---
# Shared firewall topology — single source of truth for the host nftables layer
# (base role) and OPNsense (future). See docs/decisions/020-firewall.md.

# Zone → subnet (from ADR-007). `public` = the WAN (anywhere) for deliberately public
# off-site services (askari); home/cluster services use the internal zones only.
firewall_zones:
  mgmt: 10.10.0.0/24
  srv: 10.20.0.0/24
  lan: 10.30.0.0/24
  iot: 10.40.0.0/24
  guest: 10.50.0.0/24
  public: 0.0.0.0/0

# Service catalog: service → placement (host | group | hosts) + ingress[].
# askari's public surface (ADR-024 Caddy + ADR-016 NetBird STUN). NOTE: the host
# nftables template renders IPv4 source rules only; askari is reached via its A record
# (no AAAA), so IPv4-only public rules are sufficient (see the spec's IPv6 note).
firewall_catalog:
  reverse_proxy:
    host: askari
    ingress:
      - { from: public, port: 80, proto: tcp }
      - { from: public, port: 443, proto: tcp }
  netbird_stun:
    host: askari
    ingress:
      - { from: public, port: 3478, proto: udp }
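As an added example (not the base role's own Jinja template), the following Python sketch shows how the catalog above resolves to per-host nftables rules: placement by `host`, `group` or `hosts`, one accept rule per ingress entry, IPv4 source rules only, with a catalog check for unknown zones, bad protocols and out-of-range ports. The in-memory copy of the zones and catalog and all function names are constructed for this example.

```python
"""Render the host nftables IPv4 ingress rules for one host from the shared catalog."""
import ipaddress

# Constructed in-memory copy of firewall_zones / firewall_catalog (the role loads YAML).
FIREWALL_ZONES = {
    "mgmt": "10.10.0.0/24", "srv": "10.20.0.0/24", "lan": "10.30.0.0/24",
    "iot": "10.40.0.0/24", "guest": "10.50.0.0/24", "public": "0.0.0.0/0",
}
FIREWALL_CATALOG = {
    "reverse_proxy": {"host": "askari", "ingress": [
        {"from": "public", "port": 80, "proto": "tcp"},
        {"from": "public", "port": 443, "proto": "tcp"}]},
    "netbird_stun": {"host": "askari", "ingress": [
        {"from": "public", "port": 3478, "proto": "udp"}]},
}

def check_catalog(zones, catalog):
    """Return a list of problems: unknown zones, unsupported protocols, bad ports."""
    problems = []
    for name, svc in catalog.items():
        for ing in svc.get("ingress", []):
            if ing.get("from") not in zones:
                problems.append(f"{name}: unknown zone {ing.get('from')!r}")
            if ing.get("proto") not in ("tcp", "udp"):
                problems.append(f"{name}: unsupported proto {ing.get('proto')!r}")
            if not 1 <= int(ing.get("port", 0)) <= 65535:
                problems.append(f"{name}: port {ing.get('port')!r} out of range")
    return problems

def services_for_host(catalog, hostname, host_groups=()):
    """Select catalog entries placed on this host via `host`, `group` or `hosts`."""
    return {name: svc for name, svc in catalog.items()
            if svc.get("host") == hostname
            or svc.get("group") in host_groups
            or hostname in svc.get("hosts", [])}

def render_rules(zones, catalog, hostname, host_groups=()):
    """One accept rule per ingress entry; IPv4 source rules only, like the template."""
    rules = []
    for name, svc in sorted(services_for_host(catalog, hostname, host_groups).items()):
        for ing in svc["ingress"]:
            net = ipaddress.ip_network(zones[ing["from"]])
            if net.version != 4:
                continue  # IPv6 zones are not rendered by the host template
            src = "" if net.prefixlen == 0 else f"ip saddr {net} "  # 0.0.0.0/0 = anywhere
            rules.append(f'{src}{ing["proto"]} dport {ing["port"]} accept comment "{name}"')
    return rules
```

Run `check_catalog` before `render_rules`; the renderer assumes a catalog that passed the check.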