boma/roles/base/defaults/main.yml

---
# Host firewall (nftables) behaviour knobs. Shared topology (firewall_catalog/
# firewall_zones) lives in group_vars/all, not here. See docs/decisions/020-firewall.md.
base__firewall_mgmt_interface: wt0   # SSH accepted only on this iface (NetBird, ADR-016)
base__firewall_control_addr: ""      # control-node LAN address (ubongo); SSH allowed from it
                                     # as the guaranteed-management-plane `ssh-from-control`
                                     # source (ADR-021). Empty = no rule. Set in group_vars
                                     # once ubongo exists.
base__firewall_ssh_port: 22
base__firewall_rollback_timeout: 45  # seconds before the auto-revert fires on a bad apply
base__firewall_confirm_timeout: 20   # seconds to re-establish a fresh connection post-apply
base__firewall_dropin_dir: /etc/nftables.d
base__firewall_apply: true           # set false to render+validate without applying (CI/Molecule)
base__firewall_input_only: false     # true → the forward chain is `policy accept` (host-local
                                     # INPUT filtering only). For hosts that forward/route
                                     # container or NAT traffic (the control node's Docker +
                                     # libvirt-NAT) where a forward default-deny would break
                                     # them. Real service hosts keep this false (forward drop).
base__firewall_admin_addrs: []       # extra LAN source IPs allowed to SSH, besides wt0 +
                                     # ssh-from-control. For an operator workstation reaching
                                     # the host over the LAN (no mesh). Key-gated. (ADR-021)

# SSH hardening + fail2ban (ADR-002) — `hardening` concern.
base__ssh_password_authentication: "no"
base__ssh_permit_root_login: "no"
base__fail2ban_maxretry: 5
base__fail2ban_bantime: 1h
base__fail2ban_findtime: 10m
# base__ssh_authorised_keys lives in group_vars/all/vars.yml (per-person control keys).
base__ssh_authorised_keys: []

# SSH listen-on-mesh (mesh-hardening 1/3, ADR-016/021). Opt-in: when true, sshd binds
# ListenAddress to this host's mesh IP only (not the WAN). The IP comes from the live wt0
# fact (ansible_facts.wt0.ipv4.address); base__ssh_listen_addr overrides it. ip_nonlocal_bind
# lets sshd bind the mesh IP before wt0 exists at boot. Fails closed: the play asserts a
# non-empty address rather than silently listening on all interfaces.
base__ssh_listen_mesh_only: false
base__ssh_listen_addr: ""

# The automation/AI-worker user granted passwordless sudo (ADR-015 amended / ADR-021).
# Empty = no AI-worker sudo. Set per-group (e.g. group_vars/control: claude). The user's
# password should be locked so NOPASSWD is its only sudo path; actions are auditd-attributed.
base__ai_worker_user: ""

# NetBird mesh agent enrollment (ADR-016). Opt-in: default off so applying `base` to a
# host not on the mesh is a no-op for this concern. The live actions (apt install over
# the network, `netbird up` against the coordinator) are additionally gated by
# base__mesh_manage so Molecule can exercise the wiring without a coordinator.
base__mesh_enabled: false
base__mesh_manage: true
base__mesh_management_url: "https://netbird.askari.wingu.me"
base__mesh_setup_key: "{{ vault.netbird.setup_key }}"
base__mesh_version: "0.72.4"   # match the coordinator; exact apt pin confirmed on-host at deploy

# DNS-resilience (ADR-016 availability / accepted-risk R8): when set to the coordinator's
# stable IP, pin the coordinator FQDN (derived from base__mesh_management_url) in /etc/hosts
# so a managed mesh host survives a local-DNS hiccup (the 2026-06-18 incident class). Empty
# = no pin. The coordinator host itself (askari/offsite_hosts) is exempt — leave it empty.
base__mesh_coordinator_pin: ""