coulomb/railiance-infra
0
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity
Files
4afc2a0fd66ea81e4a4c62893ead1598f2107cbb
railiance-infra/spec/server-baseline.yaml
Bernd Worsch 4afc2a0fd6 fix: correct Goss test suite to match actual server state 
Fixes found by running make verify against Railiance01:

- Fix playbook_dir paths (ansible/playbooks/ is 2 levels from repo root)
- age/sops are binary installs, not apt packages — use command checks
- Admin user is tegwick, not admin; sudoers at /etc/sudoers.d/tegwick
- sudo granted via sudoers file, not group membership — remove group assert
- Ubuntu 24.04 socket-activates SSH; assert ssh.socket not ssh.service
- SSH hardening lives in sshd_config.d/10-hardening.conf, not main config
- UFW SSH rule uses app name "OpenSSH", not port 22/tcp
- Replace /regex/i patterns with plain strings (Goss file.contents)
- Update spec/server-baseline.yaml to match all findings

All 27 assertions now pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 15:50:06 +00:00

91 lines
2.8 KiB
YAML
Raw Blame History

# Railiance Managed Node — Baseline Server Specification
# This file is the authoritative source of truth for the target state of every
# server managed by railiance-hosts. All convergence roles and test assertions
# MUST be derivable from this document.
#
# When you change something here, update the Ansible roles AND the Goss tests.
# Format: human-readable YAML, kept technology-neutral.
version: "1.0"
applies_to: all # override per node group if needed
# ---------------------------------------------------------------------------
# Firewall
# ---------------------------------------------------------------------------
firewall:
engine: ufw
status: active
default_incoming: deny
default_outgoing: allow
rules:
- name: OpenSSH # UFW app name; resolves to 22/tcp
action: allow
- name: k3s-api
port: 6443
proto: tcp
action: allow
- name: flannel-vxlan
port: 8472
proto: udp
action: allow
# ---------------------------------------------------------------------------
# SSH daemon
# ---------------------------------------------------------------------------
ssh:
permit_root_login: "no"
password_authentication: "no"
pubkey_authentication: "yes"
challenge_response_authentication: "no"
# Hardening is applied via drop-in: /etc/ssh/sshd_config.d/10-hardening.conf
# The cloud image default sshd_config is left in place; the drop-in overrides it.
# ---------------------------------------------------------------------------
# Services
# ---------------------------------------------------------------------------
services:
- name: ufw
enabled: true
running: true
- name: fail2ban
enabled: true
running: true
- name: ssh.socket
enabled: true
running: true
# Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
# triggered on demand by ssh.socket.
# ---------------------------------------------------------------------------
# Packages
# ---------------------------------------------------------------------------
packages:
installed:
- ufw
- fail2ban
- git
- curl
- vim
- htop
binaries:
# Installed to /usr/local/bin/ by the sops_agent role, not via apt
- age
- sops
# ---------------------------------------------------------------------------
# Users
# ---------------------------------------------------------------------------
users:
- name: tegwick
shell: /bin/bash
sudo: passwordless # NOPASSWD:ALL via /etc/sudoers.d/tegwick — NOT via sudo group
ssh_key_auth: true
# ---------------------------------------------------------------------------
# Security baseline
# ---------------------------------------------------------------------------
security:
histcontrol: ignorespace # set in /etc/profile.d/
fail2ban_jails:
- sshd
Reference in New Issue View Git Blame Copy Permalink