Two bugs caught by the live make check/deploy on askari:
- include_tasks with a tag selects the include but NOT its tasks, so --tags hardening
ran nothing. Use apply: {tags:} to propagate (also fixed the firewall include).
- fail2ban service start + restart handler fail in a first-run --check (package not
installed yet); guard both with when: not ansible_check_mode so check is clean.
Applied to askari: SSH hardened, fail2ban active, ping still works (no lockout).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
# base
Hardened baseline applied to every boma host. Built incrementally; the first concern
implemented is the host firewall (firewall tag).
## Firewall (nftables)
Default-deny inbound + east-west allowlisting + permissive egress, per ADR-020. Rules
are rendered from the shared firewall_catalog / firewall_zones (in group_vars/all)
by the resolve_firewall_rules filter, written to /etc/nftables.conf, syntax-checked
with nft -c at render time, and applied with an auto-rollback safety net
(systemd-run arms a revert that a follow-up task cancels once connectivity is
confirmed). The apply sequence lives in tasks rather than a handler so the confirm/cancel
step is controllable.
/etc/nftables.d/*.nft is included by the ruleset — the extension hook the
docker_host role uses for container forward/NAT rules.
## Variables
See defaults/main.yml (base__firewall_*). SSH is accepted only on
base__firewall_mgmt_interface (default wt0, the NetBird overlay — ADR-016); set it to
a reachable interface/source until NetBird is built. Set base__firewall_apply: false to
render + validate without applying (used by Molecule).
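As an added illustration (not the role's own task files), one way to wire the include so its tasks actually run under `--tags firewall`, and to express the render / validate / arm-revert / apply / confirm / cancel sequence in tasks with the same `not ansible_check_mode` guard the commit message applies to fail2ban. The template name `nftables.conf.j2`, the snapshot path `/run/nftables.rollback`, the transient unit name `nft-rollback` and the 90-second window are assumptions.

```yaml
# tasks/main.yml (assumed layout)
- name: Host firewall (nftables)
  ansible.builtin.include_tasks: firewall.yml
  tags: [firewall]
  apply:
    tags: [firewall]  # without apply:, --tags firewall selects the include but none of its tasks

# tasks/firewall.yml
- name: Render the ruleset; validate runs nft -c on the temp file before it replaces the old one
  ansible.builtin.template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    mode: "0600"
    validate: nft -c -f %s
  register: base__nft_render

- name: Apply with an auto-rollback safety net (skipped when only rendering/validating)
  when:
    - base__firewall_apply | bool
    - base__nft_render is changed
    - not ansible_check_mode  # a dry run cannot arm or cancel a transient unit
  block:
    - name: Snapshot the live ruleset so the revert has something to restore
      ansible.builtin.shell: nft list ruleset > /run/nftables.rollback
      changed_when: false

    - name: Arm the revert (transient timer fires in 90 s unless cancelled below)
      ansible.builtin.command: >-
        systemd-run --unit=nft-rollback --on-active=90
        sh -c 'nft flush ruleset && nft -f /run/nftables.rollback'
      changed_when: false

    - name: Load the new ruleset
      ansible.builtin.command: nft -f /etc/nftables.conf

    - name: Confirm the controller still reaches the host through the new rules
      ansible.builtin.wait_for_connection:
        timeout: 60

    - name: Cancel the revert now that connectivity is confirmed
      ansible.builtin.systemd:
        name: nft-rollback.timer
        state: stopped
```

If the new rules cut the controller off, `wait_for_connection` fails, the play stops before the cancel step, and the timer restores the snapshot on its own.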
## Testing
- `tests/test_firewall_rules.py` — pytest units for the resolver.
- `make test ROLE=base` — Molecule renders + `nft -c` syntax-checks (never applies; it shares the host kernel).
- Enforcement and the apply/rollback path are verified at ADR-008 Level 2 on staging VMs.