ADDED Requirements
Requirement: Ansible inventory defines relay and landing server groups
The inventory SHALL define two host groups: relay and landing, each containing the respective server's connection details (IP, SSH user, SSH key).
Scenario: Inventory is valid
- WHEN the inventory file is parsed by Ansible
- THEN two groups, relay and landing, are available, each with at least one host
Requirement: Base packages are installed on all servers
The base role SHALL install essential packages: curl, wget, vim, htop, unzip, ufw, fail2ban, unattended-upgrades.
Scenario: Fresh server provisioning
- WHEN the base role runs on a fresh Ubuntu/Debian server
- THEN all listed packages are installed and available
Requirement: SSH is hardened
The base role SHALL configure SSH to disable password authentication, disable root login, and only allow key-based authentication.
Scenario: SSH hardening applied
- WHEN the base role completes
- THEN /etc/ssh/sshd_config has PasswordAuthentication no, PermitRootLogin no, and PubkeyAuthentication yes
- THEN the sshd service is restarted
Requirement: UFW firewall is configured with default deny
The base role SHALL enable UFW with a default deny incoming policy and allow SSH (port 22).
Scenario: Firewall base rules
- WHEN the base role completes
- THEN UFW is active with default deny incoming
- THEN SSH port 22 is allowed
Scenario: Proxy ports are allowed per server role
- WHEN the base role runs on a relay server
- THEN the relay proxy port is allowed through UFW
- WHEN the base role runs on a landing server
- THEN both the chained and direct proxy ports are allowed through UFW
Requirement: fail2ban protects SSH
The base role SHALL configure fail2ban to monitor SSH login attempts and ban IPs after repeated failures.
Scenario: fail2ban is active
- WHEN the base role completes
- THEN fail2ban is running with an SSH jail enabled
Requirement: Automatic security updates are enabled
The base role SHALL enable unattended-upgrades for security patches.
Scenario: Unattended upgrades configured
- WHEN the base role completes
- THEN unattended-upgrades is configured to auto-install security updates