Commit graph

  • d1c3eb681a docs(status): coordinator-FQDN pin applied + live on ubongo (2026-06-20) [main] sjat 2026-06-20 12:01:29 +02:00
  • 1299eef6ea Merge feat/mesh-spof-resilience: accept mesh SPOF (R8) + coordinator DNS-resilience pin sjat 2026-06-20 11:42:49 +02:00
  • 0030b45bbd docs(adr-016): soften the second stale off-site-backup claim (R8 consistency) sjat 2026-06-20 11:42:49 +02:00
  • a483f4e55c fix: address whole-branch review (anchor pin regexp, ADR-016 backup note, verify comment) sjat 2026-06-20 11:41:19 +02:00
  • c09b7fe6a5 docs(security): accept the single-coordinator mesh SPOF (R8) + ADR-016 availability amendment sjat 2026-06-20 11:34:21 +02:00
  • 74e54b359b fix(base): confine /etc/hosts unsafe-write fallback to the Docker Molecule env sjat 2026-06-20 11:31:15 +02:00
  • f83d68d7a0 feat(base): pin the NetBird coordinator FQDN in /etc/hosts (mesh DNS-resilience) sjat 2026-06-20 11:22:40 +02:00
  • 0286c78f36 docs(plan): mesh-hardening SPOF — accept + DNS-resilience implementation plan sjat 2026-06-20 10:49:26 +02:00
  • 3ba22d199a docs(spec): mesh-hardening SPOF — accept single-coordinator SPOF + DNS-resilience pin sjat 2026-06-20 10:42:19 +02:00
  • f10fe8bb60 docs(status): mesh-hardening askari redesign applied + live reboot-validated (2026-06-20) sjat 2026-06-20 09:22:20 +02:00
  • dfc64da2eb feat(makefile): add EXTRA passthrough to check/deploy for ad-hoc ansible args sjat 2026-06-20 09:22:20 +02:00
  • 0194865437 Merge feat/mesh-hardening-askari-redesign: askari INPUT-only redesign + reboot gate sjat 2026-06-19 22:47:03 +02:00
  • d6e80990b2 fix(integration): real wait_for_ip arp-fallback test + document substrate coverage gap sjat 2026-06-19 22:41:11 +02:00
  • d1941c987e feat(integration_test): Ansible-manage virbr-boma nftables input allow sjat 2026-06-19 22:29:45 +02:00
  • dc5cc8933f fix(harness): fall back to --source arp for VM IP discovery (no leaseshelper) sjat 2026-06-19 22:29:35 +02:00
  • 4933186d31 docs(friction): task-3 integration-gate findings (dnsmasq, nftables, hostname) sjat 2026-06-19 19:16:45 +02:00
  • 9f0626040b docs(todo): add note on ubongo↔cluster network topology question sjat 2026-06-19 19:15:18 +02:00
  • 8ca42c389c fix(integration): fix VM boot: hostname, netplan, known_hosts handling sjat 2026-06-19 19:15:07 +02:00
  • 1042f161b6 test(integration): askari_inputonly — INPUT-only default-deny reboot gate sjat 2026-06-19 19:14:55 +02:00
  • d9b8676fce feat(inventory): askari INPUT-only firewall + WAN break-glass + manage over wt0 sjat 2026-06-19 17:18:58 +02:00
  • ab328a2f79 feat(netbird_coordinator): disable geolocation so no-egress startup can't FATAL the control plane sjat 2026-06-19 17:15:33 +02:00
  • 61cbcc6c18 docs(friction): re-asked settled defaults (push + subagent-driven) at plan->execute handoff sjat 2026-06-19 17:11:01 +02:00
  • 6be758bece docs(plan): mesh-hardening redesign — askari implementation plan sjat 2026-06-19 16:32:27 +02:00
  • a178729587 docs(spec): mesh-hardening redesign — askari wt0-primary + WAN break-glass sjat 2026-06-19 16:25:26 +02:00
  • ef5e049e9b docs(status): mesh-hardening 2/3 — ubongo reboot-validated sjat 2026-06-19 16:25:19 +02:00
  • 215060bac1 Merge feat/mesh-hardening-ubongo: ubongo INPUT-only default-deny (mesh-hardening 2/3) sjat 2026-06-19 15:34:31 +02:00
  • fa2c4c6368 docs(status): mesh-hardening 2/3 — ubongo INPUT-only default-deny applied sjat 2026-06-19 15:34:20 +02:00
  • a881185c73 docs(friction): base firewall flush wipes Docker nat (cutover finding) sjat 2026-06-19 15:16:21 +02:00
  • 180af46879 docs(friction): log the Molecule input_only-accept coverage gap sjat 2026-06-19 10:40:29 +02:00
  • 8d8c86fa39 docs(friction): VM-testing standard + libvirt stale-session gotcha sjat 2026-06-19 10:32:09 +02:00
  • 468f8c3a92 fix(integration): match live nft priority filter in the ubongo verify sjat 2026-06-19 10:32:09 +02:00
  • 26bb7e442d fix(integration): pin system python for virt-install (venv PATH hijack) sjat 2026-06-19 10:32:09 +02:00
  • 6ac5afaf67 test(integration): add the 'be ubongo' profile (input-only default-deny) sjat 2026-06-19 09:47:03 +02:00
  • b3e14decb4 feat(inventory): ubongo gets INPUT-only host firewall + mamba LAN SSH sjat 2026-06-19 09:42:49 +02:00
  • b10a33f439 feat(base): input-only forward policy + admin-addr SSH allow sjat 2026-06-19 09:37:06 +02:00
  • 66a9a0af08 docs: ubongo admin-addrs add 10.20.10.17 + flag raw-lease follow-up sjat 2026-06-19 09:26:04 +02:00
  • e14e347047 docs(plan): mesh-hardening 2/3 — ubongo implementation plan sjat 2026-06-19 09:26:04 +02:00
  • 24a1d909c9 docs(spec): mesh-hardening 2/3 — ubongo INPUT-only default-deny sjat 2026-06-19 09:12:58 +02:00
  • 77a20b8d40 docs(runbook): netbird-client mesh-drop / DNS troubleshooting sjat 2026-06-18 22:30:41 +02:00
  • a23ecd708d Merge feat/integration-testing: local VM integration testing (ADR-025, TODO 2.4) sjat 2026-06-18 21:52:59 +02:00
  • bc8592616b fix: address final whole-branch review findings sjat 2026-06-18 21:52:28 +02:00
  • d7bd31babb docs(adr/status): integration-testing harness RED→GREEN validated (ADR-025) sjat 2026-06-18 21:39:30 +02:00
  • cc772ff845 docs(adr/security): record claude NOPASSWD sudo model (ADR-015 amend + R7) sjat 2026-06-18 21:39:20 +02:00
  • 3fe6f68316 feat(base): codify AI-worker NOPASSWD sudo (ADR-015 amended) sjat 2026-06-18 21:36:31 +02:00
  • b1aa0f49d9 fix(integration): verify probes :80 without following redirects sjat 2026-06-18 16:57:47 +02:00
  • 172ae37953 feat(docker_host): container-forward nftables drop-in (reboot-safe Docker forwarding) sjat 2026-06-18 16:57:47 +02:00
  • 051c040343 fix(integration): exclude transient .run/ from linters; --- in generated inventory sjat 2026-06-18 16:44:12 +02:00
  • c7194ca147 feat(integration): allow SSH from the NAT gateway in the askari overlay sjat 2026-06-18 16:35:15 +02:00
  • 35446538df fix(integration-vm): apt-ready VMs + sudo-read serial console diagnostics sjat 2026-06-18 16:35:15 +02:00
  • 83983d739c fix(reverse_proxy): plain {% %} tags so the Caddyfile renders under ansible trim_blocks sjat 2026-06-18 16:35:15 +02:00
  • 941141e270 docs(friction): capture 9 signals from the ADR-025 harness shakedown sjat 2026-06-18 16:30:13 +02:00
  • f27514860e fix(integration-vm): boot test VMs via UEFI sjat 2026-06-18 16:13:35 +02:00
  • 65bacb25fa feat(integration-vm): force DHCP via explicit cloud-init network-config sjat 2026-06-18 15:05:49 +02:00
  • e5256696d6 fix(integration-vm): place VM disk/seed/console in CACHE_DIR for system-qemu sjat 2026-06-18 14:56:35 +02:00
  • 147eb874ea fix(integration-vm): pin LIBVIRT_DEFAULT_URI=qemu:///system sjat 2026-06-18 14:41:31 +02:00
  • ed1187d1c3 fix(integration-vm): point ansible -i at hosts.yml, not the run dir sjat 2026-06-18 13:04:54 +02:00
  • f51ae1a13d docs(runbook): integration-testing runbook + pre-flight cross-links sjat 2026-06-18 12:52:53 +02:00
  • 4732730515 docs: wire ADR-025 into testing/control-host/risks/status/capacity sjat 2026-06-18 12:51:22 +02:00
  • edcc347a95 docs(adr): ADR-025 local VM integration testing sjat 2026-06-18 12:49:52 +02:00
  • d68734267b feat(make): test-integration / test-integration-clean targets sjat 2026-06-18 12:45:38 +02:00
  • 3769c9ebb9 feat(integration): outcome-based verify playbook (DNAT-survives-reboot) sjat 2026-06-18 12:38:22 +02:00
  • 10121e72d3 feat(integration): askari profile, stub overlay, cert-tier files sjat 2026-06-18 12:37:32 +02:00
  • 0989f047eb feat(reverse_proxy): tls-internal + acme_ca knobs for integration/staging (ADR-025) sjat 2026-06-18 12:30:49 +02:00
  • 4fb4cf99c3 fix(integration-vm): boot-id-verified reboot + actionable timeouts + inventory guard (review) sjat 2026-06-18 12:28:06 +02:00
  • 68abd67ce6 feat(integration-vm): teardown, prune, console, full cycle + dispatch sjat 2026-06-18 12:21:06 +02:00
  • 8ea9966d88 feat(integration-vm): reboot, verify run, failure diagnostics sjat 2026-06-18 12:20:52 +02:00
  • d1c91930ac feat(integration-vm): transient inventory + real-playbook apply sjat 2026-06-18 12:20:37 +02:00
  • fdd4df34b1 feat(integration-vm): network + VM boot (overlay, cloud-init seed, virt-install import) sjat 2026-06-18 12:20:25 +02:00
  • af76763c16 feat(integration-vm): golden image fetch + SHA512 verification sjat 2026-06-18 12:19:58 +02:00
  • a8dc3c787a feat(integration-vm): cert-tier + profile + transient inventory rendering sjat 2026-06-18 12:12:23 +02:00
  • 6f53d00b71 feat(integration-vm): cloud-init user-data/meta-data rendering sjat 2026-06-18 12:12:08 +02:00
  • b5d5dffeaf feat(integration-vm): vm naming, RAM guard, lease IP parsing sjat 2026-06-18 12:11:56 +02:00
  • 64767ac187 feat(integration-vm): driver skeleton + CLI dispatch sjat 2026-06-18 12:11:41 +02:00
  • ac6a01296a feat(integration_test): KVM/libvirt substrate role on the control node sjat 2026-06-18 12:03:44 +02:00
  • 65533be4d9 docs(plan): implementation plan for local VM integration testing (2.4) sjat 2026-06-18 11:56:04 +02:00
  • 02e1eb7449 docs(spec): design local VM integration testing on ubongo (2.4) sjat 2026-06-18 11:35:51 +02:00
  • 69faaf5e43 docs(todo): local VM integration testing (2.4) + screenshot hand-off (10.8) sjat 2026-06-17 22:27:26 +02:00
  • 958e35e3c3 docs(friction): capture 6 signals from the mesh-hardening 1/3 incident sjat 2026-06-17 22:21:19 +02:00
  • 847d9885e2 revert: back out mesh-hardening 1/3 on askari after it broke the Docker host sjat 2026-06-17 22:16:17 +02:00
  • b0511179cb feat(tf/offsite): retire askari's WAN :22 (mesh-only SSH) sjat 2026-06-17 20:51:24 +02:00
  • cc21344ab1 feat(inventory): manage askari over wt0 + enable mesh-only SSH sjat 2026-06-17 20:49:15 +02:00
  • 3b30e70ba5 feat(firewall): public zone + askari's public services in the catalog sjat 2026-06-17 20:46:03 +02:00
  • 39d2ad38ca feat(base): opt-in sshd ListenAddress on the mesh IP (fail-closed) sjat 2026-06-17 20:39:23 +02:00
  • dfa363cecd docs(plan): mesh-hardening 1/3 — askari SSH onto wt0 implementation plan sjat 2026-06-17 20:25:59 +02:00
  • 292c204752 docs(spec): mesh-hardening 1/3 — move askari SSH onto wt0 sjat 2026-06-17 20:15:12 +02:00
  • e5a8e5d3b9 docs(roadmap): Phase 1 complete — point Next step at mesh-hardening follow-on sjat 2026-06-17 18:39:08 +02:00
  • 5947ba8756 chore(vault): Forgejo registry_token supplied (operator-minted, encrypted) sjat 2026-06-17 18:37:11 +02:00
  • a0762c563e docs(kaizen): bind-mount gotcha + consume 7 signals into the ledger (2026-06-17) sjat 2026-06-17 17:50:17 +02:00
  • c1323a3f29 feat(make): registry-login via vaulted Forgejo token (kaizen) sjat 2026-06-17 17:50:07 +02:00
  • 39904a778a fix(hooks): scope vault-preflight to staged ansible; catch prose exec re-asks sjat 2026-06-17 17:49:55 +02:00
  • 8f1c7d47ec fix(reverse_proxy,netbird_coordinator): create scaffold dirs in check mode sjat 2026-06-17 17:49:47 +02:00
  • b0c0150db2 feat(scan): repo-scan rename-incomplete check (kaizen) sjat 2026-06-17 17:49:41 +02:00
  • 959f9b30b5 feat(statusline): show context-window usage % in the status line sjat 2026-06-17 17:35:47 +02:00
  • 5d14efc864 docs: Phase 1 complete — clients enrolled + NetBird client runbook sjat 2026-06-17 17:11:32 +02:00
  • 8d2a064542 chore(vault): NetBird setup_key supplied (operator-minted, encrypted) [feat/m5-mesh-enrollment] sjat 2026-06-17 16:40:58 +02:00
  • 4c8fb9e03b docs: M5 mesh enrollment — ubongo + askari on the mesh sjat 2026-06-17 16:40:02 +02:00
  • d202b89480 feat(base): vault setup_key stub + enable mesh on ubongo + askari sjat 2026-06-17 16:12:28 +02:00
  • 9b3f8f826f test(base): molecule coverage for the mesh concern (manage-off no-op) sjat 2026-06-17 16:11:02 +02:00
  • 44c4978b5f feat(base): NetBird agent enrollment concern (mesh) sjat 2026-06-17 16:04:46 +02:00
  • 98eb09d8ba feat(base): add the 'mesh' concern tag (NetBird agent, ADR-016) sjat 2026-06-17 16:01:33 +02:00