railiance-infra/spec/server-baseline.yaml
Bernd Worsch 2be5de2a3a feat: add server baseline spec, status command, and test suite workplan
- Fix duplicate `converge` Makefile target (was causing warnings)
- Fix `make status` SSH hardening check (use grep on sshd_config instead
  of sshd -T which fails without hostkeys)
- Add `make status` target with connectivity, UFW, fail2ban, SSH checks
- Add spec/server-baseline.yaml — authoritative target-state spec for
  all managed nodes (firewall, SSH, services, packages, users)
- Add workplan RAIL-HO-WP-0002 for Goss test suite and repo boundary ADR

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 11:10:27 +00:00


# Railiance Managed Node — Baseline Server Specification
#
# This file is the authoritative source of truth for the target state of every
# server managed by railiance-hosts. All convergence roles (Ansible) and test
# assertions (Goss) MUST be derivable from this document. It is data, not code:
# every key name and value spelling below is part of the contract with those
# consumers, so do not "tidy" a value without checking both sides.
#
# When you change something here, update the Ansible roles AND the Goss tests.
# Format: human-readable YAML, kept technology-neutral.
# NOTE(review): several values below (ufw, /etc/sudoers.d/, /etc/profile.d/,
# the `ssh` unit name) are Debian/Ubuntu-flavoured; confirm the intended OS
# scope and state it here so "technology-neutral" is not read too literally.

# Schema version of this document. Quoted on purpose: a future "1.10" would
# otherwise be parsed as the float 1.1.
version: "1.0"

# Node group this baseline targets; "all" means every managed node.
applies_to: all # override per node group if needed
# ---------------------------------------------------------------------------
# Firewall
# ---------------------------------------------------------------------------
# Host firewall policy: default-deny inbound, allow outbound, plus an explicit
# allow-list of inbound ports. A rule carries only name/port/proto/action —
# this schema has no source-address field, so every listed port is reachable
# from any address that can reach the node at all.
firewall:
  engine: ufw
  status: active
  default_incoming: deny
  default_outgoing: allow
  rules:
    # Management access; the ssh: section below governs how it authenticates.
    - name: SSH
      port: 22
      proto: tcp
      action: allow
    # Kubernetes API server (k3s). NOTE(review): open to all sources. Even
    # though the API authenticates its clients it is a large attack surface;
    # consider adding a source/`from` field to the rule schema and limiting
    # this to admin and node ranges — TODO confirm the Ansible role can
    # express a source CIDR before extending the schema.
    - name: k3s-api
      port: 6443
      proto: tcp
      action: allow
    # Flannel VXLAN overlay between cluster nodes. NOTE(review): this traffic
    # only needs to flow node-to-node; exposing 8472/udp to every source is
    # wider than required — same source-restriction caveat as above.
    - name: flannel-vxlan
      port: 8472
      proto: udp
      action: allow
# ---------------------------------------------------------------------------
# SSH daemon
# ---------------------------------------------------------------------------
# sshd_config directives the convergence role must enforce. Values are the
# literal sshd tokens ("yes"/"no") and are deliberately quoted: unquoted
# yes/no would become YAML booleans and might be rendered as True/False,
# which sshd does not accept. Net effect: no root login, no passwords,
# public-key authentication only.
#
# NOTE(review): the `make status` check described in the commit greps
# sshd_config. On distributions whose sshd_config begins with
# `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there (e.g. one written
# by cloud-init) can set `PasswordAuthentication yes`; sshd keeps the FIRST
# value it reads, so a grep of the main file can pass while the effective
# setting is weaker. Confirm the role also owns or removes conflicting
# drop-ins, or that the Goss suite asserts the effective configuration.
ssh:
  permit_root_login: "no"
  password_authentication: "no"
  pubkey_authentication: "yes"
  # Keyboard-interactive/PAM prompts. NOTE(review): on OpenSSH >= 8.7
  # ChallengeResponseAuthentication is a deprecated alias of
  # KbdInteractiveAuthentication; confirm the role writes the name the target
  # sshd honours and that the Goss check looks for the same spelling.
  challenge_response_authentication: "no"
# ---------------------------------------------------------------------------
# Services
# ---------------------------------------------------------------------------
# Service units that must be enabled at boot AND currently running (names as
# the init system knows them — presumably systemd; confirm). Keep this list
# in step with the firewall:, packages: and security: sections: ufw and
# fail2ban appear in more than one of them.
services:
  # Host firewall engine declared under firewall: above.
  - name: ufw
    enabled: true
    running: true
  # Brute-force protection; its jails are listed under security: below.
  - name: fail2ban
    enabled: true
    running: true
  # NOTE(review): `ssh` is the Debian/Ubuntu unit name (RHEL-family systems
  # call it `sshd`). Fine if only Debian-family nodes are managed — confirm
  # against applies_to / the node inventory.
  - name: ssh
    enabled: true
    running: true
# ---------------------------------------------------------------------------
# Packages
# ---------------------------------------------------------------------------
# Packages that must be present on every node. ufw and fail2ban back the
# firewall: and services: sections; the rest is operator tooling.
# NOTE(review): age and sops are presumably for decrypting secrets on the
# node. If so, the location and permissions of the node's private age key are
# security-relevant and are not covered anywhere in this spec — consider
# adding an explicit check for it.
packages:
  installed:
    - ufw
    - fail2ban
    - git
    - curl
    - vim
    - htop
    - age
    - sops
# ---------------------------------------------------------------------------
# Users
# ---------------------------------------------------------------------------
# Local accounts the role must ensure exist.
users:
  - name: admin
    shell: /bin/bash
    # NOTE(review): NOPASSWD sudo combined with key-only SSH (ssh: section)
    # means possession of any authorized key for this account is equivalent
    # to root on every node. The authorized keys themselves are not listed in
    # this spec — confirm where they come from and that the Goss suite asserts
    # the expected key set, not merely that key authentication is enabled.
    sudo: passwordless # NOPASSWD:ALL in /etc/sudoers.d/
    ssh_key_auth: true
# ---------------------------------------------------------------------------
# Security baseline
# ---------------------------------------------------------------------------
security:
  # Bash HISTCONTROL: commands typed with a leading space are not written to
  # history, so secrets passed on the command line (passphrases, tokens) can
  # be kept out of ~/.bash_history. Set system-wide via /etc/profile.d/.
  # NOTE(review): a user's own ~/.bashrc can still override it, so treat this
  # as a convenience, not an enforced control — confirm what the Goss test
  # asserts (file content vs. the effective value in a login shell).
  histcontrol: ignorespace # set in /etc/profile.d/
  # fail2ban jails that must be active. `sshd` bans sources that repeatedly
  # fail authentication against the ssh service declared under services:.
  fail2ban_jails:
    - sshd