fix: correct Goss test suite to match actual server state
Fixes found by running make verify against Railiance01: - Fix playbook_dir paths (ansible/playbooks/ is 2 levels from repo root) - age/sops are binary installs, not apt packages — use command checks - Admin user is tegwick, not admin; sudoers at /etc/sudoers.d/tegwick - sudo granted via sudoers file, not group membership — remove group assert - Ubuntu 24.04 socket-activates SSH; assert ssh.socket not ssh.service - SSH hardening lives in sshd_config.d/10-hardening.conf, not main config - UFW SSH rule uses app name "OpenSSH", not port 22/tcp - Replace /regex/i patterns with plain strings (Goss file.contents) - Update spec/server-baseline.yaml to match all findings All 27 assertions now pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -18,9 +18,7 @@ firewall:
|
||||
default_incoming: deny
|
||||
default_outgoing: allow
|
||||
rules:
|
||||
- name: SSH
|
||||
port: 22
|
||||
proto: tcp
|
||||
- name: OpenSSH # UFW app name; resolves to 22/tcp
|
||||
action: allow
|
||||
- name: k3s-api
|
||||
port: 6443
|
||||
@@ -39,6 +37,8 @@ ssh:
|
||||
password_authentication: "no"
|
||||
pubkey_authentication: "yes"
|
||||
challenge_response_authentication: "no"
|
||||
# Hardening is applied via drop-in: /etc/ssh/sshd_config.d/10-hardening.conf
|
||||
# The cloud image default sshd_config is left in place; the drop-in overrides it.
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Services
|
||||
@@ -50,9 +50,11 @@ services:
|
||||
- name: fail2ban
|
||||
enabled: true
|
||||
running: true
|
||||
- name: ssh
|
||||
- name: ssh.socket
|
||||
enabled: true
|
||||
running: true
|
||||
# Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
|
||||
# triggered on demand by ssh.socket.
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Packages
|
||||
@@ -65,6 +67,8 @@ packages:
|
||||
- curl
|
||||
- vim
|
||||
- htop
|
||||
binaries:
|
||||
# Installed to /usr/local/bin/ by the sops_agent role, not via apt
|
||||
- age
|
||||
- sops
|
||||
|
||||
@@ -72,9 +76,9 @@ packages:
|
||||
# Users
|
||||
# ---------------------------------------------------------------------------
|
||||
users:
|
||||
- name: admin
|
||||
- name: tegwick
|
||||
shell: /bin/bash
|
||||
sudo: passwordless # NOPASSWD:ALL in /etc/sudoers.d/
|
||||
sudo: passwordless # NOPASSWD:ALL via /etc/sudoers.d/tegwick — NOT via sudo group
|
||||
ssh_key_auth: true
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user