boma/tests/integration/profiles/askari_inputonly.json at 4933186d31af6712a9cd034192aa64da0b5c5347 - sjat/boma - Forgejo: Beyond coding. We forge.

sjat/boma

sjat 1042f161b6 test(integration): askari_inputonly — INPUT-only default-deny reboot gate

Adds the ADR-025 integration-test profile that proves the askari
mesh-hardening REDESIGN (INPUT-only default-deny, forward ACCEPT for Docker)
is reboot-safe on a throwaway KVM VM before the live cut-over.

Profile applies base (firewall + sshd) and offsite (docker_host +
reverse_proxy). Post-reboot verify checks: input policy drop, forward
policy accept, admin-addr break-glass SSH (192.168.150.1), Docker up,
and a published port answered from the controller. GREEN on 2026-06-19.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-06-19 19:14:55 +02:00

10 lines

267 B

JSON

Raw Blame History

 {
   "groups": ["offsite_hosts"],
   "applies": [
     {"playbook": "site.yml", "tags": ["base"]},
     {"playbook": "offsite.yml", "tags": ["docker_host", "reverse_proxy"]}
   ],
   "extra_vars_files": ["overrides/askari_inputonly.yml"],
   "mem_mib": 3072,
   "vcpus": 2
 }