sjat
6ac5afaf67
A control-group VM that applies base with INPUT-only default-deny (forward policy accept; admin-addr SSH allow). verify.yml is now profile-aware via an integration_profile marker — the askari Docker/DNAT block is gated, and a ubongo block asserts input drop + forward accept + the admin-addr rule. Enables `make test-integration HOST=ubongo`. Mesh-hardening 2/3 (ADR-025). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
13 lines
747 B
YAML
13 lines
747 B
YAML
---
|
|
# Integration-test overlay for the "askari" profile (ADR-025). Passed via `-e @`.
|
|
# Reproduces the 2026-06-17 incident: apply base's nftables default-deny to a Docker host.
|
|
integration_profile: askari
|
|
base__firewall_apply: true
|
|
# Keep a break-glass: sshd stays on all interfaces (never wt0-only in a throwaway VM).
|
|
base__ssh_listen_mesh_only: false
|
|
# The VM is isolated; it must never touch the real mesh.
|
|
base__mesh_enabled: false
|
|
# Allow SSH from the VM's libvirt-NAT gateway (where the driver/ansible connects from),
|
|
# so base's default-deny firewall + the reboot don't lock out the harness. By source IP,
|
|
# so it's interface-independent. Overrides askari's real control addr for the test only.
|
|
base__firewall_control_addr: "192.168.150.1"
|