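---
# Railiance Managed Node — Baseline Server Specification
#
# This file is the authoritative source of truth for the target state of every
# server managed by railiance-hosts. All convergence roles and test assertions
# MUST be derivable from this document.
#
# When you change something here, update the Ansible roles AND the Goss tests.
# Format: human-readable YAML, kept technology-neutral.
#
# Key names are the contract between this spec, the roles and the Goss tests;
# rename a key only together with every consumer of it.

version: "1.0"
applies_to: all  # override per node group if needed

# ---------------------------------------------------------------------------
# Firewall
# ---------------------------------------------------------------------------
firewall:
  engine: ufw
  status: active
  default_incoming: deny
  default_outgoing: allow
  # Rules carry no source restriction in this schema, so each allow below is
  # reachable from any address. NOTE(review): confirm whether k3s-api and
  # flannel-vxlan are meant to be open beyond the cluster peers; if not, a
  # source restriction is not expressible here yet and the schema needs one.
  rules:
    - name: OpenSSH  # UFW app name; resolves to 22/tcp
      action: allow
    - name: k3s-api
      port: 6443
      proto: tcp
      action: allow
    - name: flannel-vxlan
      port: 8472
      proto: udp
      action: allow

# ---------------------------------------------------------------------------
# SSH daemon
# ---------------------------------------------------------------------------
ssh:
  # Values are the literal sshd_config tokens. They are quoted on purpose so
  # YAML does not turn "no"/"yes" into booleans — keep them strings.
  permit_root_login: "no"
  password_authentication: "no"
  pubkey_authentication: "yes"
  # ChallengeResponseAuthentication is a deprecated alias of
  # KbdInteractiveAuthentication in current OpenSSH. The key name stays for the
  # roles/tests; check the rendered directive against the sshd on the image.
  challenge_response_authentication: "no"
  # Hardening is applied via drop-in: /etc/ssh/sshd_config.d/10-hardening.conf
  # The cloud image default sshd_config is left in place; the drop-in overrides it.
  # sshd uses the first value it reads for a directive, so on images whose
  # sshd_config includes sshd_config.d/*.conf at the top the drop-in only wins
  # because its "10-" prefix sorts first — keep it sorting ahead of the rest.

# ---------------------------------------------------------------------------
# Services
# ---------------------------------------------------------------------------
services:
  - name: ufw
    enabled: true
    running: true
  - name: fail2ban
    enabled: true
    running: true
  # Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
  # triggered on demand by ssh.socket.
  - name: ssh.socket
    enabled: true
    running: true

# ---------------------------------------------------------------------------
# Packages
# ---------------------------------------------------------------------------
packages:
  installed:
    - ufw
    - fail2ban
    - git
    - curl
    - vim
    - htop
  # Installed to /usr/local/bin/ by the sops_agent role, not via apt.
  # NOTE(review): how these downloads are integrity-checked (checksum or
  # signature) is not captured in this spec — confirm it in the sops_agent role.
  binaries:
    - age
    - sops

# ---------------------------------------------------------------------------
# Users
# ---------------------------------------------------------------------------
users:
  - name: tegwick
    shell: /bin/bash
    sudo: passwordless  # NOPASSWD:ALL via /etc/sudoers.d/tegwick — NOT via sudo group
    ssh_key_auth: true

# ---------------------------------------------------------------------------
# Security baseline
# ---------------------------------------------------------------------------
security:
  histcontrol: ignorespace  # set in /etc/profile.d/
  fail2ban_jails:
    - sshd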