boma/roles/base/tasks
sjat 39d2ad38ca feat(base): opt-in sshd ListenAddress on the mesh IP (fail-closed)
base__ssh_listen_mesh_only binds sshd to the live wt0 IP only, with
ip_nonlocal_bind to beat the post-boot bind race and a fail-closed assert so an
unresolved address never silently listens on all interfaces. Molecule covers
the render + sysctl. Mesh-hardening 1/3 (ADR-016/021).

Environmental checkpoint applied: the molecule-debian13 container image lacks
procps (no sysctl binary). Added molecule/default/prepare.yml to install procps
and sysctls: {net.ipv4.ip_nonlocal_bind: "0"} to molecule.yml platform so the
ansible.posix.sysctl task can write and read back the value hermetically.
Sysctl file format is net.ipv4.ip_nonlocal_bind=1 (no spaces); verify.yml
grep pattern updated to match ansible.posix.sysctl's actual output.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 20:43:08 +02:00
fail2ban.yml fix(base): propagate hardening tag to included tasks; check-mode-safe fail2ban 2026-06-14 16:54:23 +02:00
firewall.yml fix(base): make rollback snapshot restorable (flush-prefixed) 2026-06-06 19:15:38 +02:00
main.yml feat(base): NetBird agent enrollment concern (mesh) 2026-06-17 16:08:23 +02:00
mesh.yml feat(base): NetBird agent enrollment concern (mesh) 2026-06-17 16:08:23 +02:00
ssh.yml feat(base): opt-in sshd ListenAddress on the mesh IP (fail-closed) 2026-06-17 20:43:08 +02:00
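The mechanism the ssh.yml commit message describes (resolve the mesh IP, assert it resolved, set ip_nonlocal_bind so the bind survives the boot ordering race, then write a ListenAddress fragment) as an added, self-contained Ansible task list. This is an illustration of the pattern, not the boma role's own ssh.yml: the variable base__ssh_mesh_iface, the fact variable base__ssh_mesh_ip, the sysctl.d and sshd_config.d file names and the handler name are assumptions; only base__ssh_listen_mesh_only and the wt0 default come from the commit message.

```yaml
# Added example of the fail-closed mesh-only sshd bind; not the role's own code.
# Assumed variables: base__ssh_mesh_iface (default wt0), base__ssh_mesh_ip (set here).
- name: Resolve the live mesh address from gathered facts
  ansible.builtin.set_fact:
    # dict.get chains stay defined when the interface or its IPv4 block is absent,
    # so a missing address becomes '' instead of an undefined-variable error.
    base__ssh_mesh_ip: >-
      {{ ansible_facts.get(base__ssh_mesh_iface | default('wt0'), {})
         .get('ipv4', {}).get('address', '') | trim }}
  when: base__ssh_listen_mesh_only | bool

- name: Fail closed if the mesh address could not be resolved
  # An empty ListenAddress would fall back to listening on every interface,
  # so the play aborts here rather than rendering a permissive config.
  ansible.builtin.assert:
    that:
      - base__ssh_mesh_ip is defined
      - base__ssh_mesh_ip | length > 0
    fail_msg: >-
      base__ssh_listen_mesh_only is set but no IPv4 address was found on
      {{ base__ssh_mesh_iface | default('wt0') }}; refusing to render ListenAddress.
  when: base__ssh_listen_mesh_only | bool

- name: Allow sshd to bind the mesh IP before the interface carries it
  # Without ip_nonlocal_bind, sshd started before wt0 is up fails its bind and
  # either exits or (with a fallback config) listens on all addresses.
  ansible.posix.sysctl:
    name: net.ipv4.ip_nonlocal_bind
    value: "1"
    sysctl_set: true
    sysctl_file: /etc/sysctl.d/90-sshd-mesh-bind.conf   # assumed file name
    state: present
    reload: true
  when: base__ssh_listen_mesh_only | bool

- name: Restrict sshd to the mesh IP
  # Debian's sshd_config includes /etc/ssh/sshd_config.d/*.conf; once any
  # ListenAddress is set, sshd listens only on the listed addresses.
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/10-listen-mesh.conf   # assumed file name
    content: |
      ListenAddress {{ base__ssh_mesh_ip }}
    owner: root
    group: root
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd   # assumed handler name
  when: base__ssh_listen_mesh_only | bool
```

After the handler runs, `ss -ltn 'sport = :22'` should show only the mesh address and no `0.0.0.0` or `[::]` listener; that is the check the fail-closed assert exists to guarantee. Two caveats: once this fragment is active the host is reachable over SSH only via the mesh, so keep a console or other out-of-band path until the bind is confirmed, and `net.ipv4.ip_nonlocal_bind=1` is system-wide, so every service on the host (not just sshd) gains the ability to bind addresses the kernel does not yet hold.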