## ADDED Requirements

### Requirement: Ansible inventory defines relay and landing server groups

The inventory SHALL define two host groups: `relay` and `landing`, each containing the respective server's connection details (IP, SSH user, SSH key).

#### Scenario: Inventory is valid

- **WHEN** the inventory file is parsed by Ansible
- **THEN** two groups `relay` and `landing` are available, each with at least one host

### Requirement: Base packages are installed on all servers

The base role SHALL install essential packages: `curl`, `wget`, `vim`, `htop`, `unzip`, `ufw`, `fail2ban`, `unattended-upgrades`.

#### Scenario: Fresh server provisioning

- **WHEN** the base role runs on a fresh Ubuntu/Debian server
- **THEN** all listed packages are installed and available

### Requirement: SSH is hardened

The base role SHALL configure SSH to disable password authentication, disable root login, and only allow key-based authentication.

#### Scenario: SSH hardening applied

- **WHEN** the base role completes
- **THEN** `/etc/ssh/sshd_config` has `PasswordAuthentication no`, `PermitRootLogin no`, and `PubkeyAuthentication yes`
- **THEN** the sshd service is restarted

### Requirement: UFW firewall is configured with default deny

The base role SHALL enable UFW with a default deny incoming policy and allow SSH (port 22).

#### Scenario: Firewall base rules

- **WHEN** the base role completes
- **THEN** UFW is active with default deny incoming
- **THEN** SSH port 22 is allowed

#### Scenario: Proxy ports are allowed per server role

- **WHEN** the base role runs on a relay server
- **THEN** the relay proxy port is allowed through UFW
- **WHEN** the base role runs on a landing server
- **THEN** both the chained and direct proxy ports are allowed through UFW

### Requirement: fail2ban protects SSH

The base role SHALL configure fail2ban to monitor SSH login attempts and ban IPs after repeated failures.

#### Scenario: fail2ban is active

- **WHEN** the base role completes
- **THEN** fail2ban is running with an SSH jail enabled

### Requirement: Automatic security updates are enabled

The base role SHALL enable unattended-upgrades for security patches.

#### Scenario: Unattended upgrades configured

- **WHEN** the base role completes
- **THEN** unattended-upgrades is configured to auto-install security updates
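The requirements above, implemented as one runnable play. This is an added example, not the project's own base role or any code from this spec. It assumes Debian/Ubuntu targets, an inventory that already defines the `relay` and `landing` groups from the first requirement, the `community.general` collection (for the `ufw` module), and constructed values for `relay_proxy_port`, `landing_chained_port` and `landing_direct_port`, since the spec names the ports but not their numbers.

```yaml
# base.yml -- added example of the base role's tasks as a single play.
# Assumes: Debian/Ubuntu hosts, an inventory with `relay` and `landing`
# groups, and the community.general collection (for the ufw module).
---
- name: Base hardening for relay and landing servers
  hosts: relay:landing
  become: true
  vars:
    # Constructed port values; the spec does not name them.
    relay_proxy_port: 8443
    landing_chained_port: 8444
    landing_direct_port: 8445

  tasks:
    - name: Install base packages
      ansible.builtin.apt:
        name: [curl, wget, vim, htop, unzip, ufw, fail2ban, unattended-upgrades]
        state: present
        update_cache: true

    - name: Harden sshd_config (key-only auth, no root login)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s   # refuse to write a config sshd cannot parse
      loop:
        - { key: PasswordAuthentication, value: "no" }
        - { key: PermitRootLogin, value: "no" }
        - { key: PubkeyAuthentication, value: "yes" }
      notify: Restart ssh

    - name: Allow SSH before enabling the firewall (prevents locking yourself out)
      community.general.ufw:
        rule: allow
        port: "22"
        proto: tcp

    - name: Enable UFW with default deny incoming
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming

    - name: Allow the relay proxy port on relay servers
      community.general.ufw:
        rule: allow
        port: "{{ relay_proxy_port }}"
        proto: tcp
      when: "'relay' in group_names"

    - name: Allow the chained and direct proxy ports on landing servers
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop:
        - "{{ landing_chained_port }}"
        - "{{ landing_direct_port }}"
      when: "'landing' in group_names"

    - name: Enable the fail2ban SSH jail
      ansible.builtin.copy:
        dest: /etc/fail2ban/jail.local
        mode: "0644"
        content: |
          [sshd]
          enabled  = true
          port     = ssh
          maxretry = 5
          findtime = 10m
          bantime  = 1h
      notify: Restart fail2ban

    - name: Ensure fail2ban is running and enabled at boot
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

    - name: Enable automatic security updates
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        mode: "0644"
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

  handlers:
    - name: Restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted

    - name: Restart fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted
```

Run it with `ansible-playbook -i inventory.yml base.yml`. Two ordering details matter for the scenarios: the SSH allow rule is written before UFW is enabled, so the default-deny policy never cuts the Ansible session, and `validate` makes `lineinfile` reject any edit that `sshd -t` cannot parse, so the restart handler never fires on a broken config. One caveat when checking the SSH scenario: recent Ubuntu images ship drop-ins under `/etc/ssh/sshd_config.d/` (cloud-init's `50-cloud-init.conf` can set `PasswordAuthentication yes`), and because the `Include` is processed first and sshd keeps the first value it sees, such a drop-in overrides the line in `sshd_config`; verify the effective setting with `sshd -T | grep -i passwordauthentication` rather than by reading the file. Likewise, on Debian 12 without rsyslog there is no `/var/log/auth.log`, and the `sshd` jail needs `backend = systemd` to read the journal.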