--- # Manage askari over the NetBird mesh (wt0). Overrides the TF-generated WAN `ansible_host` # in offsite.yml (host_vars are NOT regenerated by tf_to_inventory.py). The WAN :22 path # (Hetzner Cloud Firewall + base__firewall_admin_addrs = ubongo's WAN) stays as the # break-glass; the Hetzner web console is the IP-independent ultimate fallback. # Spec: docs/superpowers/specs/2026-06-19-mesh-hardening-askari-redesign-design.md ansible_host: 100.99.226.39