- dev_env .zshrc: drop the rclone alias (not installed) and guard the direnv
hook with `command -v direnv` so a missing direnv doesn't error every shell (O16)
- dev_env oh-my-posh: tag the zen.toml theme deploy `config` (it renders config to
disk like the per_user dotfiles); the include now carries packages+config so a
`--tags config` run re-renders the theme while the binary install stays packages
only (O17). Verified via `molecule converge -- --tags config`.
- drop the non-vocabulary `tags: [verify]` from molecule verify playbooks across
base/docker_host/public_dns/reverse_proxy (check-tags exempts molecule anyway) (O25)
- reverse_proxy templates: add the `{{ ansible_managed }}` header (ADR-024 §1.2) (O26)
make lint green; dev_env + reverse_proxy molecule green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Role layout (tree listing): defaults, filter_plugins, handlers, meta, molecule/default, tasks, templates, README.md
base
Hardened baseline applied to every boma host. Built incrementally; the first concern
implemented is the host firewall (firewall tag).
Firewall (nftables)
Default-deny inbound + east-west allowlisting + permissive egress, per ADR-020. Rules
are rendered from the shared firewall_catalog / firewall_zones (in group_vars/all)
by the resolve_firewall_rules filter, written to /etc/nftables.conf, syntax-checked
with nft -c at render time, and applied with an auto-rollback safety net
(systemd-run arms a revert that a follow-up task cancels once connectivity is
confirmed). The apply sequence lives in tasks rather than a handler so the confirm/cancel
step is controllable.
/etc/nftables.d/*.nft is included by the ruleset — the extension hook the
docker_host role uses for container forward/NAT rules.
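To make the render step concrete, here is a small added example of the kind of logic a resolve_firewall_rules-style filter performs: SSH accepted only on the management interface, east-west rules expanded from a catalog and a zone allowlist, default-deny inbound, permissive egress, and the `/etc/nftables.d/*.nft` include hook. This is illustration code written for this page, not the project's `filter_plugins` implementation; the catalog/zone schema, the function names and the sample data are assumptions.

```python
"""Added example, not the project's own filter code: a minimal model of a
resolve_firewall_rules-style filter and the ruleset it renders.
The catalog/zone schema and all names below are assumptions."""
import shutil
import subprocess

# Constructed sample data (assumed shape): service -> protocol/port, and
# zone -> member sources plus the catalog services that zone may reach here.
FIREWALL_CATALOG = {
    "ssh":   {"proto": "tcp", "port": 22},
    "https": {"proto": "tcp", "port": 443},
    "dns":   {"proto": "udp", "port": 53},
}

FIREWALL_ZONES = {
    "internal": {"sources": ["10.10.0.0/24"], "services": ["https", "dns"]},
    "mgmt":     {"sources": ["100.64.0.0/10"], "services": []},  # ssh via mgmt iface
}


def resolve_firewall_rules(catalog, zones, mgmt_interface="wt0"):
    """Return the input-chain rule lines: SSH only on the management
    interface, then one accept per (zone source, allowed service)."""
    ssh = catalog["ssh"]
    rules = [f'iifname "{mgmt_interface}" {ssh["proto"]} dport {ssh["port"]} accept']
    for zone in sorted(zones):
        spec = zones[zone]
        for service in spec["services"]:
            if service not in catalog:  # fail at render time, not on the host
                raise KeyError(f"zone {zone!r} references unknown service {service!r}")
            entry = catalog[service]
            for src in spec["sources"]:
                rules.append(
                    f'ip saddr {src} {entry["proto"]} dport {entry["port"]} '
                    f'accept comment "{zone}:{service}"'
                )
    return rules


def render_ruleset(rules):
    """Render a complete /etc/nftables.conf: default-deny input, permissive
    output, and the drop-in include used by other roles (e.g. docker_host)."""
    body = "\n".join(f"        {r}" for r in rules)
    return f"""#!/usr/sbin/nft -f
flush ruleset
include "/etc/nftables.d/*.nft"

table inet filter {{
    chain input {{
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
{body}
    }}
    chain output {{
        type filter hook output priority 0; policy accept;
    }}
}}
"""


def syntax_check(path):
    """Run `nft -c -f PATH` (parse only, never applies). Returns True on
    success; raises if nft is not installed so a missing check is visible."""
    if shutil.which("nft") is None:
        raise RuntimeError("nft not installed; cannot syntax-check")
    return subprocess.run(["nft", "-c", "-f", path], check=False).returncode == 0


if __name__ == "__main__":
    print(render_ruleset(resolve_firewall_rules(FIREWALL_CATALOG, FIREWALL_ZONES)))
```

The unknown-service check is the kind of defect the pytest units in `tests/` are there to catch before anything reaches a host; the `syntax_check` wrapper is the equivalent of the role's `nft -c` gate and is the only step that needs `nft` present.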
Variables
See defaults/main.yml (base__firewall_*). SSH is accepted only on
base__firewall_mgmt_interface (default wt0, the NetBird overlay — ADR-016); set it to
a reachable interface/source until NetBird is built. Set base__firewall_apply: false to
render + validate without applying (used by Molecule).
Testing
- `tests/test_firewall_rules.py` — pytest units for the resolver.
- `make test ROLE=base` — Molecule renders + `nft -c` syntax-checks (never applies; it shares the host kernel).
- Enforcement + the apply/rollback path are verified at ADR-008 Level 2 on staging VMs.