feat: add server baseline spec, status command, and test suite workplan

- Fix duplicate `converge` Makefile target (was causing warnings) - Fix `make status` SSH hardening check (use grep on sshd_config instead of sshd -T which fails without hostkeys) - Add `make status` target with connectivity, UFW, fail2ban, SSH checks - Add spec/server-baseline.yaml — authoritative target-state spec for all managed nodes (firewall, SSH, services, packages, users) - Add workplan RAIL-HO-WP-0002 for Goss test suite and repo boundary ADR Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 11:08:16 +00:00
parent abbc5bab2c
commit 2be5de2a3a
3 changed files with 358 additions and 3 deletions
--- a/spec/server-baseline.yaml
+++ b/spec/server-baseline.yaml
@@ -0,0 +1,86 @@
+# Railiance Managed Node — Baseline Server Specification
+# This file is the authoritative source of truth for the target state of every
+# server managed by railiance-hosts. All convergence roles and test assertions
+# MUST be derivable from this document.
+#
+# When you change something here, update the Ansible roles AND the Goss tests.
+# Format: human-readable YAML, kept technology-neutral.
+
+version: "1.0"
+applies_to: all  # override per node group if needed
+
+# ---------------------------------------------------------------------------
+# Firewall
+# ---------------------------------------------------------------------------
+firewall:
+  engine: ufw
+  status: active
+  default_incoming: deny
+  default_outgoing: allow
+  rules:
+    - name: SSH
+      port: 22
+      proto: tcp
+      action: allow
+    - name: k3s-api
+      port: 6443
+      proto: tcp
+      action: allow
+    - name: flannel-vxlan
+      port: 8472
+      proto: udp
+      action: allow
+
+# ---------------------------------------------------------------------------
+# SSH daemon
+# ---------------------------------------------------------------------------
+ssh:
+  permit_root_login: "no"
+  password_authentication: "no"
+  pubkey_authentication: "yes"
+  challenge_response_authentication: "no"
+
+# ---------------------------------------------------------------------------
+# Services
+# ---------------------------------------------------------------------------
+services:
+  - name: ufw
+    enabled: true
+    running: true
+  - name: fail2ban
+    enabled: true
+    running: true
+  - name: ssh
+    enabled: true
+    running: true
+
+# ---------------------------------------------------------------------------
+# Packages
+# ---------------------------------------------------------------------------
+packages:
+  installed:
+    - ufw
+    - fail2ban
+    - git
+    - curl
+    - vim
+    - htop
+    - age
+    - sops
+
+# ---------------------------------------------------------------------------
+# Users
+# ---------------------------------------------------------------------------
+users:
+  - name: admin
+    shell: /bin/bash
+    sudo: passwordless  # NOPASSWD:ALL in /etc/sudoers.d/
+    ssh_key_auth: true
+
+# ---------------------------------------------------------------------------
+# Security baseline
+# ---------------------------------------------------------------------------
+security:
+  histcontrol: ignorespace  # set in /etc/profile.d/
+  fail2ban_jails:
+    - sshd