---
- name: Converge
  hosts: all
  become: true
  gather_facts: true
  vars:
    base__firewall_apply: false
    base__firewall_control_addr: 10.10.0.99   # test control-node LAN address
    base__firewall_admin_addrs:
      - "10.30.0.77"   # fixture: an operator-workstation LAN source (admin-addr SSH allow)
    # Exercise the mesh concern's include path with the live actions gated off, so it
    # runs hermetically (no coordinator/key needed) and must be a clean no-op.
    base__mesh_enabled: true
    base__mesh_manage: false
    base__mesh_setup_key: "dummy-molecule-key"
    base__mesh_coordinator_pin: "203.0.113.9"   # fixture IP (TEST-NET-3); pins FQDN from base__mesh_management_url
    base__ssh_listen_mesh_only: true
    base__ssh_listen_addr: "100.99.0.1"   # fixture mesh IP (no wt0 in the container)
    firewall_zones:
      lan: 10.30.0.0/24
      srv: 10.20.0.0/24
      mgmt: 10.10.0.0/24
      public: 0.0.0.0/0
    firewall_catalog:
      reverse_proxy:
        host: instance
        ingress:
          - { from: lan, port: 443, proto: tcp }
      photoprism:
        host: instance
        ingress:
          - { from: srv, port: 2342, proto: tcp }
      netbird_stun:
        host: instance
        ingress:
          - { from: public, port: 3478, proto: udp }
  roles:
    - role: base