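---
# Goss baseline assertions for railiance managed nodes
# Derived from spec/server-baseline.yaml — keep in sync.
# Run: goss -g /etc/goss/baseline.yaml validate

package:
  ufw:
    installed: true
  fail2ban:
    installed: true
  git:
    installed: true
  curl:
    installed: true
  vim:
    installed: true
  htop:
    installed: true
  # age and sops are binary installs, not apt packages — checked via command below

service:
  ufw:
    enabled: true
    running: true
  fail2ban:
    enabled: true
    running: true
  # Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
  # ssh.socket keeps it running. Assert the socket is enabled.
  ssh.socket:
    enabled: true
    running: true

file:
  /etc/ssh/sshd_config.d/10-hardening.conf:
    exists: true
    # Patterns are anchored regexes (goss treats /.../ as a regex) so that a
    # commented-out directive such as "#PermitRootLogin no" does not satisfy
    # the check the way a plain substring match would.
    # NOTE(review): sshd keeps the first value it reads for a keyword, so a
    # drop-in that sorts before 10-hardening.conf could still override these;
    # the effective config is what `sshd -T` prints — confirm on the node.
    contents:
      - /^PermitRootLogin no$/
      - /^PasswordAuthentication no$/
      - /^PubkeyAuthentication yes$/

user:
  tegwick:
    exists: true
    # sudo access is via /etc/sudoers.d/tegwick (NOPASSWD), not group membership
    shell: /bin/bash

command:
  "ufw status":
    exit-status: 0
    stdout:
      - "Status: active"
      - /OpenSSH.*ALLOW/
      - /6443\/tcp.*ALLOW/
      - /8472\/udp.*ALLOW/
  # TODO(review): consider also asserting owner/mode of /etc/sudoers.d/tegwick
  # with a file check, since sudo rejects drop-ins with unsafe ownership or
  # permissions and this grep only proves the directive text is present.
  "grep NOPASSWD /etc/sudoers.d/tegwick":
    exit-status: 0
    stdout:
      - "NOPASSWD"
  "grep -r HISTCONTROL /etc/profile.d/":
    exit-status: 0
    stdout:
      - "ignorespace"
  "fail2ban-client status sshd":
    exit-status: 0
    stdout:
      - "Status for the jail: sshd"
  # age and sops: verify the binaries exist and are executable (see package section)
  "test -x /usr/local/bin/age":
    exit-status: 0
  "test -x /usr/local/bin/sops":
    exit-status: 0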