Sub-project 2 of the mesh-hardening follow-on (the post-incident roadmap ordering puts ubongo first). Harden the control node's inbound surface via base's nftables firewall as INPUT-only default-deny: the forward chain stays permissive (new base__firewall_input_only knob) so Docker egress + the libvirt-NAT integration harness keep working, and there is no sshd ListenAddress change — sidestepping the ip_nonlocal_bind boot-race that sank askari. SSH allowed from wt0, ssh-from-control (Ansible self), and mamba on the LAN (new base__firewall_admin_addrs). Harness-validated before an operator-supervised cutover; the physical console is the permanent break-glass. Design maps to the four relevant 2026-06-17 incident lessons (FRICTION signals 1/2/3/6). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| plans | ||
| specs | ||