boma/inventories/production/group_vars/all/vars.yml
sjat deec75de0f feat(base): ssh hardening + fail2ban (hardening concern, ADR-002)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 16:42:56 +02:00

42 lines
1.2 KiB
YAML

---
# Variables applied to all managed hosts
# Secrets belong in vault.yml alongside this file — never here
# Ansible connection
ansible_user: ansible
ansible_python_interpreter: /usr/bin/python3
# SSH authorised keys — add one entry per person
# Format: "ssh-ed25519 AAAA... user@host"
base__ssh_authorised_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSx1TFLJ9H8vCe5ZJSu7MYmAiH0/OC8evloQjGR0Bqw claude@ubongo"
# Timezone
base__timezone: Europe/Copenhagen
# Domain
base__domain: baobab.band
base__internal_zone: boma.baobab.band
# DNS — internal resolvers on srv VLAN
base__dns_servers:
- 10.20.0.10
- 10.20.0.11
# NTP
base__ntp_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
# Network — srv VLAN (where all managed VMs live)
network__srv_gateway: 10.20.0.1
network__srv_subnet: 10.20.0.0/24
# Services base directory (for Docker Compose deployments)
services__base_dir: /opt/services
# Unattended upgrades — security patches only
base__unattended_upgrades_enabled: true
# Management plane — activates the dormant ssh-from-control firewall rule
base__firewall_control_addr: "10.20.10.151" # ubongo (control node) LAN address — ADR-021 ssh-from-control source