sjat
9b5851ba4b
- dev_env .zshrc: drop the rclone alias (not installed) and guard the direnv
hook with `command -v direnv` so a missing direnv doesn't error every shell (O16)
- dev_env oh-my-posh: tag the zen.toml theme deploy `config` (it renders config to
disk like the per_user dotfiles); the include now carries packages+config so a
`--tags config` run re-renders the theme while the binary install stays packages
only (O17). Verified via `molecule converge -- --tags config`.
- drop the non-vocabulary `tags: [verify]` from molecule verify playbooks across
base/docker_host/public_dns/reverse_proxy (check-tags exempts molecule anyway) (O25)
- reverse_proxy templates: add the `{{ ansible_managed }}` header (ADR-024 §1.2) (O26)
make lint green; dev_env + reverse_proxy molecule green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
59 lines
2.1 KiB
YAML
59 lines
2.1 KiB
YAML
---
|
|
- name: Verify
|
|
hosts: all
|
|
become: true
|
|
gather_facts: false
|
|
tasks:
|
|
- name: Read the rendered ruleset
|
|
ansible.builtin.slurp:
|
|
src: /etc/nftables.conf
|
|
register: ruleset
|
|
|
|
- name: Decode it
|
|
ansible.builtin.set_fact:
|
|
nft: "{{ ruleset.content | b64decode }}"
|
|
|
|
- name: Assert default-deny input policy and management plane
|
|
ansible.builtin.assert:
|
|
that:
|
|
- "'type filter hook input priority 0; policy drop;' in nft"
|
|
- "'ct state established,related accept' in nft"
|
|
- "'iifname \"wt0\" tcp dport 22 accept' in nft"
|
|
- "'ip saddr 10.10.0.99 tcp dport 22 accept' in nft"
|
|
fail_msg: >-
|
|
input chain is missing default-deny, the wt0 SSH allow,
|
|
or the ssh-from-control management-plane rule
|
|
|
|
- name: Assert the lan->reverse_proxy:443 ingress rule (zone source)
|
|
ansible.builtin.assert:
|
|
that:
|
|
- "'10.30.0.0/24' in nft"
|
|
- "'tcp dport 443 accept' in nft"
|
|
fail_msg: "missing lan->443 rule for reverse_proxy"
|
|
|
|
- name: Assert the srv->photoprism:2342 ingress rule (zone source)
|
|
ansible.builtin.assert:
|
|
that:
|
|
- "'10.20.0.0/24' in nft"
|
|
- "'tcp dport 2342 accept' in nft"
|
|
fail_msg: "missing srv->2342 rule for photoprism"
|
|
|
|
- name: Assert the docker_host extension hook is present
|
|
ansible.builtin.assert:
|
|
that:
|
|
- "'include \"/etc/nftables.d/*.nft\"' in nft"
|
|
fail_msg: "missing drop-in include hook"
|
|
|
|
- name: Syntax-check the rendered ruleset (no apply)
|
|
ansible.builtin.command: nft -c -f /etc/nftables.conf
|
|
changed_when: false
|
|
|
|
- name: Sshd drop-in present and config valid
|
|
ansible.builtin.command: sshd -t
|
|
changed_when: false
|
|
- name: PasswordAuthentication is disabled
|
|
ansible.builtin.command: grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config.d/10-boma.conf
|
|
changed_when: false
|
|
- name: Fail2ban sshd jail configured
|
|
ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
|
|
changed_when: false
|