feat: implement WP-0002 — Goss test suite, verify playbook, and ADR-002
- goss/baseline.yaml: assertions for all spec/server-baseline.yaml items
(packages, services, SSH config, UFW rules, admin user, fail2ban, HISTCONTROL)
- goss/vars/baseline-vars.yaml: parameterised ports and paths
- ansible/roles/goss/: installs Goss binary (v0.4.9), deploys tests,
runs assertions in TAP format, fetches report to reports/
- ansible/playbooks/verify.yaml: playbook wrapping the goss role
- Makefile: add 'make verify' target; update 'make status' with hint
- docs/adr/ADR-002: formal repo boundary — railiance-hosts vs railiance-bootstrap
- workplans/RAIL-HO-WP-0002: registered workstream 8fed53c2, T03–T06 done
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 12:38:48 +01:00

# Goss baseline assertions for railiance managed nodes
# Derived from spec/server-baseline.yaml — keep in sync.
# Run: goss -g /etc/goss/baseline.yaml validate

package:
  ufw:
    installed: true
  fail2ban:
    installed: true
  git:
    installed: true
  curl:
    installed: true
  vim:
    installed: true
  htop:
    installed: true
  # age and sops are binary installs, not apt packages — checked via command below

service:
  ufw:
    enabled: true
    running: true
  fail2ban:
    enabled: true
    running: true
  # Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
  # ssh.socket keeps it running. Assert the socket is enabled.
  ssh.socket:
    enabled: true
    running: true

file:
  /etc/ssh/sshd_config.d/10-hardening.conf:
    exists: true
    # Bare strings are per-line substring matches (only /.../ entries are
    # regexes), so a commented-out "#PermitRootLogin no" would also satisfy
    # these. This checks the deployed drop-in, not the effective sshd config.
    contents:
      - "PermitRootLogin no"
      - "PasswordAuthentication no"
      - "PubkeyAuthentication yes"

user:
  tegwick:
    exists: true
    # sudo access is via /etc/sudoers.d/tegwick (NOPASSWD), not group membership
    shell: /bin/bash

command:
  "ufw status":
    exit-status: 0
    stdout:
      - "Status: active"
      - /OpenSSH.*ALLOW/
      # These match any ALLOW line for the port; the From column is not constrained.
      - /6443\/tcp.*ALLOW/
      - /8472\/udp.*ALLOW/
  "grep NOPASSWD /etc/sudoers.d/tegwick":
    exit-status: 0
    stdout:
      - "NOPASSWD"
  "grep -r HISTCONTROL /etc/profile.d/":
    exit-status: 0
    stdout:
      - "ignorespace"
  "fail2ban-client status sshd":
    exit-status: 0
    stdout:
      - "Status for the jail: sshd"
  "test -x /usr/local/bin/age":
    exit-status: 0
  "test -x /usr/local/bin/sops":
    exit-status: 0
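The `file.contents` assertions above test the text of one drop-in, and a bare string in Goss is a per-line substring match. The script below is an added example for this page, not code from railiance-hosts or from Goss: it resolves the effective sshd setting the way sshd does (first occurrence of a keyword wins, `Include` globs expand in lexical order) over constructed file contents, and shows why a commented-out directive still satisfies the substring form but not an anchored regex. The `50-cloud-init.conf` file and its contents are an assumption about what else lands in `sshd_config.d` on an Ubuntu 24.04 host.

```python
"""Resolve the effective value of sshd directives the way sshd does (the
first occurrence of a keyword wins, Include globs expand in lexical order)
and contrast that with the per-line substring match Goss applies to a
file's `contents`.

Added example for this page, not code from railiance-hosts or Goss. The
file contents below are constructed to resemble an Ubuntu 24.04 host where
cloud-init also drops a file into sshd_config.d; the name 50-cloud-init.conf
and its contents are an assumption.
"""
import fnmatch
import re

# Constructed stand-in for the filesystem: path -> file text.
SSHD_FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "#PermitRootLogin prohibit-password\n"
        "KbdInteractiveAuthentication no\n"
        "UsePAM yes\n"
    ),
    "/etc/ssh/sshd_config.d/10-hardening.conf": (
        "PermitRootLogin no\n"
        "PasswordAuthentication no\n"
        "PubkeyAuthentication yes\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

# What the baseline requires, keyed as sshd_config spells it.
REQUIRED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}


def _directives(path, files):
    """Yield (keyword, value) pairs in the order sshd reads them.

    A line whose first token starts with '#' is a comment. Include is
    expanded in place, with glob matches sorted lexically. Directives after
    a Match line are conditional and skipped (assumption: the baseline only
    cares about the global section).
    """
    in_match = False
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
        elif in_match:
            continue
        elif keyword == "include":
            for inc in sorted(p for p in files if fnmatch.fnmatchcase(p, value)):
                yield from _directives(inc, files)
        else:
            yield keyword, value


def effective_config(files, root="/etc/ssh/sshd_config"):
    """First value seen for each keyword wins, as `sshd -T` would report it."""
    config = {}
    for keyword, value in _directives(root, files):
        config.setdefault(keyword, value)
    return config


def baseline_holds(files, required=REQUIRED):
    """Map each required directive to whether the effective config matches."""
    effective = effective_config(files)
    return {key: effective.get(key.lower()) == val for key, val in required.items()}


def goss_contents_match(text, expected):
    """Goss `contents` / `stdout` semantics: an entry written as /.../ is a
    regex, anything else a substring, each tested against every line."""
    lines = text.splitlines()
    if len(expected) > 1 and expected.startswith("/") and expected.endswith("/"):
        pattern = re.compile(expected[1:-1])
        return any(pattern.search(line) for line in lines)
    return any(expected in line for line in lines)


if __name__ == "__main__":
    print(effective_config(SSHD_FILES))
    print(baseline_holds(SSHD_FILES))
    # A commented-out directive satisfies the substring form ...
    print(goss_contents_match("#PermitRootLogin no\n", "PermitRootLogin no"))
    # ... but not an anchored regex.
    print(goss_contents_match("#PermitRootLogin no\n", "/^PermitRootLogin no$/"))
```

Two things fall out of running it. Renaming the drop-in to sort after `50-cloud-init.conf` flips the effective `PasswordAuthentication` to `yes` while the file-content check still passes, because sshd keeps the first value it sees. And on a real host the robust Goss form is a `command` resource running `sshd -T` with anchored regexes such as `/^permitrootlogin no$/` (`sshd -T` prints keywords in lower case), which tests what the daemon will actually enforce rather than what one file says.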
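The `ufw status` patterns `/6443\/tcp.*ALLOW/` and `/8472\/udp.*ALLOW/` pass for any ALLOW line naming the port, whatever the From column says. The script below is an added example for this page, not code from railiance-hosts or from Goss: it parses constructed `ufw status` output into rules and checks that the cluster ports are allowed only from a given network, failing on `Anywhere`. The 10.0.0.0/24 network and the idea that the spec restricts these ports to it are assumptions; the page only says the ports must be allowed.

```python
"""Parse `ufw status` output and check a port's ALLOW rules against the
source they allow, not only that an ALLOW line exists.

Added example for this page, not code from railiance-hosts or Goss. The
`ufw status` text is constructed; using 10.0.0.0/24 as the network that
should reach 6443/tcp and 8472/udp is an assumption, not something the
page states.
"""
import ipaddress
import re

# Constructed sample of `ufw status` on a node where the cluster ports are
# restricted to the cluster network.
UFW_STATUS_OK = """\
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
6443/tcp                   ALLOW       10.0.0.0/24
8472/udp                   ALLOW       10.0.0.0/24
OpenSSH (v6)               ALLOW       Anywhere (v6)
"""

# Same host, but the API port was opened to the world. The page's pattern
# /6443\/tcp.*ALLOW/ still passes on this output.
UFW_STATUS_OPEN = UFW_STATUS_OK.replace(
    "6443/tcp                   ALLOW       10.0.0.0/24",
    "6443/tcp                   ALLOW       Anywhere",
)

# One rule line: To, Action (optionally with IN/OUT/FWD), From, separated by
# runs of two or more spaces.
_RULE = re.compile(
    r"^(?P<to>\S.*?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s(?:IN|OUT|FWD))?"
    r"\s{2,}(?P<src>\S.*?)\s*$"
)


def parse_ufw_status(text):
    """Return (active, rules); each rule is a dict with to/action/src."""
    lines = text.splitlines()
    active = bool(lines) and lines[0].strip() == "Status: active"
    rules = [m.groupdict() for m in (_RULE.match(l) for l in lines[1:]) if m]
    return active, rules


def _source_within(src, cidr):
    """True if the From column names an address or network inside cidr.
    'Anywhere' in any form never qualifies."""
    if src.startswith("Anywhere"):
        return False
    try:
        net = ipaddress.ip_network(src.split()[0], strict=False)
    except ValueError:
        return False
    allowed = ipaddress.ip_network(cidr, strict=False)
    return net.version == allowed.version and net.subnet_of(allowed)


def allowed_only_from(rules, to, cidr):
    """True if at least one ALLOW rule exists for `to` and every such rule
    restricts From to cidr."""
    matches = [r for r in rules if r["to"] == to and r["action"] == "ALLOW"]
    return bool(matches) and all(_source_within(r["src"], cidr) for r in matches)


def goss_pattern_passes(text, pattern=r"6443/tcp.*ALLOW"):
    """The page's Goss stdout check, for comparison: true on any ALLOW line."""
    return re.search(pattern, text) is not None


def check_cluster_ports(text, cidr="10.0.0.0/24"):
    """Summarise the firewall state the baseline cares about."""
    active, rules = parse_ufw_status(text)
    return {
        "active": active,
        "6443/tcp": allowed_only_from(rules, "6443/tcp", cidr),
        "8472/udp": allowed_only_from(rules, "8472/udp", cidr),
    }


if __name__ == "__main__":
    print(check_cluster_ports(UFW_STATUS_OK))
    print(check_cluster_ports(UFW_STATUS_OPEN), goss_pattern_passes(UFW_STATUS_OPEN))
```

If the spec does restrict these ports, the same narrowing can be expressed in the Goss file itself by matching the From column in the regex, for example `/6443\/tcp\s+ALLOW\s+10\.0\.0\.0\/24/` (network assumed), so that `make verify` fails when a rule is widened to `Anywhere`.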