From b9daf2a0adc914625ae38a05128291804898daea Mon Sep 17 00:00:00 2001 From: sjat Date: Thu, 11 Jun 2026 10:33:18 +0200 Subject: [PATCH] plan: record ubongo build outcome (done/deferred/follow-ups) Co-Authored-By: Claude Opus 4.8 (1M context) --- .../plans/2026-06-11-ubongo-build.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/docs/superpowers/plans/2026-06-11-ubongo-build.md b/docs/superpowers/plans/2026-06-11-ubongo-build.md index c2a411a..c748ff3 100644 --- a/docs/superpowers/plans/2026-06-11-ubongo-build.md +++ b/docs/superpowers/plans/2026-06-11-ubongo-build.md 
@@ -124,3 +124,27 @@ claude 2.1.173. Terraform is absent on `fisi` (TF un-init'd) — install deferre - **Full `base` hardening** — SSH/fail2ban/auditd concerns not built (only `firewall`). - **Recovery wiring (G)** — TF-state backup to `mamba`, rbw mirror — no TF state yet (TF un-init'd). `mamba` as break-glass clone tracked separately. + +--- + +## Outcome (2026-06-11) + +`STATUS.md` is the live source of truth; this is the session record. + +**Done:** A (toolchain — Docker 29.5.3, rbw 1.15.0, Claude Code 2.1.173; Node deferred), +B (dedicated `claude` user — docker group, no sudo), C (repo cloned, `make setup` + +`collections`, git identity; plugins install on first interactive launch), D (vault via +rbw + **offline-cache decryption verified**), E1/E2 (inventory + `ssh-from-control` +knob), F1 (key-only SSH), F2 (temp NOPASSWD removed), H1–H4 (docs reconciled). + +**Deferred, with reason:** +- **E3 — apply `base` to `ubongo`:** would push nftables default-deny with SSH allowed + *only on the mesh interface*, but no mesh exists yet → would deny inbound SSH on `eno1` + and strand the box. Wait for NetBird (ADR-016). `base` is also firewall-concern-only. +- **F3 — OPNsense DHCP reservation** for `10.20.10.151` (MAC `88:a4:c2:e0:ee:da`): operator action. +- **Mesh enrollment, full `base` hardening, recovery wiring (G):** out of scope (above). + +**Follow-ups flagged:** (1) `ubongo` sits in `10.20.10.0/24`, which doesn't match +ADR-007's zone map (`srv: 10.20.0.0/24`) — network-design drift to reconcile. (2) The +hardware reference previously assumed `ubongo` had 1 TB NVMe for an ADR-022 "restore-verify" +role; the real disk is 256 GB — check ADR-022 doesn't bank on the larger size.
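Review bot: in the "Done" entry for B, "docker group, no sudo" reads as a least-privilege statement, but membership in the docker group is root-equivalent on the host (a member can start a container that bind-mounts `/` and runs as root), so withholding sudo does not materially constrain the `claude` user; suggest recording this next to that entry as an accepted risk, or adding rootless Docker to the follow-ups. Related, since E3 is deferred and `base` is firewall-concern-only, no nftables policy is applied on the box at all right now; the outcome section should state that interim exposure explicitly (key-only SSH reachable on `eno1`, no host firewall) rather than leaving it implicit in the deferral reason, so `STATUS.md` and this record agree on what is currently protecting the host.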