boma/inventories
sjat 3b30e70ba5 feat(firewall): public zone + askari's public services in the catalog
Adds a public (0.0.0.0/0) zone and askari's Caddy (80/443) + NetBird STUN
(3478/udp) ingress so the base nftables default-deny does not drop the live
public services when applied to askari. Molecule + filter unit test cover the
public-zone rendering. Mesh-hardening 1/3 (ADR-020/024/016).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 20:46:03 +02:00
..
production feat(firewall): public zone + askari's public services in the catalog 2026-06-17 20:46:03 +02:00
staging feat(base): shared firewall catalog/zones + firewall defaults 2026-06-06 18:49:40 +02:00
README.md docs: reconcile lower-severity review findings (O9-O24) 2026-06-14 19:31:40 +02:00

inventories/

Ansible inventories, one directory per environment (staging/, production/). Defines which hosts exist and their group membership; group_vars/ and host_vars/ hold per-group and per-host configuration.

  • hosts.yml is generated from Terraform outputs by make tf-inventory — do not hand-edit. The control node is the one manual exception.
  • offsite.yml (in production/) is a second generated inventory file, written by make tf-inventory-offsite from the offsite Terraform env; it holds the offsite_hosts group (askari). Ansible merges it with hosts.yml, so both can declare the same group names harmlessly (the offsite generator emits all four groups, most empty).
  • Host groups: all, control, docker_hosts, proxmox_hosts, offsite_hosts.
  • Terraform→inventory data flow and the data contract: ADR-009.
  • Addressing conventions (subnets, ranges): ADR-007.
  • Layout and host groups: see CLAUDE.md ("Inventory structure").