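---
# Integration overlay (ADR-025) — the askari mesh-hardening REDESIGN (2026-06-19).
# Validates INPUT-only default-deny on a Docker host: input policy drop, forward policy
# accept (Docker-safe), SSH via the admin-addr break-glass, reboot-survivable.
#
# NOTE(review): this file must keep one key per line. If it is collapsed onto the
# `---` line, everything after the first `#` is a comment and no variable below is set.
integration_profile: askari_inputonly

# Apply the firewall, restricted to the INPUT chain (forward policy stays accept).
# NOTE(review): on a Docker host, traffic to published container ports is typically
# forwarded rather than delivered to INPUT, so an INPUT-only default-deny does not by
# itself restrict those ports — confirm ADR-025 accepts this or covers it elsewhere.
base__firewall_apply: true
base__firewall_input_only: true

# No sshd ListenAddress change — never wt0-only in a throwaway VM.
base__ssh_listen_mesh_only: false

# Isolated VM: never touch the real mesh.
base__mesh_enabled: false

# The non-mesh SSH break-glass = the admin-addr path the real design uses. Point it at the
# VM's libvirt-NAT gateway (where the harness connects from), by source IP so it is
# interface-independent and the default-deny + reboot don't lock out the driver. This
# mirrors askari's real base__firewall_admin_addrs (ubongo's WAN) in the test topology.
#
# NOTE(review): the allow is by source address only, so any connection arriving from the
# NAT gateway address matches it. That is acceptable for an isolated test VM; keep the
# production list as narrow as the real admin path allows.
# NOTE(review): presumably the harness also checks the negative case (SSH from a
# non-admin source is dropped, including after reboot) — verify, since a test that only
# proves the driver can still connect does not prove the default-deny is in effect.
base__firewall_admin_addrs:
  - 192.168.150.1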