sjat
b10a33f439
base__firewall_input_only renders the forward chain policy accept (host-local INPUT filtering only) for hosts that forward container/NAT traffic; defaults false so real service hosts keep the forward default-deny. base__firewall_admin_addrs adds operator-workstation LAN sources to the SSH allow-list alongside wt0 + ssh-from-control. Molecule locks the secure default + the admin rule. Mesh-hardening 2/3 (ADR-020/021). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
37 lines
1.2 KiB
YAML
37 lines
1.2 KiB
YAML
---
|
|
- name: Converge
|
|
hosts: all
|
|
become: true
|
|
gather_facts: true
|
|
vars:
|
|
base__firewall_apply: false
|
|
base__firewall_control_addr: 10.10.0.99 # test control-node LAN address
|
|
base__firewall_admin_addrs:
|
|
- "10.30.0.77" # fixture: an operator-workstation LAN source (admin-addr SSH allow)
|
|
# Exercise the mesh concern's include path with the live actions gated off, so it
|
|
# runs hermetically (no coordinator/key needed) and must be a clean no-op.
|
|
base__mesh_enabled: true
|
|
base__mesh_manage: false
|
|
base__mesh_setup_key: "dummy-molecule-key"
|
|
base__ssh_listen_mesh_only: true
|
|
base__ssh_listen_addr: "100.99.0.1" # fixture mesh IP (no wt0 in the container)
|
|
firewall_zones:
|
|
lan: 10.30.0.0/24
|
|
srv: 10.20.0.0/24
|
|
mgmt: 10.10.0.0/24
|
|
public: 0.0.0.0/0
|
|
firewall_catalog:
|
|
reverse_proxy:
|
|
host: instance
|
|
ingress:
|
|
- { from: lan, port: 443, proto: tcp }
|
|
photoprism:
|
|
host: instance
|
|
ingress:
|
|
- { from: srv, port: 2342, proto: tcp }
|
|
netbird_stun:
|
|
host: instance
|
|
ingress:
|
|
- { from: public, port: 3478, proto: udp }
|
|
roles:
|
|
- role: base
|