feat(base): vault setup_key stub + enable mesh on ubongo + askari

vault.netbird.setup_key: CHANGEME (operator mints a reusable scoped key after the
dashboard /setup). base__mesh_enabled: true for control (ubongo) + offsite_hosts
(askari) so the base 'mesh' concern enrols them. Enrollment only — no firewall change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

inventories/production/group_vars/all/vault.yml

@@ -1,70 +1,85 @@
 $ANSIBLE_VAULT;1.1;AES256
-30613536623331613935326162646664303565646530376564343633313431636165626431313264
-3034343032356461306137346162626637663139653033650a346164393839343264633062663030
-34623764363631356239363737393265613961323633316239653032633532623032636632316132
-6633306637653839660a656161643030626562653062303762616162393836383635323461303337
-64336339633161643664306666306530333363653362313731613231396133346433666437346231
-61306232646235396161383634363265623432373737353036656664326630313335313463323462
-65383832313066633539643632326563336438616261623630316230643239323435613337303361
-30383039653531396264613237396138363836616163626366363063383634323335383038386362
-34343064656365336530666435636465393966373434633230373534353261656566656138356636
-35303032396365346136383837633134343037343332393863363832616139633964396638643833
-30323834303737346266383237643530306366653262633131663332613937626632363732613932
-39313864613038356262323465393062636535663138633738376163363930313132323735383565
-66353964633230613266663433313234383961666464636561343364303536306334336536373836
-63363366333136623137346537623230393935656334396565303231663833386338666636663833
-65656633663335316162343438396264663738343861393237353537393432333035393331626566
-31383534623339346338646434613230336566363063333137343636666238303637626637363263
-30663131636634623861623232303031633862343538386232653637613866376231336465393535
-33343164346661626361623136383230393365396636356266656637366537613331343330643532
-30653333346235303338396336303965656232323165643465653235616666636631336633613132
-30316161626236663365613133336430643030323164366563613633666362666239333164306662
-62623163343162373261653332636333373462323635633364356531396538316134356234663861
-33363766343666303135356165626136626164666630386161393062636662383835653731373830
-65653335373664316638376239633137393537343362346535343138656265323836653332616630
-33623938626139343662626639386536626134396663653930373532343865386565356336303334
-35343134323765653764613132656430333362373535613662336234366164313965666362613733
-66626663353030626332326433623734643961646336613937346637333439333731633438336339
-64653537326131623061316239323132663231653863393230653439646266633764633934366563
-63656136376531393761306331383866656338306432333966636166643831323065353866313336
-39636232306362386439663866653238626532316339346432373933316565386265303739663764
-61626337313963363365666438363837353732353938613962303832343639306135363864333536
-64306634303235396163663837323931383031616335396438383636336264346361316439326133
-64363231636434396166343530643037373232386336623433393436356236643938386331376237
-30613164616532356163303430333861613863643132303565346461613433343634353036666638
-33333533646263636362393865633166353962653137353831346366336235326465333436333230
-62633339313364663765613361316264346161356334313866656436643666393631376433313333
-62373361313633663037643038333233346461383732613939343935353635373738326566333838
-37313338336532383938303762303062373138353436626462323439356663626431366563633863
-38636234383164626636633566643963366466666334323131336166623837313933343262323834
-32643134336137616462353862336533653062313664346138383762356663343861386134393361
-63303763346161656465626465666463356631336539333234623931373764323638623331396234
-65333036653131353737376663633134633238666535636661383530333032333466643438333163
-33333231393134393165363036353262323836363965323037396531373865656363366534636263
-34633131616637323432396162646466316166373639313731626364633234393339333333373663
-38363164353262376338333933383732393631626532313861633465646231666335396233376266
-66313165633165313566646266663265633730316330643261373838343665613035373662323365
-35333836336235396237333934653766333732383533373732353633383931323232663731393965
-39623161613131626562663632373031663234656438316363373462316137646236323438663031
-36613666383863623033383231333338613537333565653633616635366463313062613263343938
-31633839376164383261333465326538373439653265373665323063623366616366356138666265
-34666164393165386566346533396638623464383937623539346234303730626463636435333434
-36313466306166333264346533623132306262646538316335343936373862363931303366643765
-65396132306664393435643531646637633939616636663933393138383137633536656362386165
-35653337326537633539626332333565643831633339393866616164653862306333393531336130
-30383561366431303030376436643434643466323562323730633638643663613339386239646562
-31353266386164343832376464303962363665316261383031633534333333333766656530306664
-31633931653231653530343763383738336333323161663031646331333638356233343661656463
-63316234333430643730663661363662373030653730613762663464393937393962373064623631
-38343864313764633737303838616133383636666130396339316138346162386438306664306363
-32333438383033626235656133356335623834656637386633333839343134363137363266636536
-36303235393264653462353833323030333263666464663864623964363738393166613439313639
-62656538343662343665356339326364613032363334376232666434613836346638333464623266
-65346236393161663562323865613437633863396437383233363532396136336534376431613937
-35383231323430323462343861666564663734666564393131313932333831643035303036613430
-30313636613939616336323534636131393761356534306332343735616136333531366339343936
-65393536393636666639633236303234653766306263393237653437353632373430653438633736
-63633139323732653566663062373537376463383439643336383434646533353762623636323031
-65323233306666323630366164366331646632303263333665336432396262383138643432666365
-37633336663362323132646438363832346438653361346438303630636131646638323461376534
-36663333353962636266643336373963623564326366333736393936396333326262
+35346130316664643165636265383537313465363866373430373635613732376235663864313565
+6338396266333865303534643331653531343233343630620a356438386537373663393936626537
+39366363623561383463613262323135643533656132376661636430623530653233316538326435
+6534373734656566310a376533303434616437303339623635633761373136396132303461636665
+63643332653663646532313239656232353461393739393230613934313238363561663431613339
+30343833366661323161323832313537353930623534326230303634303938396330643339376534
+61353038346664396434323765313465343431633337643836636137386137366138653762356233
+37383836386562356236653831363939396132376338623866383139303638616331303563643033
+65643439336264646635313139326663626232363930363764626234306563663435626566386336
+36623535343962656365343638616461623135663663303939336162623035646165653833393639
+38663232306238626136376361343363383866633065356266633439366234373737396136363132
+37316561353739373733373239623466313062386163393836326662386161616538373138393037
+34643363346432666661646637646664326236356130653935343462653731633630613739313662
+66303830336334353665643134396462643862326263316266396239636430303133376335383839
+38336131656333333431646433313232626338656632323162663564383665643939663939333438
+37323764383737343439383764623064633037306131366330323463643162396230353431653262
+33393233353034383761326335366263373232323332306437303634353937323165376665366366
+31613530336161393138376139663839326135316563346263373231633465333430303733333464
+31626630353035356334666631656435383437353235616336353930633330313233363563376238
+35393330353430643965336661356334613062336563333138333634323037333539386365396234
+34303335323863653230393361633764633730643332313233306565373134316236313836313363
+63313362383635376461613665356362666264663634343565343235356436343536316536633231
+35333838633738383639376237386261356637643263633838336635376631626337386634643034
+32613435343061616662613061313065363733613639616161356464636162323131666261346538
+38363630386163333162343263323835313633643531613131393666393037626561666132326235
+33646532393763393633373836623839383466346535346330353462666132333164623238393464
+33343133663838303239333365326464326433393961623233303939333534376232333838663434
+39643330616139373862323062373462393061376461663061366363623637376139353465653130
+36373364626333633964346436653565646466646265623533343235393432366531346435313262
+39316164313537663561313032633330366265316162303536303663333930343763623537663166
+66633866326365636633313233396439393131336462613537323162653135386231633335353236
+38346463663764363365396236383535326562373862353362353637613064393335373433333365
+31643830386262633035343062616665646166386434386538373963643835653762393466386339
+30386531656163616533303361333162666366323139636130303865623530636130306331666261
+31323238353633313436366663373061393564616262653164663736646237336537326139363432
+39343835396538303936613438346239623866643135623761376565393530336136316361636236
+34376439386665653434333131656637343838316533333731343966356237643161383334323765
+35366237363662303666333539666562616439323463383962376337633239326439643131656133
+66643561643630393837313839376434643163393135656630376166333932343739386464323734
+35356565323037633635643430326333316135666666303433616134613135323063366135646435
+38373532313432336637303262373736363062653136663166666139643363343033653065656539
+66646265613361373563613433616362626333376663666432636339653738653530613239386561
+31306261363562343039646564373163623032376561383563663534393162353262646333653534
+62313161316633376530656465323365363730356339643437313463343038623366643162376234
+32363936613564386261626637333562653834623238396465303931356633663664313163643738
+38623864353963663864303665366566396363366532343465666234306164626136373133666435
+39376133343034613430356235666562353737306536376239386562663934633735653165393664
+36353333656439653763366165373636343139336436656531326438363336396161376539623666
+62343235663537366530613163663666303464376538383666326563643763343635303538353762
+35616334653863323462353833343337393961356664363466346530626664303535646331366263
+63333564636163323239663238663663333532356637646331333463343337383830346365386430
+63363730306238323730356562656439636239653133396631623565363762383061613639626537
+63333561383061663632326162373466303761363866653232356137356261663330316333333132
+63373066323265373163643961383666633065316233383235386365636630313735306264623937
+30633762633335353663306263653538313537346532616363653832313563626231346162663333
+37663062613963393366666437393736656231613631663939373365396462303632666332616165
+33383334626634393838623264616662666337386561386465663632623131376163613334653439
+62323262393134636631663338326437663933383330666533316430643039666233366663626236
+63623734653337323335656162643733306239653730613163646639366532363564666532386534
+62343231616163623439303533633461626433303737646437333533356539313662353239313061
+64396537656165393562336261346338383966366661353163656331393837653530646162376565
+37373235323837643430306537633038626363316437303637326666653262383630646332303162
+63316430393861356566393035373864363262653636383233303336366635306362336634373739
+34616234633037393966303134633731656336643837666537333862663038323335633931303234
+37336565643165333762323763323634376533633464633064323363363765653532353637336239
+64303134373535336633356332333033336638616237613037623233643436383062643062613162
+30326133366436636330623565356463653636353665626635636130343365316538663336646266
+33323236643364363561363132373566353638356264353937336336326162363565613035346630
+62353231633262393663663134663830396463313166303563313538376264333934323839633133
+37346535653539613139326131656531333139333930643730616264623330336436306632343639
+33626235316264303561613566383439643665323937383232323239626638303939323732656636
+32633932626239373730336336666132626636303734343766336638643361613633323063663331
+33393135353865313639323332386464626262366131633762633438663832333931346232616630
+34326265306466303063626335396431636366656361326461666562313439613639306365636633
+33343735343666626662363461623135313835323130656262303364366236383562613037363734
+36653962306365343935366534303933643031356463646462663832373738303035366538333061
+39326135396136626437396261363934623464353035363034383961656236386432623238623564
+32613330613535326663383330346631306230363265663164636338313730316639366335313030
+31646163303031356130366330396136313036376239353331303132363766366637363737303861
+65633933613231623664653664646436656261653332613631613033386331663833663230633463
+37653865366466386661323938383262656662666639343464306163663534363062633663663063
+32653131333330393266383165363735323333313339383730633438623861363631323035366534
+65633235636662396166666261353137363163313034383930363330386665656435376139383233
+38386332663263663030

inventories/production/group_vars/control/vars.yml

@@ -11,3 +11,8 @@ dev_env__users:
 # assumes. Manage it as the operator account. Overrides the all-group default for this
 # group only.
 ansible_user: sjat
+
+# ubongo is a NetBird mesh peer (ADR-016, M5) — enrol the agent via base's `mesh` concern.
+# Enrollment only; the host firewall default-deny stays deferred (the mesh-hardening
+# follow-on), so this brings up wt0 without changing SSH exposure.
+base__mesh_enabled: true

inventories/production/group_vars/offsite_hosts/vars.yml

@@ -0,0 +1,6 @@
+---
+# Off-site hosts (askari). askari runs the NetBird coordinator AND is a mesh peer
+# (ADR-016, M5) — enrol the agent via base's `mesh` concern. Enrollment only; the
+# host firewall default-deny + moving askari's SSH onto wt0 stay deferred to the
+# mesh-hardening follow-on.
+base__mesh_enabled: true

roles/base/README.md

@@ -27,3 +27,30 @@ render + validate without applying (used by Molecule).
 - `make test ROLE=base` — Molecule renders + `nft -c` syntax-checks (never applies; it
   shares the host kernel). Enforcement + the apply/rollback path are verified at ADR-008
   Level 2 on staging VMs.
+
+## Mesh enrollment (NetBird agent)
+
+Enrols the host as a NetBird *agent* on the self-hosted mesh (ADR-016): installs the
+pinned `netbird` daemon from the upstream APT repo (keyring in `/etc/apt/keyrings`,
+mirroring the `docker_host` repo idiom) and runs `netbird up` against the coordinator
+with a setup key. Tagged `mesh`.
+
+**Additive only — this concern makes no firewall change.** SSH is already gated to the
+NetBird overlay interface by the `firewall` concern (`base__firewall_mgmt_interface`,
+default `wt0`); enrolling a host simply brings that interface up. No port is opened here.
+
+Enrolment is **opt-in**: `base__mesh_enabled` defaults to `false`, so applying `base` to
+a host not on the mesh is a no-op for this concern. Re-enrolment is guarded on
+`netbird status` reporting `Management: Connected`, so re-runs are idempotent. The setup
+key is sourced from `vault.netbird.setup_key` and passed with `no_log` (it lands on the
+process argv).
+
+### Variables
+
+| Variable                     | Default                              | Purpose |
+|------------------------------|--------------------------------------|---------|
+| `base__mesh_enabled`         | `false`                              | Opt-in switch — include the concern at all. Set per-host/group to enrol. |
+| `base__mesh_manage`          | `true`                               | Test gate — when `false`, skips the live network/daemon tasks (apt install, status check, `netbird up`) so Molecule can exercise the wiring without a coordinator. |
+| `base__mesh_management_url`  | `https://netbird.askari.wingu.me`    | Coordinator (management) URL. |
+| `base__mesh_setup_key`       | `{{ vault.netbird.setup_key }}`      | Enrolment setup key, from vault. |
+| `base__mesh_version`         | `"0.72.4"`                           | Pinned agent version (matches the coordinator). The exact apt version string is confirmed on-host at deploy. |

roles/base/defaults/main.yml

@@ -20,3 +20,13 @@ base__fail2ban_bantime: 1h
 base__fail2ban_findtime: 10m
 # base__ssh_authorised_keys lives in group_vars/all/vars.yml (per-person control keys).
 base__ssh_authorised_keys: []
+
+# NetBird mesh agent enrollment (ADR-016). Opt-in: default off so applying `base` to a
+# host not on the mesh is a no-op for this concern. The live actions (apt install over
+# the network, `netbird up` against the coordinator) are additionally gated by
+# base__mesh_manage so Molecule can exercise the wiring without a coordinator.
+base__mesh_enabled: false
+base__mesh_manage: true
+base__mesh_management_url: "https://netbird.askari.wingu.me"
+base__mesh_setup_key: "{{ vault.netbird.setup_key }}"
+base__mesh_version: "0.72.4"   # match the coordinator; exact apt pin confirmed on-host at deploy

roles/base/molecule/default/converge.yml

@@ -6,6 +6,11 @@
   vars:
     base__firewall_apply: false
     base__firewall_control_addr: 10.10.0.99   # test control-node LAN address
+    # Exercise the mesh concern's include path with the live actions gated off, so it
+    # runs hermetically (no coordinator/key needed) and must be a clean no-op.
+    base__mesh_enabled: true
+    base__mesh_manage: false
+    base__mesh_setup_key: "dummy-molecule-key"
     firewall_zones:
       lan: 10.30.0.0/24
       srv: 10.20.0.0/24

roles/base/molecule/default/verify.yml

@@ -57,3 +57,16 @@
     - name: Fail2ban sshd jail configured
       ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
       changed_when: false
+
+    # mesh concern: enabled but manage=false must be a clean no-op (no install/enrol)
+    - name: Check whether netbird got installed
+      ansible.builtin.command: which netbird
+      register: _nb
+      changed_when: false
+      failed_when: false
+    - name: Assert mesh manage=false installed nothing
+      ansible.builtin.assert:
+        that:
+          - _nb.rc != 0
+        fail_msg: "netbird must not be installed when base__mesh_manage is false"
+        success_msg: "mesh concern is a clean no-op under manage=false"

roles/base/tasks/main.yml

@@ -22,3 +22,11 @@
     apply:
       tags: [hardening]
   tags: [hardening]
+
+- name: NetBird mesh enrollment
+  ansible.builtin.include_tasks:
+    file: mesh.yml
+    apply:
+      tags: [mesh]
+  when: base__mesh_enabled | bool
+  tags: [mesh]

roles/base/tasks/mesh.yml

@@ -0,0 +1,66 @@
+---
+# NetBird agent enrollment (ADR-016). Additive only — no firewall change here.
+- name: Install NetBird apt prerequisites
+  ansible.builtin.apt:
+    name: [ca-certificates, curl, gnupg]
+    state: present
+    update_cache: true
+  when: base__mesh_manage | bool
+  tags: [mesh]
+
+- name: Ensure /etc/apt/keyrings exists
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: "0755"
+  when: base__mesh_manage | bool
+  tags: [mesh]
+
+- name: Add the NetBird APT GPG key
+  ansible.builtin.get_url:
+    url: https://pkgs.netbird.io/debian/public.key
+    dest: /etc/apt/keyrings/netbird.asc
+    mode: "0644"
+  when: base__mesh_manage | bool
+  tags: [mesh]
+
+- name: Add the NetBird APT repository
+  ansible.builtin.apt_repository:
+    repo: >-
+      deb [signed-by=/etc/apt/keyrings/netbird.asc]
+      https://pkgs.netbird.io/debian stable main
+    filename: netbird
+    state: present
+  when: base__mesh_manage | bool
+  tags: [mesh]
+
+# The apt pin string can't be confirmed from docs — it might be a bare "0.72.4" or
+# carry a packaging suffix. The live deploy task confirms the exact on-host string.
+- name: Install the NetBird agent (pinned)
+  ansible.builtin.apt:
+    name: "netbird={{ base__mesh_version }}"
+    state: present
+    update_cache: true
+  when: base__mesh_manage | bool
+  tags: [mesh]
+
+- name: Check current NetBird connection status
+  ansible.builtin.command: netbird status
+  register: _netbird_status
+  changed_when: false
+  failed_when: false
+  when: base__mesh_manage | bool
+  tags: [mesh]
+
+- name: Enrol this host in the mesh
+  ansible.builtin.command: >-
+    netbird up
+    --management-url {{ base__mesh_management_url }}
+    --setup-key {{ base__mesh_setup_key }}
+  register: _netbird_up
+  changed_when: _netbird_up.rc == 0
+  when:
+    - base__mesh_manage | bool
+    - "'Management: Connected' not in (_netbird_status.stdout | default(''))"
+  no_log: true   # setup key is on the argv
+  tags: [mesh]

tests/tags.yml

@@ -20,6 +20,7 @@ concerns:
   - config       # render templated config/compose files to disk — no restart
   - deploy       # bring services up / restart (compose up -d)
   - proxy        # reverse-proxy + TLS registration (Caddy routes, Authentik)
+  - mesh         # NetBird agent enrollment (ADR-016)
 
 # Ansible built-in special tags. Narrow use only:
 #   always — cheap preflight assertions (run regardless of --tags)