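---
# Integration-test overlay for the "ubongo" profile (ADR-025).
# Passed to ansible-playbook as extra vars via `-e @<this-file>`.
#
# Exercises mesh-hardening 2/3: base's INPUT-only default-deny on the control node:
#   - input chain: default-deny
#   - forward chain: left permissive (Docker/libvirt-NAT safe)
#   - sshd: no ListenAddress change (so no boot-race)
#
# Test-only values: this overlay targets a throwaway VM and is not a production profile.
integration_profile: ubongo

base__firewall_apply: true
# INPUT-only mode: the forward chain renders `policy accept`, so forwarded traffic is
# not filtered by this profile.
base__firewall_input_only: true

# Two representative LAN sources. The multi-entry list (like ubongo's) exercises the
# admin-addr loop. These entries are only exercised; the harness does not depend on
# them for access.
base__firewall_admin_addrs:
  - "192.168.150.98"
  - "192.168.150.99"

# Never wt0-only; never touch the real mesh from a throwaway VM.
base__ssh_listen_mesh_only: false
base__mesh_enabled: false

# Allow SSH from the libvirt-NAT gateway (where the driver/ansible connect from) so the
# default-deny apply + the reboot don't lock out the harness. Matched by source IP, so
# it is interface-independent. This is the harness's lifeline.
# NOTE(review): lockout protection depends on this value matching the address the
# harness actually connects from; confirm against the libvirt network definition
# whenever that network is renumbered.
base__firewall_control_addr: "192.168.150.1"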