boma/inventories/production/group_vars/control/vars.yml

---
# Workstation-class control node (ubongo, ADR-015) — developer-environment users.
# The operator and the dedicated AI-worker user both get the dev_env role (dotfiles,
# zsh/tmux/nvim), so `sudo -iu claude` lands in the same clean shell.
dev_env__users:
  - sjat
  - claude

# Connection: ubongo is the manually-provisioned control node (ADR-009/ADR-015 exception),
# not a Terraform VM bootstrapped with the `ansible` service user that group_vars/all
# assumes. Manage it as the operator account. Overrides the all-group default for this
# group only.
ansible_user: sjat

# ubongo's AI-worker; passwordless sudo for the claude user (ADR-015 amended).
base__ai_worker_user: claude

# ubongo is a NetBird mesh peer (ADR-016, M5) — enrol the agent via base's `mesh` concern.
# Enrollment only; the host firewall default-deny stays deferred (the mesh-hardening
# follow-on), so this brings up wt0 without changing SSH exposure.
base__mesh_enabled: true

# Mesh-hardening 2/3 (2026-06-19, ADR-020/021): apply base's host firewall to ubongo as
# INPUT-only default-deny — harden the inbound surface, leave the forward chain permissive so
# Docker egress + the libvirt-NAT integration harness keep working. sshd is unchanged
# (nftables scopes inbound), so there is no boot-race. Reach ubongo over wt0 (mesh), the
# ssh-from-control self-path (base__firewall_control_addr, group_vars/all = 10.20.10.151), or
# mamba on the LAN. Break-glass: the physical console. (base__firewall_apply defaults true.)
base__firewall_input_only: true
base__firewall_admin_addrs:
  - "10.20.10.50"   # mamba over the LAN (NetBird off). Raw DHCP lease — revisit with an
                    # OPNsense reservation when OPNsense-as-code lands; backstopped by wt0.
  - "10.20.10.17"   # 2nd operator workstation (MAC bc:0f:f3:c8:4a:8a). Raw lease — ditto.