sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
boma/inventories
History
sjat b3e14decb4 feat(inventory): ubongo gets INPUT-only host firewall + mamba LAN SSH 
Enables base__firewall_input_only on the control group (forward chain stays
permissive so Docker egress + the integration-test libvirt NAT survive) and
allows the operator workstations' LAN IPs (mamba 10.20.10.50 + 10.20.10.17;
raw leases, backstopped by wt0). Mesh-hardening 2/3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 09:42:49 +02:00
..
production feat(inventory): ubongo gets INPUT-only host firewall + mamba LAN SSH 2026-06-19 09:42:49 +02:00
staging feat(base): shared firewall catalog/zones + firewall defaults 2026-06-06 18:49:40 +02:00
README.md docs: reconcile lower-severity review findings (O9-O24) 2026-06-14 19:31:40 +02:00

README.md

inventories/

Ansible inventories, one directory per environment (staging/, production/). Defines which hosts exist and their group membership; group_vars/ and host_vars/ hold per-group and per-host configuration.

  • hosts.yml is generated from Terraform outputs by make tf-inventory — do not hand-edit. The control node is the one manual exception.
  • offsite.yml (in production/) is a second generated inventory file, written by make tf-inventory-offsite from the offsite Terraform env; it holds the offsite_hosts group (askari). Ansible merges it with hosts.yml, so both can declare the same group names harmlessly (the offsite generator emits all four groups, most empty).
  • Host groups: all, control, docker_hosts, proxmox_hosts, offsite_hosts.
  • Terraform→inventory data flow and the data contract: ADR-009.
  • Addressing conventions (subnets, ranges): ADR-007.
  • Layout and host groups: see CLAUDE.md ("Inventory structure").