A control-group VM that applies base with INPUT-only default-deny (forward policy accept; admin-addr SSH allow). verify.yml is now profile-aware via an integration_profile marker — the askari Docker/DNAT block is gated, and a ubongo block asserts input drop + forward accept + the admin-addr rule. Enables `make test-integration HOST=ubongo`. Mesh-hardening 2/3 (ADR-025). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
18 lines
1.1 KiB
YAML
---
# Integration-test overlay for the "ubongo" profile (ADR-025). Passed via `-e @`.
# Exercises mesh-hardening 2/3: base's INPUT-only default-deny on the control node — input
# chain default-deny, forward chain left permissive (Docker/libvirt-NAT safe), no sshd
# ListenAddress change (so no boot-race).
integration_profile: ubongo
base__firewall_apply: true
base__firewall_input_only: true # forward chain renders `policy accept`
base__firewall_admin_addrs:
  - "192.168.150.98" # two representative LAN sources — exercises the
  - "192.168.150.99" # admin-addr loop with a multi-entry list (like ubongo)
# Never wt0-only; never touch the real mesh from a throwaway VM.
base__ssh_listen_mesh_only: false
base__mesh_enabled: false
# Allow SSH from the libvirt-NAT gateway (where the driver/ansible connect from) so the
# default-deny apply + the reboot don't lock out the harness. By source IP (interface-
# independent). This is the harness's lifeline; the admin-addr list above is only
# exercised by the test, never relied on for access.
base__firewall_control_addr: "192.168.150.1"
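The commit message says verify.yml's ubongo block asserts three things: the input chain defaults to drop, the forward chain defaults to accept, and an SSH accept rule exists for each admin address. The following is an added example, not the project's verify.yml or base role: it models those assertions in Python against a constructed `nft list ruleset` dump, using the variable values from the overlay above. The table name `inet filter`, the chain names `input`/`forward`, and the exact rule syntax are assumptions about how the role renders the ruleset; a second constructed dump shows the failure mode the `base__firewall_input_only` flag exists to prevent (a forward chain that defaults to drop, which would break Docker/libvirt NAT) and a missing admin-addr rule.

```python
"""Check an nftables ruleset against the ubongo overlay's intent.

Added example, not the project's verify.yml. Table/chain names and the rendered
rule syntax are assumptions; the overlay values are copied from the file above.
"""
import re

# Values taken from the overlay above.
OVERLAY = {
    "base__firewall_input_only": True,
    "base__firewall_admin_addrs": ["192.168.150.98", "192.168.150.99"],
    "base__firewall_control_addr": "192.168.150.1",
}

# Constructed `nft list ruleset` output for a correctly applied profile (assumed layout).
GOOD_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        ip saddr 192.168.150.1 tcp dport 22 accept
        ip saddr 192.168.150.98 tcp dport 22 accept
        ip saddr 192.168.150.99 tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}
"""

# Constructed failure case: forward chain also defaults to drop (breaks NAT for
# Docker/libvirt guests) and the second admin address never got its rule.
BAD_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ip saddr 192.168.150.1 tcp dport 22 accept
        ip saddr 192.168.150.98 tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
"""


def parse_chains(ruleset: str) -> dict:
    """Return {chain_name: {"policy": str | None, "rules": [str]}} from an nft dump."""
    chains = {}
    current = None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": None, "rules": []}
            continue
        if line == "}":
            current = None          # closes either a chain or the table
            continue
        if current is None or not line:
            continue
        if line.startswith("type "):
            pm = re.search(r"policy (\w+);", line)
            chains[current]["policy"] = pm.group(1) if pm else None
            continue
        chains[current]["rules"].append(line)
    return chains


def ssh_allowed_from(chains: dict, addr: str) -> bool:
    """True if the input chain explicitly accepts TCP/22 from addr (by source IP, not interface)."""
    pat = re.compile(rf"^ip saddr {re.escape(addr)} tcp dport (22|ssh) accept$")
    return any(pat.match(rule) for rule in chains.get("input", {}).get("rules", []))


def verify(overlay: dict, ruleset: str) -> dict:
    """Mirror the profile's assertions; return {check_name: passed}."""
    chains = parse_chains(ruleset)
    want_forward = "accept" if overlay["base__firewall_input_only"] else "drop"
    results = {
        "input_default_deny": chains.get("input", {}).get("policy") == "drop",
        # INPUT-only hardening must leave FORWARD permissive so NAT'd guests keep working.
        "forward_policy": chains.get("forward", {}).get("policy") == want_forward,
        # The control address is the harness lifeline; without it the reboot locks us out.
        "control_addr_ssh": ssh_allowed_from(chains, overlay["base__firewall_control_addr"]),
    }
    for addr in overlay["base__firewall_admin_addrs"]:
        results[f"admin_addr_ssh:{addr}"] = ssh_allowed_from(chains, addr)
    return results


if __name__ == "__main__":
    for name, dump in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        print(name, verify(OVERLAY, dump))
```

The control-address check is listed first on purpose: on a real control node it is the one rule whose absence costs you the box, so a harness should fail loudly on it before reporting anything about the admin-addr list.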