sjat
9e0c264658
- ADR-007: document ubongo on the legacy V4 net at 10.20.10.151 (transitional, outside the planned srv /24 until the LAN is re-cut) (O10); single authoritative boma.baobab.band -> boma.wingu.me transition note already added earlier - terraform tfvars.example + variables.tf (both envs): pve01 -> pve0 and <host>.boma.baobab.band per ADR-007 naming (O11) - ADR-012/013/015/016/017/018: convert "See also:" prose to `## Related` sections placed after Consequences, matching ADR-014/019-023 (O13) - docs/README + inventories/README: list the missing subdirs / offsite_hosts + offsite.yml merge behaviour (O14, O29 note) - ADR-009: drop the retired `nyumbani` example; use vaultwarden.wingu.me split-horizon (O19) - ROADMAP M2: askari shipped as cx23/x86 (CAX11/ARM out of stock) (O20) - ADR-020: 80/443/3478 opened in M4a (past tense); coordinator role is M4b (O21) - netbird -> netbird_coordinator across ROADMAP M4b, the M4b plan, ADR-024 (O23) - ADR-024: align the M1 DNS-01 wildcard scope wording with ROADMAP (O24) - capacity-scan.py: read the inventory directory so offsite.yml (askari) is seen (O28) - tf_to_inventory.py: generated header now warns it overwrites the manual control node (O9) - tests/tags.yml: proxy concern comment Traefik -> Caddy (missed in the O3 sweep) O9's existing stub hosts.yml header stays as-is (generator-owned, hook-protected); the fix lives in the generator for the next regeneration. make lint + pytest (57) green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
42 lines
1.2 KiB
YAML
42 lines
1.2 KiB
YAML
---
|
|
# Variables applied to all managed hosts
|
|
# Secrets belong in vault.yml alongside this file — never here
|
|
|
|
# Ansible connection
|
|
ansible_user: ansible
|
|
ansible_python_interpreter: /usr/bin/python3
|
|
|
|
# SSH authorised keys — add one entry per person
|
|
# Format: "ssh-ed25519 AAAA... user@host"
|
|
base__ssh_authorised_keys:
|
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSx1TFLJ9H8vCe5ZJSu7MYmAiH0/OC8evloQjGR0Bqw claude@ubongo"
|
|
|
|
# Timezone
|
|
base__timezone: Europe/Copenhagen
|
|
|
|
# Domain
|
|
base__domain: baobab.band
|
|
base__internal_zone: boma.baobab.band
|
|
|
|
# DNS — internal resolvers on srv VLAN
|
|
base__dns_servers:
|
|
- 10.20.0.10
|
|
- 10.20.0.11
|
|
|
|
# NTP
|
|
base__ntp_servers:
|
|
- 0.pool.ntp.org
|
|
- 1.pool.ntp.org
|
|
|
|
# Network — srv VLAN (where all managed VMs live)
|
|
network__srv_gateway: 10.20.0.1
|
|
network__srv_subnet: 10.20.0.0/24
|
|
|
|
# Services base directory (for Docker Compose deployments)
|
|
services__base_dir: /opt/services
|
|
|
|
# Unattended upgrades — security patches only
|
|
base__unattended_upgrades_enabled: true
|
|
|
|
# Management plane — activates the dormant ssh-from-control firewall rule
|
|
base__firewall_control_addr: "10.20.10.151" # ubongo — legacy V4 addr (ADR-007); ADR-021 ssh-from-control
|