boma/roles/base/templates
sjat b10a33f439 feat(base): input-only forward policy + admin-addr SSH allow
base__firewall_input_only renders the forward chain policy accept (host-local
INPUT filtering only) for hosts that forward container/NAT traffic; defaults
false so real service hosts keep the forward default-deny. base__firewall_admin_addrs
adds operator-workstation LAN sources to the SSH allow-list alongside wt0 +
ssh-from-control. Molecule locks the secure default + the admin rule.
Mesh-hardening 2/3 (ADR-020/021).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 09:37:06 +02:00
fail2ban_sshd.local.j2 feat(base): ssh hardening + fail2ban (hardening concern, ADR-002) 2026-06-14 16:42:56 +02:00
nftables.conf.j2 feat(base): input-only forward policy + admin-addr SSH allow 2026-06-19 09:37:06 +02:00
sshd_hardening.conf.j2 feat(base): opt-in sshd ListenAddress on the mesh IP (fail-closed) 2026-06-17 20:43:08 +02:00