2026-06-18 12:37:32 +02:00
|
|
|
---
|
|
|
|
|
# Integration-test overlay for the "askari" profile (ADR-025). Passed via `-e @`.
|
|
|
|
|
# Reproduces the 2026-06-17 incident: apply base's nftables default-deny to a Docker host.
|
|
|
|
|
base__firewall_apply: true
|
|
|
|
|
# Keep a break-glass: sshd stays on all interfaces (never wt0-only in a throwaway VM).
|
|
|
|
|
base__ssh_listen_mesh_only: false
|
|
|
|
|
# The VM is isolated; it must never touch the real mesh.
|
|
|
|
|
base__mesh_enabled: false
|
2026-06-18 16:35:15 +02:00
|
|
|
# Allow SSH from the VM's libvirt-NAT gateway (where the driver/ansible connects from),
|
|
|
|
|
# so base's default-deny firewall + the reboot don't lock out the harness. By source IP,
|
|
|
|
|
# so it's interface-independent. Overrides askari's real control addr for the test only.
|
|
|
|
|
base__firewall_control_addr: "192.168.150.1"
|