feat(bootstrap): add HostEurope hardening playbook and workplan
- workplans/RAIL-BS-WP-0002-hosteurope-bootstrap.md: new workplan for Secure Single-Server Bootstrap at HostEurope (repo goal d7092599). T01-T03 done; T04+T05 require ansible on a box with network access to 92.205.62.239 (hosts.ini is gitignored — recreate on new box).
- ansible/harden.yml: new playbook — disables root/password SSH auth, enables UFW (allow 22/tcp 6443/tcp 8472/udp, deny-all default), installs fail2ban with SSH jail, sets HISTCONTROL=ignorespace.
- ansible/bootstrap.yml: import_playbook harden.yml runs before k3s.
- ansible/hosts.ini.example: add [hosteurope] group template.
- QUICKSTART.md: document two-stage bootstrap (harden → k3s).
- CLAUDE.md: add goal_guidance handling to session protocol (needs_workplan + alignment_warnings).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent d83bc1049f
commit 19661ca0c6
6 changed files with 326 additions and 3 deletions
|
|
@ -122,7 +122,9 @@ From your local machine:
|
|||
ansible-playbook -i ansible/hosts.ini ansible/bootstrap.yml
|
||||
```
|
||||
|
||||
This installs prerequisites and sets up a single‑node k3s cluster.
|
||||
This runs in two stages:
|
||||
1. **Harden** — disables root/password SSH login, enables UFW (ports 22/6443/8472), installs fail2ban
|
||||
2. **Bootstrap** — installs base packages and a single‑node k3s cluster
|
||||
|
||||
---
|
||||
|
||||
|
|
|
|||
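Review bot: The "Harden" item in the new two-stage list says root and password SSH login are disabled, but the quickstart does not state the precondition that the inventory user is a non-root account with a working SSH key and sudo; without that, the first run of `ansible-playbook -i ansible/hosts.ini ansible/bootstrap.yml` can lock the operator out of the host. Suggest adding a prerequisite line before the command. The same item lists "ports 22/6443/8472" without protocols, while the commit message gives 22/tcp, 6443/tcp and 8472/udp. Since step 2 describes a single-node cluster, the text should say why 8472/udp (flannel VXLAN in k3s) is opened at all, or the rule should be dropped or limited to peer node addresses.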