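# Goss baseline assertions for railiance managed nodes
# Derived from spec/server-baseline.yaml — keep in sync.
# Run: goss -g /etc/goss/baseline.yaml validate
#
# Pattern syntax: goss treats a value as a regular expression only when it
# both starts and ends with "/" (Go RE2 syntax, evaluated line by line).
# Anything else is a literal substring, so flags must be written inline,
# e.g. (?i), never after the closing slash.

# Packages that must be present on every managed node.
package:
  ufw:
    installed: true
  fail2ban:
    installed: true
  git:
    installed: true
  curl:
    installed: true
  vim:
    installed: true
  htop:
    installed: true
  age:
    installed: true
  sops:
    installed: true

# Services that must be enabled at boot and running now.
service:
  ufw:
    enabled: true
    running: true
  fail2ban:
    enabled: true
    running: true
  # NOTE(review): unit name "ssh" is the Debian/Ubuntu spelling — confirm it
  # matches the target distribution.
  ssh:
    enabled: true
    running: true

file:
  # SSH hardening: no root login, no password login, public keys enabled.
  # The original patterns ended in "/i", which goss reads as a literal string
  # instead of a regex; the case-insensitive flag is now inline.
  # NOTE(review): this inspects only the main file. Directives in included
  # drop-ins or Match blocks, or an earlier duplicate of the same keyword,
  # can change the effective setting. Consider also asserting on the output
  # of `sshd -T`, which prints the effective configuration.
  /etc/ssh/sshd_config:
    exists: true
    contains:
      - /(?i)^PermitRootLogin no/
      - /(?i)^PasswordAuthentication no/
      - /(?i)^PubkeyAuthentication yes/

# The administrative account must exist, be in sudo, and use bash.
user:
  admin:
    exists: true
    groups:
      - sudo
    shell: /bin/bash

command:
  # Firewall must be active with the expected ports allowed.
  # Patterns are anchored with ^ so that, for example, a rule for 2222/tcp
  # cannot satisfy the check for 22/tcp.
  # NOTE(review): these patterns accept any source. 6443/tcp and 8472/udp
  # look like the Kubernetes API and VXLAN overlay ports; if so, the spec
  # should restrict 8472/udp to cluster peers — confirm and tighten.
  "ufw status":
    exit-status: 0
    stdout:
      - "Status: active"
      - /^22\/tcp.*ALLOW/
      - /^6443\/tcp.*ALLOW/
      - /^8472\/udp.*ALLOW/

  # Asserts that /etc/sudoers.d/admin mentions NOPASSWD.
  # NOTE(review): a plain grep also matches a commented-out line, so this
  # does not prove the rule is in effect. Passwordless sudo makes the admin
  # login equivalent to root; confirm this is intended by the spec.
  "grep NOPASSWD /etc/sudoers.d/admin":
    exit-status: 0
    stdout:
      - "NOPASSWD"

  # Asserts that some file in /etc/profile.d/ sets HISTCONTROL with
  # ignorespace (commands typed with a leading space stay out of history).
  # NOTE(review): "ignoreboth" would not satisfy this literal match, and
  # shell history is not an audit trail — confirm command auditing is
  # covered elsewhere if it is required.
  "grep -r HISTCONTROL /etc/profile.d/":
    exit-status: 0
    stdout:
      - "ignorespace"

  # The fail2ban sshd jail must be loaded.
  "fail2ban-client status sshd":
    exit-status: 0
    stdout:
      - "Status for the jail: sshd"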