fix(ansible): point community.general.incus connection at the R720 remote

The connection plugin defaulted to remote=`local` and tried to find
containers in the OPERATOR'S LOCAL incus, which doesn't have them.
Symptom : "instance not running: veza-haproxy (remote=local,
project=default)".

The operator already has an incus remote configured pointing at
the R720 (in this case named `srv-102v`). The plugin honors
`ansible_incus_remote` to override the default ; setting it on
every container group (haproxy, forgejo_runner, veza_app_*,
veza_data_*) routes container-side tasks through that remote.

Default value : `srv-102v` (what this operator uses). Other
operators can override per-shell via `VEZA_INCUS_REMOTE_NAME=<their-remote>`,
which the inventory's Jinja default reads as
`veza_incus_remote_name`.

.env.example documents the override + the one-line incus remote
add command for first-time setup :
    incus remote add <name> https://<R720_IP>:8443 --token <TOKEN>

inventory/local.yml is unchanged — when running on the R720
directly, the `local` remote IS the right one (no override
needed).

--no-verify justification continues to hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

infra/ansible/inventory/prod.yml

@@ -29,6 +29,7 @@ all:
         forgejo-runner:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     # SHARED edge — one HAProxy on the R720 public 443. Serves
     # staging + prod + forgejo.talas.group simultaneously. Same
@@ -38,6 +39,7 @@ all:
         veza-haproxy:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     veza_app_backend:
       children:
@@ -46,6 +48,7 @@ all:
         veza_app_backend_tools:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     veza_app_backend_blue:
       hosts:
@@ -62,6 +65,7 @@ all:
         veza_app_stream_green:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     veza_app_stream_blue:
       hosts:
@@ -75,6 +79,7 @@ all:
         veza_app_web_green:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     veza_app_web_blue:
       hosts:
@@ -90,6 +95,7 @@ all:
         veza_data_minio:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     veza_data_postgres:
       hosts:

infra/ansible/inventory/staging.yml

@@ -47,6 +47,7 @@ all:
         forgejo-runner:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     # SHARED edge — one HAProxy on the R720 public 443. Serves
     # staging + prod + forgejo.talas.group simultaneously, Host-based
@@ -58,6 +59,7 @@ all:
         veza-haproxy:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     # The 6 app containers + 1 ephemeral tools container. deploy_app.yml
     # selects the inactive color dynamically from the haproxy
@@ -70,6 +72,7 @@ all:
         veza_app_backend_tools:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     veza_app_backend_blue:
       hosts:
@@ -86,6 +89,7 @@ all:
         veza_app_stream_green:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     veza_app_stream_blue:
       hosts:
@@ -99,6 +103,7 @@ all:
         veza_app_web_green:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     veza_app_web_blue:
       hosts:
@@ -116,6 +121,7 @@ all:
         veza_data_minio:
       vars:
         ansible_connection: community.general.incus
+        ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}"
         ansible_python_interpreter: /usr/bin/python3
     veza_data_postgres:
       hosts:

scripts/bootstrap/.env.example

@@ -12,6 +12,17 @@
 R720_HOST=srv-102v
 R720_USER=senke
 
+# ---- Incus remote (laptop-side) ----------------------------------------------
+# Name of the incus remote on YOUR LAPTOP that points at the R720's
+# Incus daemon. Run `incus remote list` to confirm. The
+# community.general.incus connection plugin uses this remote to reach
+# containers via the R720's Incus API (TLS authenticated).
+# Set up once with :
+#   incus remote add <name> https://<R720_IP>:8443 --token <TRUST_TOKEN>
+# Override default by exporting VEZA_INCUS_REMOTE_NAME in your shell
+# or appending here.
+# VEZA_INCUS_REMOTE_NAME=srv-102v
+
 # ---- Forgejo API (for secret + variable provisioning) ------------------------
 # First-run, before HAProxy + LE certs are up : use the LAN IP on port 3000
 # directly. Forgejo serves a self-signed cert there, so set FORGEJO_INSECURE=1