---
# Integration overlay (ADR-025): the askari mesh-hardening REDESIGN (2026-06-19).
# Exercises INPUT-only default-deny on a Docker host: input policy drop,
# forward policy accept (Docker-safe), SSH through the admin-addr break-glass,
# and survival across a reboot.
# NOTE(review): with forward policy accept, forwarded traffic is not subject to
# the input drop policy. Docker-published container ports are normally reached
# through the forward path, so confirm they are restricted by separate rules.
integration_profile: 'askari_inputonly'

base__firewall_apply: true
base__firewall_input_only: true

# sshd ListenAddress is left unchanged: never wt0-only in a throwaway VM.
base__ssh_listen_mesh_only: false

# Isolated VM: never touch the real mesh.
base__mesh_enabled: false

# Non-mesh SSH break-glass = the admin-addr path the real design uses. It points
# at the VM's libvirt-NAT gateway (where the harness connects from) and matches
# by source IP, so it is interface-independent and neither the default-deny nor
# the reboot locks out the driver. This mirrors askari's real
# base__firewall_admin_addrs (ubongo's WAN) in the test topology.
# NOTE(review): a source-IP allow trusts whatever arrives from that address;
# behind libvirt NAT that is presumably any host-side process. Keep this value
# confined to the test overlay and treat SSH authentication as the real access
# control.
base__firewall_admin_addrs:
  - '192.168.150.1'