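---
# Variables applied to all managed hosts.
# Secrets belong in vault.yml alongside this file — never here.
# Only non-secret values (public keys, addresses, toggles) are set below.

# Ansible connection
# Account and interpreter Ansible uses on every managed host.
# NOTE(review): privilege escalation (become) settings are not defined in
# this file — confirm where they are set and how far this account can go.
ansible_user: ansible
ansible_python_interpreter: /usr/bin/python3

# SSH authorised keys — add one entry per person
# Format: "ssh-ed25519 AAAA... user@host"
# Public keys only; a private key must never be pasted here.
# This file applies to all managed hosts, so every entry is fleet-wide:
# review additions as access grants, not as routine config changes.
# NOTE(review): confirm whether the role consuming this list removes keys
# that are no longer listed; if it only appends, deleting an entry here
# does not revoke that person's access.
base__ssh_authorised_keys:
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSx1TFLJ9H8vCe5ZJSu7MYmAiH0/OC8evloQjGR0Bqw claude@ubongo"

# Timezone
base__timezone: Europe/Copenhagen

# Domain
base__domain: baobab.band
base__internal_zone: boma.baobab.band

# DNS — internal resolvers on srv VLAN
base__dns_servers:
  - 10.20.0.10
  - 10.20.0.11

# NTP
# These are public pool.ntp.org servers, outside the internal network.
# Host time feeds certificate validation and log timestamps, so outbound
# NTP must be permitted and clock drift is worth monitoring.
base__ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org

# Network — srv VLAN (where all managed VMs live)
network__srv_gateway: 10.20.0.1
network__srv_subnet: 10.20.0.0/24

# Services base directory (for Docker Compose deployments)
services__base_dir: /opt/services

# Unattended upgrades — security patches only
base__unattended_upgrades_enabled: true

# Management plane — activates the dormant ssh-from-control firewall rule
# ubongo — legacy V4 addr (ADR-007); ADR-021 ssh-from-control
# A single host address that lies outside network__srv_subnet above, so
# management SSH arrives from another network segment.
# NOTE(review): presumably the rule admits SSH from this source address
# only — confirm in the firewall role. A source-address match is not
# authentication; the authorised keys above remain the access control.
# If ubongo is renumbered, update this value in the same change.
base__firewall_control_addr: "10.20.10.151"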