feat(bootstrap): add HostEurope hardening playbook and workplan

- workplans/RAIL-BS-WP-0002-hosteurope-bootstrap.md: new workplan for
  Secure Single-Server Bootstrap at HostEurope (repo goal d7092599).
  T01-T03 done; T04+T05 require ansible on a box with network access to
  92.205.62.239 (hosts.ini is gitignored — recreate on new box).

- ansible/harden.yml: new playbook — disables root/password SSH auth,
  enables UFW (allow 22/tcp 6443/tcp 8472/udp, deny-all default),
  installs fail2ban with SSH jail, sets HISTCONTROL=ignorespace.

- ansible/bootstrap.yml: import_playbook harden.yml runs before k3s.

- ansible/hosts.ini.example: add [hosteurope] group template.

- QUICKSTART.md: document two-stage bootstrap (harden → k3s).

- CLAUDE.md: add goal_guidance handling to session protocol
  (needs_workplan + alignment_warnings).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
tegwick 2026-03-08 22:50:51 +01:00
parent d83bc1049f
commit 19661ca0c6
6 changed files with 326 additions and 3 deletions

View file

@ -122,7 +122,9 @@ From your local machine:
ansible-playbook -i ansible/hosts.ini ansible/bootstrap.yml
```
This installs prerequisites and sets up a singlenode k3s cluster.
This runs in two stages:
1. **Harden** — disables root/password SSH login, enables UFW (ports 22/6443/8472), installs fail2ban
2. **Bootstrap** — installs base packages and a singlenode k3s cluster
---