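# Railiance Managed Node — Baseline Server Specification
#
# This file is the authoritative source of truth for the target state of every
# server managed by railiance-hosts. All convergence roles and test assertions
# MUST be derivable from this document.
#
# When you change something here, update the Ansible roles AND the Goss tests.
# Format: human-readable YAML, kept technology-neutral.
#
# Quoting convention: values that are literal sshd_config tokens ("yes"/"no")
# are quoted so a YAML 1.1 parser does not turn them into booleans; values that
# are genuinely booleans for the roles (enabled/running/ssh_key_auth) are bare
# true/false.
---
version: "1.0"
applies_to: all  # override per node group if needed

# ---------------------------------------------------------------------------
# Firewall
# ---------------------------------------------------------------------------
firewall:
  engine: ufw
  status: active
  default_incoming: deny
  default_outgoing: allow
  # NOTE(review): no rule below carries a source restriction, so each port is
  # reachable from every address the host can see. SSH is at least
  # key-only (see `ssh` below), but 6443/tcp is the k3s API and 8472/udp is
  # flannel's VXLAN transport, which has no authentication of its own; both
  # should only need to be reachable from cluster node addresses. Consider
  # adding a `source` field (e.g. the node CIDR) and teaching the roles and
  # Goss tests to honour it — until then, assume these are internet-exposed
  # on any host with a public interface.
  rules:
    - name: SSH
      port: 22
      proto: tcp
      action: allow
    - name: k3s-api
      port: 6443
      proto: tcp
      action: allow
    - name: flannel-vxlan
      port: 8472
      proto: udp
      action: allow

# ---------------------------------------------------------------------------
# SSH daemon
# ---------------------------------------------------------------------------
# These map 1:1 onto sshd_config keywords; the values are the literal tokens
# sshd expects, hence the quotes.
ssh:
  permit_root_login: "no"
  password_authentication: "no"
  pubkey_authentication: "yes"
  # NOTE(review): on recent OpenSSH this keyword is a deprecated alias for
  # KbdInteractiveAuthentication — confirm which spelling the target sshd
  # reports via `sshd -T` and assert that one in the Goss tests, otherwise the
  # check can pass against a config line sshd no longer honours.
  challenge_response_authentication: "no"

# ---------------------------------------------------------------------------
# Services
# ---------------------------------------------------------------------------
services:
  - name: ufw
    enabled: true
    running: true
  - name: fail2ban
    enabled: true
    running: true
  - name: ssh
    enabled: true
    running: true

# ---------------------------------------------------------------------------
# Packages
# ---------------------------------------------------------------------------
packages:
  installed:
    - ufw
    - fail2ban
    - git
    - curl
    - vim
    - htop
    - age
    - sops

# ---------------------------------------------------------------------------
# Users
# ---------------------------------------------------------------------------
users:
  - name: admin
    shell: /bin/bash
    # NOPASSWD:ALL in /etc/sudoers.d/. This is a deliberate trade-off: with
    # password auth disabled there is no second factor between an `admin`
    # SSH key and root, so possession of that private key equals root on
    # every node this spec applies to. Keep the key in hardware or an agent
    # and treat its rotation as a root-credential rotation.
    sudo: passwordless
    ssh_key_auth: true

# ---------------------------------------------------------------------------
# Security baseline
# ---------------------------------------------------------------------------
security:
  # Set in /etc/profile.d/. Only stops commands typed with a leading space from
  # landing in interactive bash history; it is a courtesy for operators, not a
  # control — secrets passed on a command line are still visible in the
  # process list and in sudo/audit logs, and any user can override
  # HISTCONTROL in their own rc files.
  histcontrol: ignorespace
  fail2ban_jails:
    - sshd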