docs: link ADR-020; harden firewall guardrail to the service catalog
parent d311f67098
commit e24aab28b2
1 changed file with 2 additions and 1 deletion
@ -169,7 +169,7 @@ Single-contributor, trunk-based (no merge requests / approval gates):
- Edit vault-encrypted files directly — decrypt first, re-encrypt after
- Force-push or rewrite already-pushed history on `main`
- Add a collection to `requirements.yml` without a specific module need in existing role tasks
- Open a firewall port anywhere but the `group_vars` firewall definitions — never ad-hoc on a host (ADR-002)
- Open a firewall port anywhere but the `group_vars` service catalog — never ad-hoc on a host. If it's not in the catalog, it doesn't exist (ADR-002, ADR-020)
- Disable or weaken a baseline control from ADR-002 (SSH hardening, nftables default-deny, fail2ban, auditd)
- Expose a service to the LAN/WAN without it sitting behind the reverse proxy with authentication (ADR-002)
- Deploy a service that hasn't cleared `docs/security/service-checklist.md` (record any deviation in `docs/security/accepted-risks.md`)
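Review bot: the new wording "If it's not in the catalog, it doesn't exist" in the replaced firewall bullet reads as a slogan rather than a rule; state the enforcement behind it, which is already visible two bullets down (the ADR-002 nftables default-deny baseline), so a reader knows an uncatalogued port is dropped by the firewall, not merely undocumented. Also consider naming the actual `group_vars` file or variable that holds the service catalog, since the old text said "firewall definitions" and "service catalog" is introduced here without a pointer; the ADR-020 reference alone does not tell someone where to add an entry.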
@ -223,6 +223,7 @@ Single-contributor, trunk-based (no merge requests / approval gates):
| Hardware & capacity | `docs/decisions/012-hardware-capacity.md` |
| Logging & log integrity | `docs/decisions/018-logging.md` |
| Tagging & run-targeting | `docs/decisions/019-tagging.md` |
| Firewall strategy | `docs/decisions/020-firewall.md` |
| Adding a new role | `docs/runbooks/new-role.md` |
| Adding a new host | `docs/runbooks/new-host.md` |
| Rotating vault secrets | `docs/runbooks/rotate-secrets.md` |
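Review bot: this commit changes only one file, so the added index row for `docs/decisions/020-firewall.md` assumes that decision document already exists in the tree; confirm the path resolves before pushing, since a dangling relative link in an index table fails silently and is the only place the guardrail above points to for the firewall rule. The row is correctly placed after `019-tagging.md` and before the runbook entries, matching the numeric ordering of the existing decision rows.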