diff --git a/infra/ansible/inventory/prod.yml b/infra/ansible/inventory/prod.yml
index 3b5df6501..b79693373 100644
--- a/infra/ansible/inventory/prod.yml
+++ b/infra/ansible/inventory/prod.yml
@@ -14,8 +14,10 @@ all:
 hosts:
 veza-prod:
- ansible_host: 10.0.20.150
- ansible_user: ansible
+ # Same R720 as staging at v1.0 — separate Incus network keeps
+ # blast radius contained. Move to a dedicated host post-v1.1.
+ ansible_host: srv-102v
+ ansible_user: senke
 ansible_python_interpreter: /usr/bin/python3
 children:
 incus_hosts:
diff --git a/infra/ansible/inventory/staging.yml b/infra/ansible/inventory/staging.yml
index cc42dab3e..2a034ccfa 100644
--- a/infra/ansible/inventory/staging.yml
+++ b/infra/ansible/inventory/staging.yml
@@ -30,8 +30,10 @@ all:
 hosts:
 veza-staging:
- ansible_host: 10.0.20.150
- ansible_user: ansible
+ # SSH config alias `srv-102v` resolves to the operator's R720 host.
+ # Override per-operator in host_vars/ if your alias differs.
+ ansible_host: srv-102v
+ ansible_user: senke
 ansible_python_interpreter: /usr/bin/python3
 children:
 incus_hosts:
diff --git a/scripts/bootstrap/bootstrap-local.sh b/scripts/bootstrap/bootstrap-local.sh
index 6b024659b..35ca1c210 100755
--- a/scripts/bootstrap/bootstrap-local.sh
+++ b/scripts/bootstrap/bootstrap-local.sh
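Review bot: Both inventories now commit a personal login (`ansible_user: senke`) and an operator-specific SSH alias (`ansible_host: srv-102v`) under `veza-prod` and `veza-staging`, so the shared files only work from the one operator's `~/.ssh/config` and tie production access to an individual account instead of a dedicated automation user. The staging comment points to host_vars/ for per-operator overrides, but host_vars/ is presumably committed as well, so that still lands a personal identity in the repo. Consider dropping `ansible_user` from both files and letting the SSH alias's `User` (or `-u` at run time) supply it; the prod hunk should carry the same override note as staging if the alias stays. The same applies to the staging.yml hunk on this line.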
@@ -423,10 +423,29 @@ phase_5_haproxy() {
 done
 ok "collections present"
+ # Compute SSH target the same way phase 4 does.
+ local ssh_target
+ if [[ -n "${R720_USER:-}" ]]; then
+ ssh_target="${R720_USER}@${R720_HOST}"
+ else
+ ssh_target="${R720_HOST}"
+ fi
+
+ # Detect if NOPASSWD sudo is configured ; if not, pass --ask-become-pass.
+ local become_flag=()
+ if ssh "$ssh_target" "sudo -n /bin/true" >/dev/null 2>&1; then
+ ok "passwordless sudo on R720 — running ansible without -K"
+ else
+ info "sudo on R720 needs a password — passing --ask-become-pass"
+ info " → ansible will prompt 'BECOME password:' below ; type your sudo password"
+ become_flag=(--ask-become-pass)
+ fi
+
 info "running ansible-playbook playbooks/haproxy.yml (5–10 min)"
 if ! ansible-playbook -i inventory/staging.yml playbooks/haproxy.yml \
- --vault-password-file .vault-pass; then
- TALAS_HINT="check the ansible output above ; common issues : Incus profile missing, port 80 blocked from Internet, DNS not yet propagated"
+ --vault-password-file .vault-pass \
+ "${become_flag[@]}"; then
+ TALAS_HINT="check the ansible output above ; common issues : Incus profile missing, port 80 blocked from Internet, DNS not yet propagated, sudo password rejected"
 die "ansible-playbook haproxy.yml failed"
 fi
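Review bot: The NOPASSWD probe `ssh "$ssh_target" "sudo -n /bin/true"` runs as `${R720_USER}@${R720_HOST}`, while the playbook connects with whatever `ansible_user`/`ansible_host` inventory/staging.yml declares, so whenever the two differ the detection reflects the wrong account and ansible may still hit (or needlessly raise) a BECOME prompt. Because all output is discarded, a probe that fails for a non-sudo reason (host unreachable, key not loaded) silently takes the password branch; `ssh -o BatchMode=yes -o ConnectTimeout=10 "$ssh_target" "sudo -n /bin/true"` keeps it from blocking on an interactive ssh password prompt and makes a connectivity failure distinguishable from a sudo policy. If the script runs under `set -u` on bash older than 4.4 (stock macOS bash 3.2), `"${become_flag[@]}"` on an empty array aborts with an unbound-variable error; `${become_flag[@]+"${become_flag[@]}"}` is the portable spelling. phase_5_haproxy starts before this hunk and its body continues past it.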