# base

Hardened baseline applied to every boma host. Built incrementally; the first concern implemented is the host firewall (`firewall` tag).
## Firewall (nftables)

Default-deny inbound + east-west allowlisting + permissive egress, per ADR-020. Rules are rendered from the shared `firewall_catalog` / `firewall_zones` (in `group_vars/all`) by the `resolve_firewall_rules` filter, written to `/etc/nftables.conf`, syntax-checked with `nft -c` at render time, and applied with an auto-rollback safety net (`systemd-run` arms a revert that a follow-up task cancels once connectivity is confirmed). The apply sequence lives in tasks rather than a handler so the confirm/cancel step is controllable.

`/etc/nftables.d/*.nft` is included by the ruleset — the extension hook the `docker_host` role uses for container forward/NAT rules.
## Variables

See `defaults/main.yml` (`base__firewall_*`). SSH is accepted only on `base__firewall_mgmt_interface` (default `wt0`, the NetBird overlay — ADR-016); set it to a reachable interface/source until NetBird is built. Set `base__firewall_apply: false` to render + validate without applying (used by Molecule).
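The shape of the rendered ruleset (default-deny inbound, allowlisted east-west entries, permissive egress, SSH only on the management interface, and the `/etc/nftables.d/*.nft` hook) as an added illustration; this is not the role's `resolve_firewall_rules` filter, and the catalog/zone schema and the `allow` entry format below are assumed, not taken from `group_vars/all`:

```python
# Added example: a stand-in for the resolve_firewall_rules filter, not the role's code.
# Catalog/zone schema is assumed; sample values are constructed.
from typing import Dict, List

FIREWALL_CATALOG = {                     # service name -> protocol/port
    "ssh":   {"proto": "tcp", "port": 22},
    "https": {"proto": "tcp", "port": 443},
    "dns":   {"proto": "udp", "port": 53},
}
FIREWALL_ZONES = {                       # zone name -> source prefixes
    "overlay": ["100.64.0.0/10"],
    "web":     ["10.10.1.0/24"],
}

def _lookup(table: Dict, key: str, kind: str) -> object:
    # Unknown names must fail at render time, not become a silently missing rule.
    try:
        return table[key]
    except KeyError:
        raise ValueError(f"unknown {kind} {key!r} in firewall allow entry") from None

def resolve_firewall_rules(allow: List[Dict[str, str]], mgmt_iface: str = "wt0") -> str:
    """Render an inet filter ruleset: drop inbound by default, accept only
    allowlisted east-west flows, accept all egress."""
    lines = [
        "#!/usr/sbin/nft -f",
        "flush ruleset",
        'include "/etc/nftables.d/*.nft"',      # hook for per-role extensions (e.g. docker_host)
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    iif lo accept",
        f'    iifname "{mgmt_iface}" tcp dport 22 accept',   # SSH only via management interface
    ]
    for entry in allow:
        svc = _lookup(FIREWALL_CATALOG, entry["service"], "service")
        for src in _lookup(FIREWALL_ZONES, entry["from_zone"], "zone"):
            lines.append(f"    ip saddr {src} {svc['proto']} dport {svc['port']} accept")
    lines += [
        "  }",
        "  chain forward { type filter hook forward priority 0; policy drop; }",
        "  chain output { type filter hook output priority 0; policy accept; }",
        "}",
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(resolve_firewall_rules([{"service": "https", "from_zone": "web"}]))
```

The rendered text is what would then be handed to `nft -c -f` before any apply step.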
## Testing

- `tests/test_firewall_rules.py` — pytest units for the resolver.
- `make test ROLE=base` — Molecule renders + `nft -c` syntax-checks (never applies; it shares the host kernel).
- Enforcement + the apply/rollback path are verified at ADR-008 Level 2 on staging VMs.