---
# Workstation-class control node (ubongo, ADR-015) — developer-environment users.
# The operator and the dedicated AI-worker user both get the dev_env role (dotfiles,
# zsh/tmux/nvim), so `sudo -iu claude` lands in the same clean shell.
dev_env__users:
  - sjat
  - claude

# Connection: ubongo is the manually-provisioned control node (ADR-009/ADR-015 exception),
# not a Terraform VM bootstrapped with the `ansible` service user that group_vars/all
# assumes. Manage it as the operator account. Overrides the all-group default for this
# group only.
ansible_user: sjat

# ubongo's AI-worker; passwordless sudo for the claude user (ADR-015 amended).
base__ai_worker_user: claude

# ubongo is a NetBird mesh peer (ADR-016, M5) — enrol the agent via base's `mesh` concern.
# This is enrolment only: it brings up wt0 without changing SSH exposure. The host
# firewall default-deny was deferred to the mesh-hardening follow-on, which is now
# applied below (base__firewall_input_only).
base__mesh_enabled: true

# Mesh-hardening 2/3 (2026-06-19, ADR-020/021): apply base's host firewall to ubongo as
# INPUT-only default-deny — harden the inbound surface, leave the forward chain permissive so
# Docker egress + the libvirt-NAT integration harness keep working. sshd is unchanged
# (nftables scopes inbound only), so there is no boot race between sshd and the firewall.
# Reach ubongo over wt0 (mesh), the ssh-from-control self-path (base__firewall_control_addr,
# group_vars/all = 10.20.10.151), or mamba on the LAN. Break-glass: the physical console.
# (base__firewall_apply defaults to true, so this is the only switch needed.)
base__firewall_input_only: true

# DNS-resilience (ADR-016 availability / R8): pin the coordinator FQDN to askari's stable WAN
# IP in /etc/hosts so a local-DNS hiccup (the 2026-06-18 incident class) can't strand ubongo's
# mesh. askari (offsite_hosts) is exempt — it reaches the coordinator locally.
base__mesh_coordinator_pin: "77.42.120.136"

# Hosts allowed to open SSH inbound once the default-deny is in place. Both are raw DHCP
# leases, not reservations, so the allow-list is only as stable as the lease; wt0 is the
# backstop if a lease moves.
base__firewall_admin_addrs:
  - "10.20.10.50"   # mamba over the LAN (NetBird off). Raw DHCP lease — revisit with an
                    # OPNsense reservation when OPNsense-as-code lands; backstopped by wt0.
  - "10.20.10.17"   # 2nd operator workstation (MAC bc:0f:f3:c8:4a:8a). Raw lease — ditto.
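# Added example (not the base role's own template or code): what the variables above
# amount to as an nftables ruleset, plus the pre-apply checks that guard against the
# lockout the comments worry about. Variable names and addresses are taken from this
# file; the table/chain names, the ICMP and loopback rules, the interface name wt0 as
# an nftables match, the SSH port and the coordinator FQDN parameter are assumptions.

```python
"""Render ubongo's INPUT-only default-deny ruleset from its group_vars and check
the invariants the comments rely on before anything is handed to nft.

Added example, not the base role's code. Variable names and addresses come from
the group_vars; table/chain layout, wt0 as an iifname match, SSH on port 22 and
the coordinator FQDN argument are assumptions made for illustration.
"""
import ipaddress

# Constructed from the group_vars on the page (base__firewall_control_addr is the
# group_vars/all value the comment cites).
GROUP_VARS = {
    "base__firewall_apply": True,
    "base__firewall_input_only": True,
    "base__firewall_control_addr": "10.20.10.151",
    "base__firewall_admin_addrs": ["10.20.10.50", "10.20.10.17"],
    "base__mesh_enabled": True,
    "base__mesh_coordinator_pin": "77.42.120.136",
}
MESH_IFACE = "wt0"   # NetBird interface named on the page
SSH_PORT = 22        # assumption: sshd on its default port


def _addr(s: str) -> str:
    """Reject typos before they reach nft: a mistyped admin address is a lockout."""
    return str(ipaddress.ip_address(s))


def ssh_sources(v: dict) -> list[str]:
    """Addresses allowed to open SSH: the ssh-from-control self-path first, then
    the admin addrs, deduplicated and in a stable order."""
    seen: list[str] = []
    for raw in [v["base__firewall_control_addr"], *v.get("base__firewall_admin_addrs", [])]:
        a = _addr(raw)
        if a not in seen:
            seen.append(a)
    return seen


def render_nftables(v: dict) -> str:
    """Inbound default-deny; forward chain stays permissive when input-only is set
    (Docker egress and libvirt NAT keep working), default-deny otherwise."""
    if not v.get("base__firewall_apply", True):
        return ""  # role does not manage the ruleset at all
    forward_policy = "accept" if v.get("base__firewall_input_only") else "drop"
    lines = [
        "table inet base_fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    meta l4proto { icmp, ipv6-icmp } accept",
    ]
    if v.get("base__mesh_enabled"):
        lines.append(f'    iifname "{MESH_IFACE}" accept')   # mesh path, any service
    for src in ssh_sources(v):
        fam = "ip6" if ":" in src else "ip"
        lines.append(f"    {fam} saddr {src} tcp dport {SSH_PORT} accept")
    lines += [
        "  }",
        "  chain forward {",
        f"    type filter hook forward priority 0; policy {forward_policy};",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def check_invariants(ruleset: str, v: dict) -> list[str]:
    """Pre-apply checks mirroring the comments: inbound is default-deny, forward is
    left alone when input-only, wt0 is admitted, and every admin path can still SSH."""
    problems = []
    if "hook input priority 0; policy drop;" not in ruleset:
        problems.append("input chain is not default-deny")
    want_fwd = "accept" if v.get("base__firewall_input_only") else "drop"
    if f"hook forward priority 0; policy {want_fwd};" not in ruleset:
        problems.append(f"forward chain policy should be {want_fwd}")
    if v.get("base__mesh_enabled") and f'iifname "{MESH_IFACE}" accept' not in ruleset:
        problems.append("mesh interface not admitted; wt0 path would be cut")
    for src in ssh_sources(v):
        if f"saddr {src} tcp dport {SSH_PORT} accept" not in ruleset:
            problems.append(f"no SSH allow for {src}")
    return problems


def hosts_pin_line(v: dict, coordinator_fqdn: str) -> str:
    """The /etc/hosts pin for the mesh coordinator (FQDN is an argument; the page
    does not name it)."""
    return f"{_addr(v['base__mesh_coordinator_pin'])} {coordinator_fqdn}"


if __name__ == "__main__":
    rs = render_nftables(GROUP_VARS)
    print(rs, end="")
    print("# problems:", check_invariants(rs, GROUP_VARS) or "none")
```

The check runs on the rendered text rather than on the variables so that it also catches a template regression; in a playbook the same assertions belong in a pre-task before the ruleset is loaded, with `nft -c -f` as the final syntax gate.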