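# offsite environment — non-secret values. Copy to terraform.tfvars and fill in.
#
# Secret is exported as an env var (never in this file); the make tf-* targets do this
# automatically for TF_ENV=offsite, sourcing vault.hetzner.token:
#   export TF_VAR_hcloud_token="...from vault.hetzner.token..."
#
# State is local (see backend.tf). Terraform state can record resource attributes in
# plaintext, so keep the local state file out of version control and readable only by
# the operator account.

# Public half of the Ansible key pair only. The private key never belongs in a
# Terraform variable, in this file, or in state.
ansible_ssh_pubkey = "ssh-ed25519 AAAA... ansible@ubongo"

# The Hetzner Cloud Firewall filters PUBLIC traffic, so this is ubongo's WAN/egress
# IP (the perimeter analog of OPNsense, ADR-020) — NOT its LAN address. Find it with
# `curl -s ifconfig.me` from ubongo. Narrows to the NetBird `wt0` path once M5 lands.
#
# Keep every entry as narrow as possible (/32 for a single host); a wide range such as
# 0.0.0.0/0 here would presumably open SSH to the whole internet. The value below is an
# RFC 5737 documentation address and must be replaced before apply. If ubongo's WAN IP
# is not static, this list needs updating whenever the address changes.
ssh_admin_cidrs = ["203.0.113.10/32"] # placeholder — ubongo's WAN/egress IP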