feat: implement WP-0002 — Goss test suite, verify playbook, and ADR-002

- goss/baseline.yaml: assertions for all spec/server-baseline.yaml items (packages, services, SSH config, UFW rules, admin user, fail2ban, HISTCONTROL) - goss/vars/baseline-vars.yaml: parameterised ports and paths - ansible/roles/goss/: installs Goss binary (v0.4.9), deploys tests, runs assertions in TAP format, fetches report to reports/ - ansible/playbooks/verify.yaml: playbook wrapping the goss role - Makefile: add 'make verify' target; update 'make status' with hint - docs/adr/ADR-002: formal repo boundary — railiance-hosts vs railiance-bootstrap - workplans/RAIL-HO-WP-0002: registered workstream 8fed53c2, T03–T06 done Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 12:38:48 +01:00
parent 2be5de2a3a
commit 8f5799553e
7 changed files with 242 additions and 5 deletions
--- a/goss/baseline.yaml
+++ b/goss/baseline.yaml
@@ -0,0 +1,68 @@
+# Goss baseline assertions for railiance managed nodes
+# Derived from spec/server-baseline.yaml — keep in sync.
+# Run: goss -g /etc/goss/baseline.yaml validate
+
+package:
+  ufw:
+    installed: true
+  fail2ban:
+    installed: true
+  git:
+    installed: true
+  curl:
+    installed: true
+  vim:
+    installed: true
+  htop:
+    installed: true
+  age:
+    installed: true
+  sops:
+    installed: true
+
+service:
+  ufw:
+    enabled: true
+    running: true
+  fail2ban:
+    enabled: true
+    running: true
+  ssh:
+    enabled: true
+    running: true
+
+file:
+  /etc/ssh/sshd_config:
+    exists: true
+    contains:
+      - /^PermitRootLogin no/i
+      - /^PasswordAuthentication no/i
+      - /^PubkeyAuthentication yes/i
+
+user:
+  admin:
+    exists: true
+    groups:
+      - sudo
+    shell: /bin/bash
+
+command:
+  "ufw status":
+    exit-status: 0
+    stdout:
+      - "Status: active"
+      - /22\/tcp.*ALLOW/
+      - /6443\/tcp.*ALLOW/
+      - /8472\/udp.*ALLOW/
+  "grep NOPASSWD /etc/sudoers.d/admin":
+    exit-status: 0
+    stdout:
+      - "NOPASSWD"
+  "grep -r HISTCONTROL /etc/profile.d/":
+    exit-status: 0
+    stdout:
+      - "ignorespace"
+  "fail2ban-client status sshd":
+    exit-status: 0
+    stdout:
+      - "Status for the jail: sshd"
--- a/goss/vars/baseline-vars.yaml
+++ b/goss/vars/baseline-vars.yaml
@@ -0,0 +1,11 @@
+# Parameterised values used in goss/baseline.yaml
+# Override per host group if defaults differ.
+
+firewall_ports:
+  ssh: "22/tcp"
+  k3s_api: "6443/tcp"
+  flannel_vxlan: "8472/udp"
+
+admin_user: admin
+goss_binary: /usr/local/bin/goss
+goss_tests_dir: /etc/goss