boma/roles/base
sjat 9b5851ba4b chore(roles): role/test hygiene from review (O16,O17,O25,O26)
- dev_env .zshrc: drop the rclone alias (not installed) and guard the direnv
  hook with `command -v direnv` so a missing direnv doesn't error every shell (O16)
- dev_env oh-my-posh: tag the zen.toml theme deploy `config` (it renders config to
  disk like the per_user dotfiles); the include now carries packages+config so a
  `--tags config` run re-renders the theme while the binary install stays packages
  only (O17). Verified via `molecule converge -- --tags config`.
- drop the non-vocabulary `tags: [verify]` from molecule verify playbooks across
  base/docker_host/public_dns/reverse_proxy (check-tags exempts molecule anyway) (O25)
- reverse_proxy templates: add the `{{ ansible_managed }}` header (ADR-024 §1.2) (O26)

make lint green; dev_env + reverse_proxy molecule green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 19:31:23 +02:00
defaults test(base): Molecule coverage for ssh hardening + fail2ban 2026-06-14 16:47:42 +02:00
filter_plugins fix(base): firewall resolver fails fast on empty/malformed sources; cover hosts: + proto default 2026-06-06 18:56:04 +02:00
handlers fix(base): propagate hardening tag to included tasks; check-mode-safe fail2ban 2026-06-14 16:54:23 +02:00
meta feat(base): scaffold role + meta/README (firewall concern incoming) 2026-06-06 18:48:35 +02:00
molecule/default chore(roles): role/test hygiene from review (O16,O17,O25,O26) 2026-06-14 19:31:23 +02:00
tasks fix(base): propagate hardening tag to included tasks; check-mode-safe fail2ban 2026-06-14 16:54:23 +02:00
templates feat(base): ssh hardening + fail2ban (hardening concern, ADR-002) 2026-06-14 16:42:56 +02:00
README.md feat(base): scaffold role + meta/README (firewall concern incoming) 2026-06-06 18:48:35 +02:00

base

Hardened baseline applied to every boma host. Built incrementally; the first concern implemented is the host firewall (firewall tag).

Firewall (nftables)

Default-deny inbound + east-west allowlisting + permissive egress, per ADR-020. Rules are rendered from the shared firewall_catalog / firewall_zones (in group_vars/all) by the resolve_firewall_rules filter, written to /etc/nftables.conf, syntax-checked with nft -c at render time, and applied with an auto-rollback safety net (systemd-run arms a revert that a follow-up task cancels once connectivity is confirmed). The apply sequence lives in tasks rather than a handler so the confirm/cancel step is controllable.

/etc/nftables.d/*.nft is included by the ruleset — the extension hook the docker_host role uses for container forward/NAT rules.
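To make the render step concrete, here is an added sketch of a catalog/zone resolver in the shape of an Ansible filter plugin. It is illustration only, not the role's own `resolve_firewall_rules` filter, and the schema of the sample `firewall_catalog` / `firewall_zones` data (a `sources`/`hosts` list per zone, `proto` defaulting to tcp) is an assumption; it fails fast on missing, empty or malformed sources rather than rendering a silently permissive rule.

```python
from ipaddress import ip_network

# Constructed sample data; the real catalog/zones live in group_vars/all
# and their exact schema is assumed here.
FIREWALL_ZONES = {
    "mgmt": {"sources": ["10.10.0.0/24"]},
    "app": {"hosts": ["10.20.0.5", "10.20.0.6"]},  # bare hosts, no mask
}
FIREWALL_CATALOG = {
    "ssh": {"port": 22, "zones": ["mgmt"]},                 # proto defaults to tcp
    "dns": {"port": 53, "proto": "udp", "zones": ["app"]},
}

def _zone_sources(name, zones):
    """Fail fast: a missing, empty or malformed zone aborts the render."""
    zone = zones.get(name)
    if not zone:
        raise ValueError(f"zone {name!r} missing or empty")
    raw = list(zone.get("sources", [])) + list(zone.get("hosts", []))
    if not raw:
        raise ValueError(f"zone {name!r} has no sources/hosts")
    try:
        return [str(ip_network(s, strict=False)) for s in raw]
    except ValueError as exc:
        raise ValueError(f"zone {name!r}: malformed source ({exc})") from exc

def resolve_firewall_rules(catalog, zones):
    """Return one nft accept rule per (service, zone) pair."""
    rules = []
    for svc, spec in catalog.items():
        proto = spec.get("proto", "tcp")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{svc}: unsupported proto {proto!r}")
        port = int(spec.get("port", 0))
        if not 0 < port < 65536:
            raise ValueError(f"{svc}: port missing or out of range")
        for zone in spec.get("zones") or []:
            srcs = ", ".join(_zone_sources(zone, zones))
            rules.append(f'ip saddr {{ {srcs} }} {proto} dport {port} '
                         f'accept comment "{svc}/{zone}"')
    return rules

def render_ruleset(rules):
    """Default-deny inbound; no output chain, so egress stays permissive."""
    body = "".join(f"        {r}\n" for r in rules)
    return ('flush ruleset\ninclude "/etc/nftables.d/*.nft"\n'
            "table inet filter {\n    chain input {\n"
            "        type filter hook input priority 0; policy drop;\n"
            "        iif lo accept\n        ct state established,related accept\n"
            + body + "    }\n}\n")
```

The rendered text is what a `nft -c -f` check would validate before any apply step is armed.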

Variables

See defaults/main.yml (base__firewall_*). SSH is accepted only on base__firewall_mgmt_interface (default wt0, the NetBird overlay — ADR-016); set it to a reachable interface/source until NetBird is built. Set base__firewall_apply: false to render + validate without applying (used by Molecule).

Testing

  • tests/test_firewall_rules.py — pytest units for the resolver.
  • make test ROLE=base — Molecule renders + nft -c syntax-checks (never applies; it shares the host kernel). Enforcement + the apply/rollback path are verified at ADR-008 Level 2 on staging VMs.