
# Railiance Managed Node — Baseline Server Specification
# This file is the authoritative source of truth for the target state of every
# server managed by railiance-hosts. All convergence roles and test assertions
# MUST be derivable from this document.
#
# When you change something here, update the Ansible roles AND the Goss tests in the
# same change: a spec entry with no converging role and no test is a claim that nothing
# enforces.
# Format: human-readable YAML. Kept as technology-neutral as the target state allows —
# engine and unit names (ufw, k3s, ssh.socket) appear only where the state cannot be
# described without them.
# Schema version of this spec. Quoted so "1.0" stays a string ("1.10" would
# otherwise collapse to the float 1.1).
version: "1.0"
# Node-group selector. "all" is the whole fleet; narrow per node group when a
# group needs its own baseline.
applies_to: "all"
# ---------------------------------------------------------------------------
# Firewall
# ---------------------------------------------------------------------------
firewall:
  engine: ufw
  status: active
  # Default-deny inbound, allow-all outbound. Egress is unrestricted, so this
  # baseline does nothing to limit what a compromised node or pod can reach.
  default_incoming: deny
  default_outgoing: allow
  # ufw applies rules in order; keep this list in the order it should take
  # effect. None of these rules carries a source restriction, so every listed
  # port is reachable from any address that can route to the node.
  rules:
    # UFW app profile (expected to ship with openssh-server); resolves to
    # 22/tcp. Note it opens 22 regardless of where ssh.socket actually
    # listens — if the SSH port is ever moved, this rule must change too.
    - name: OpenSSH # UFW app name; resolves to 22/tcp
      action: allow
    # Kubernetes API server. Open to the world as written; whether it should
    # be limited to admin/CI source ranges cannot be expressed in this spec
    # yet (a per-rule source field would be needed) — confirm with the
    # cluster owners.
    - name: k3s-api
      port: 6443
      proto: tcp
      action: allow
    # Flannel VXLAN overlay. VXLAN carries pod traffic with no authentication
    # or encryption, so an unrestricted 8472/udp lets any host that can reach
    # it inject or sniff pod-network frames. This is the rule most worth
    # restricting to the node/peer network once the spec can state a source.
    - name: flannel-vxlan
      port: 8472
      proto: udp
      action: allow
# ---------------------------------------------------------------------------
# SSH daemon
# ---------------------------------------------------------------------------
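ssh:
  # Values are sshd_config words and are quoted on purpose: bare yes/no would
  # be read as YAML booleans by most loaders and then rendered as True/False.
  permit_root_login: "no"
  password_authentication: "no"
  pubkey_authentication: "yes"
  # ChallengeResponseAuthentication is a deprecated alias of
  # KbdInteractiveAuthentication (OpenSSH >= 8.7; Ubuntu 24.04 ships 9.6).
  # The keyboard-interactive keyword is the one that matters: with UsePAM in
  # effect (the Ubuntu default), leaving it on lets PAM prompt for a password
  # even though PasswordAuthentication is "no". The old name is kept so any
  # role or test that still checks it keeps working.
  challenge_response_authentication: "no"
  kbd_interactive_authentication: "no"
  # Hardening is applied via drop-in: /etc/ssh/sshd_config.d/10-hardening.conf
  # The cloud image default sshd_config is left in place. sshd keeps the FIRST
  # value it reads for each keyword, and the stock Ubuntu config Includes
  # sshd_config.d/*.conf near its top (verify on the image), so the drop-in
  # only wins while it sorts before any other drop-in that sets the same
  # keyword — cloud-init's 50-cloud-init.conf is the usual one. Keep the
  # "10-" prefix; renaming the file can silently re-enable password auth.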
# ---------------------------------------------------------------------------
# Services
# ---------------------------------------------------------------------------
services:
  # Every unit listed here must be both enabled at boot and active now.
  - name: ufw
    running: true
    enabled: true
  - name: fail2ban
    running: true
    enabled: true
  # Ubuntu 24.04 socket-activates sshd: ssh.service is disabled by design and
  # is started on demand by ssh.socket, so the socket is the unit to assert
  # on. Consequence worth knowing: the listening address/port then come from
  # the socket unit's ListenStream, not from Port/ListenAddress in
  # sshd_config — moving the port needs a systemd drop-in for ssh.socket
  # (verify against the image's unit file).
  - name: ssh.socket
    running: true
    enabled: true
# ---------------------------------------------------------------------------
# Packages
# ---------------------------------------------------------------------------
packages:
  # Distribution packages, installed via apt.
  installed:
    - ufw
    - fail2ban
    - git
    - curl
    - vim
    - htop
  # Installed to /usr/local/bin/ by the sops_agent role, not via apt.
  # NOTE(review): these bypass apt's signature checks, so the role — not this
  # spec — is the only place their version and integrity get pinned. Confirm
  # the role verifies each download against a recorded SHA-256 (or the
  # upstream release signature) rather than trusting a bare URL, and that a
  # version bump is a deliberate, reviewed change.
  binaries:
    - age
    - sops
# ---------------------------------------------------------------------------
# Users
# ---------------------------------------------------------------------------
users:
  # Operator/automation account. NOPASSWD:ALL plus key-only SSH means whoever
  # holds this account's private key is effectively root on every managed
  # node — treat the key with root-credential care. The authorized key(s)
  # themselves are not pinned in this spec; presumably the role pulls them
  # from inventory — verify where they come from.
  - name: tegwick
    ssh_key_auth: true
    # NOPASSWD:ALL via /etc/sudoers.d/tegwick — NOT via sudo group. The role
    # should write that file 0440 and validate it (visudo -cf) before
    # installing; a syntax error there locks sudo for everyone.
    sudo: passwordless
    shell: /bin/bash
# ---------------------------------------------------------------------------
# Security baseline
# ---------------------------------------------------------------------------
security:
histcontrol: ignorespace # set in /etc/profile.d/
fail2ban_jails:
- sshd