base__firewall_input_only renders the forward chain policy accept (host-local INPUT filtering only) for hosts that forward container/NAT traffic; defaults false so real service hosts keep the forward default-deny.

base__firewall_admin_addrs adds operator-workstation LAN sources to the SSH allow-list alongside wt0 + ssh-from-control.

Molecule locks the secure default + the admin rule.

Mesh-hardening 2/3 (ADR-020/021).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

| File |
|---|
| fail2ban_sshd.local.j2 |
| nftables.conf.j2 |
| sshd_hardening.conf.j2 |