feat(integration): askari profile, stub overlay, cert-tier files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/integration/certs/internal.yml

@@ -0,0 +1,2 @@
+---
+reverse_proxy__tls_internal: true

tests/integration/certs/le-prod-wildcard.yml

@@ -0,0 +1,6 @@
+---
+# On-demand only. Records an accepted risk (ADR-025 / accepted-risks.md): the prod
+# Gandi PAT reaches an ephemeral VM and transient TXT records land in the real wingu.me.
+reverse_proxy__tls_internal: false
+reverse_proxy__acme_dns_provider: gandi
+reverse_proxy__acme_ca: ""

tests/integration/certs/le-staging.yml

@@ -0,0 +1,4 @@
+---
+reverse_proxy__tls_internal: false
+reverse_proxy__acme_dns_provider: gandi
+reverse_proxy__acme_ca: "https://acme-staging-v02.api.letsencrypt.org/directory"

tests/integration/overrides/askari.yml

@@ -0,0 +1,8 @@
+---
+# Integration-test overlay for the "askari" profile (ADR-025). Passed via `-e @`.
+# Reproduces the 2026-06-17 incident: apply base's nftables default-deny to a Docker host.
+base__firewall_apply: true
+# Keep a break-glass: sshd stays on all interfaces (never wt0-only in a throwaway VM).
+base__ssh_listen_mesh_only: false
+# The VM is isolated; it must never touch the real mesh.
+base__mesh_enabled: false

tests/integration/profiles/askari.json

@@ -0,0 +1,10 @@
+{
+  "groups": ["offsite_hosts"],
+  "applies": [
+    {"playbook": "site.yml", "tags": ["base"]},
+    {"playbook": "offsite.yml", "tags": ["docker_host", "reverse_proxy"]}
+  ],
+  "extra_vars_files": ["overrides/askari.yml"],
+  "mem_mib": 3072,
+  "vcpus": 2
+}