diff --git a/docs/decisions/015-control-host.md b/docs/decisions/015-control-host.md index 8393ab6..4e3527f 100644 --- a/docs/decisions/015-control-host.md +++ b/docs/decisions/015-control-host.md @@ -63,14 +63,15 @@ Manual, on bare metal: 1. Install Debian 13 on the box (one-time, by hand). 2. `git clone` the repo; `make setup`; `make collections`; set up `rbw` + unlock. -3. Join the mesh VPN (choice deferred — see below). +3. Join the mesh VPN — NetBird, self-hosted on `askari` (ADR-016). 4. From then on `ubongo` manages every other host normally; Ansible manages *it* for baseline config via the `control` group (`base` role only). ### Access & security -- Remote access is via the **mesh VPN** (choice deferred). SSH to `ubongo` over the - mesh; nothing is published to the public internet — this stays inside ADR-002. +- Remote access is via the **mesh VPN** — NetBird, self-hosted on `askari` (ADR-016). + SSH to `ubongo` over the mesh; nothing is published to the public internet — this + stays inside ADR-002. - `ubongo` runs the `base` role: SSH hardening, nftables default-deny, fail2ban, auditd, unattended-upgrades. Inbound SSH is allowed **only on the mesh interface**, denied on the physical NIC. 
@@ -109,10 +110,9 @@ master password. ## Deferred (separate specs / discussions) -1. **Mesh VPN choice** — Tailscale vs NetBird, hosted vs self-hosted. Recovery - dimension: a hosted coordinator keeps the mesh up when the cluster is down; a - self-hosted coordinator must live off-cluster (on `ubongo`), never on the fleet, - or it recreates the chicken-and-egg. +1. **Mesh VPN choice — RESOLVED (ADR-016):** NetBird, self-hosted on `askari` + (off-site, so it survives a homelab outage and stays out of the cluster it + administers). Replaces ADR-007's OPNsense WireGuard. 2. **Browser-E2E verification harness** — Playwright/headless-Chromium, test-user generation, screenshot-back-to-Claude, and the new ADR-008 level. 3. **`rbw` offline-cache verification** — confirm offline decryption before relying
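Review bot: In the first hunk, step 4 still says `ubongo` manages "every other host" over the mesh, but the new step 3 makes `askari` the host that provides that mesh, so managing `askari` from `ubongo` now depends on `askari` already being up and healthy; the "Access & security" bullets should say whether `askari` is excluded from mesh-dependent management or how it is reached when the coordinator is down. The "Join the mesh VPN" step should also record how enrolment is authorised for a self-hosted NetBird (setup key or SSO) and where that secret lives, since the surrounding steps already spell out `rbw` + unlock for the other secrets, and the nftables "only on the mesh interface" rule should name the interface the `base` role matches on now that the choice is no longer deferred.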
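Review bot: In the second hunk, item 1 is marked RESOLVED but stays in the "Deferred" list; move it to a resolved/superseded note and renumber items 2 and 3 so the list only holds open items. The replaced text carried a recovery argument (hosted coordinator keeps the mesh up when the cluster is down; a self-hosted one must live off-cluster) and the new text only says `askari` "survives a homelab outage"; it should also state what happens when `askari` itself is down, because with nothing published to the public internet (ADR-002) that is the single path to `ubongo`. "Replaces ADR-007's OPNsense WireGuard" should be reflected in ADR-007 with a superseded-by link to ADR-016.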