewall, ruleset, per-host vs central).
|
5. ~~Decide the firewall strategy (which firewall, ruleset, per-host vs central).~~
|
||||||
|
DECIDED (ADR-020): two layers — OPNsense (perimeter + inter-VLAN) + host nftables
|
||||||
|
(default-deny inbound + east-west allowlist, permissive egress). Single source of
|
||||||
|
truth: a `group_vars` service catalog with symbolic sources; each layer renders
|
||||||
|
its own slice. Builds deferred to follow-up specs (host nftables in `base`, then
|
||||||
|
OPNsense-as-code).
|
||||||
6. Wire up the monitoring stack. Logging topology DECIDED (ADR-018): cluster Loki
|
6. Wire up the monitoring stack. Logging topology DECIDED (ADR-018): cluster Loki
|
||||||
(all logs) + off-site security subset on `askari` + Grafana on-cluster (not the
|
(all logs) + off-site security subset on `askari` + Grafana on-cluster (not the
|
||||||
whole stack on `askari`). Still to design/build: Prometheus + metric exporters,
|
whole stack on `askari`). Still to design/build: Prometheus + metric exporters,
|
||||||
|
|
|
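Review bot: the new text for item 5 records "permissive egress" but does not say which layer owns egress policy or whether the `group_vars` service catalog carries egress entries at all; since the catalog is declared the single source of truth from which "each layer renders its own slice", state explicitly that egress is out of the catalog's scope (or that it is not), otherwise the two deferred follow-up specs (host nftables in `base`, then OPNsense-as-code) will each have to guess and may diverge. Also a style point: item 5 is struck through and the decision appended as a separate paragraph, while item 6 in the same list keeps its text and appends "DECIDED (ADR-018)" inline; use one convention for both, e.g. `5. Decide the firewall strategy (which firewall, ruleset, per-host vs central). DECIDED (ADR-020): ...`, so the list reads consistently and the original task wording is not lost.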