From b3e14decb499da109447963cf4a05b28b9efd359 Mon Sep 17 00:00:00 2001
From: sjat
Date: Fri, 19 Jun 2026 09:42:49 +0200
Subject: [PATCH] feat(inventory): ubongo gets INPUT-only host firewall + mamba LAN SSH

Enables base__firewall_input_only on the control group (forward chain stays permissive so Docker egress + the integration-test libvirt NAT survive) and allows the operator workstations' LAN IPs (mamba 10.20.10.50 + 10.20.10.17; raw leases, backstopped by wt0). Mesh-hardening 2/3.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 inventories/production/group_vars/control/vars.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/inventories/production/group_vars/control/vars.yml b/inventories/production/group_vars/control/vars.yml
index 6f06074..edc7a1d 100644
--- a/inventories/production/group_vars/control/vars.yml
+++ b/inventories/production/group_vars/control/vars.yml
@@ -19,3 +19,15 @@ base__ai_worker_user: claude
 # Enrollment only; the host firewall default-deny stays deferred (the mesh-hardening
 # follow-on), so this brings up wt0 without changing SSH exposure.
 base__mesh_enabled: true
+
+# Mesh-hardening 2/3 (2026-06-19, ADR-020/021): apply base's host firewall to ubongo as
+# INPUT-only default-deny — harden the inbound surface, leave the forward chain permissive so
+# Docker egress + the libvirt-NAT integration harness keep working. sshd is unchanged
+# (nftables scopes inbound), so there is no boot-race. Reach ubongo over wt0 (mesh), the
+# ssh-from-control self-path (base__firewall_control_addr, group_vars/all = 10.20.10.151), or
+# mamba on the LAN. Break-glass: the physical console. (base__firewall_apply defaults true.)
+base__firewall_input_only: true
+base__firewall_admin_addrs:
+ - "10.20.10.50" # mamba over the LAN (NetBird off). Raw DHCP lease — revisit with an # OPNsense reservation when OPNsense-as-code lands; backstopped by wt0. - "10.20.10.17" # 2nd operator workstation (MAC bc:0f:f3:c8:4a:8a). Raw lease — ditto.
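Review bot: The two `base__firewall_admin_addrs` entries at the end of the hunk allow-list raw DHCP leases, and their inline comments present wt0 as the backstop — but wt0 only preserves the operator's own reachability; it does not bound what the allow rule grants to whichever LAN host holds `10.20.10.50` or `10.20.10.17` after a lease change. Until the OPNsense reservation exists the comment should say that plainly and name what is exposed, e.g. `# NOTE: a raw lease is not an identity — any LAN host that later obtains this address inherits the allow rule; the rule's scope is whatever base grants admin_addrs (SSH only? confirm in the base role).` I cannot see from this hunk whether admin_addrs opens only sshd or the whole INPUT chain; the commit title says SSH, so stating the scope here lets the next reviewer judge the exposure without reading the role. Minor: the header comment restates `base__firewall_control_addr`'s value (`10.20.10.151`) from group_vars/all, which will drift silently when that file changes; reference the variable without repeating its value.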