diff --git a/inventories/production/group_vars/offsite_hosts/vars.yml b/inventories/production/group_vars/offsite_hosts/vars.yml
index aa17d71..df8724f 100644
--- a/inventories/production/group_vars/offsite_hosts/vars.yml
+++ b/inventories/production/group_vars/offsite_hosts/vars.yml
@@ -1,6 +1,8 @@
 ---
 # Off-site hosts (askari). askari runs the NetBird coordinator AND is a mesh peer
-# (ADR-016, M5) — enrol the agent via base's `mesh` concern. Enrollment only; the
-# host firewall default-deny + moving askari's SSH onto wt0 stay deferred to the
-# mesh-hardening follow-on.
+# (ADR-016, M5). Mesh-hardening 1/3 (2026-06-17): SSH is moved onto wt0 — sshd binds the
+# mesh IP only (base__ssh_listen_mesh_only) and the base nftables default-deny applies
+# (base__firewall_apply defaults true; SSH allowed on wt0 via base__firewall_mgmt_interface,
+# public services via the catalog). base__mesh_enabled stays true (precondition from M5).
 base__mesh_enabled: true
+base__ssh_listen_mesh_only: true
diff --git a/inventories/production/host_vars/askari.yml b/inventories/production/host_vars/askari.yml
new file mode 100644
index 0000000..9d9f7ac
--- /dev/null
+++ b/inventories/production/host_vars/askari.yml
@@ -0,0 +1,6 @@
+---
+# Manage askari over the NetBird mesh (wt0), not its WAN IP. This OVERRIDES the
+# TF-generated inventories/production/offsite.yml (ansible_host = 77.42.120.136); host_vars
+# outrank the generated inventory and are NOT touched by `make tf-inventory-offsite`.
+# Mesh-hardening 1/3 — once SSH is wt0-only, the WAN IP is no longer reachable for SSH.
+ansible_host: 100.99.226.39 # askari's wt0 address (NetBird, M5)
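Review bot: `base__ssh_listen_mesh_only: true` makes askari's only SSH path depend on NetBird running on askari, and the comment directly above it says askari is also the NetBird coordinator — so a coordinator or agent failure on this host (upgrade, bad config, wt0 not yet up when sshd starts) severs the path you would use to repair it. The header comment should record the break-glass route and the boot-order assumption rather than leaving both implicit, e.g. `# Break-glass: askari hosts the coordinator, so a NetBird failure here also severs SSH — recover via the provider console; sshd must start after wt0 is up or binding the mesh IP fails.` It would also be worth stating the firewall precondition explicitly as `base__firewall_apply: true` instead of relying on the role default the comment cites, so a later change to that default cannot silently widen exposure. Whether the base role orders sshd after the NetBird unit, and whether it implements mesh-only via ListenAddress, is outside this hunk and should be confirmed before relying on this.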
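Review bot: Switching `ansible_host` from the WAN IP to `100.99.226.39` changes the address SSH host-key trust is keyed on, so if the controller's known_hosts is indexed by address the first run over wt0 is a fresh trust-on-first-use for askari — inside a mesh that is exactly the moment a spoofed peer could be accepted. Pin the identity to a stable name independent of the address, e.g. `ansible_ssh_common_args: '-o HostKeyAlias=askari -o StrictHostKeyChecking=yes'`, with askari's existing host key stored under that alias before the cutover. The override also hardcodes a value the generated inventory cannot refresh: since the comment says `make tf-inventory-offsite` leaves host_vars untouched, a re-enrolled peer with a new wt0 address silently strands this file, so a comment naming where the canonical wt0 address lives (or a check that this value still matches it) would help. Whether the controller already disables host-key checking globally is not visible here.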