boma/inventories/production/host_vars/askari.yml

---
# Manage askari over the NetBird mesh (wt0), not its WAN IP. This OVERRIDES the
# TF-generated inventories/production/offsite.yml (ansible_host = 77.42.120.136); host_vars
# outrank the generated inventory and are NOT touched by `make tf-inventory-offsite`.
# Mesh-hardening 1/3 — once SSH is wt0-only, the WAN IP is no longer reachable for SSH.
ansible_host: 100.99.226.39   # askari's wt0 address (NetBird, M5)
feat(inventory): manage askari over wt0 + enable mesh-only SSH host_vars/askari.yml points ansible_host at the wt0 IP (overriding the generated offsite.yml); offsite_hosts sets base__ssh_listen_mesh_only. Mesh-hardening 1/3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-17 20:49:15 +02:00			`---`
			`# Manage askari over the NetBird mesh (wt0), not its WAN IP. This OVERRIDES the`
			`# TF-generated inventories/production/offsite.yml (ansible_host = 77.42.120.136); host_vars`
			# outrank the generated inventory and are NOT touched by `make tf-inventory-offsite`.
			`# Mesh-hardening 1/3 — once SSH is wt0-only, the WAN IP is no longer reachable for SSH.`
			`ansible_host: 100.99.226.39 # askari's wt0 address (NetBird, M5)`