---
# Shared firewall topology — single source of truth for the host nftables layer
# (base role) and OPNsense (future). See docs/decisions/020-firewall.md.
#
# Both consumers are meant to read this file, so an edit here changes policy on
# every host at once. Review changes to it as a firewall change, not a variable
# tweak, and keep it the only place zones are defined — a second copy drifts.

# Zone → subnet (from ADR-007).
# Zone membership is decided purely by address, so the ranges must stay
# disjoint (they are: five distinct /24s) — an address inside two zones would
# get whichever zone the consumer happens to match first.
# NOTE(review): how an address outside every range is treated (dropped by
# default-deny, or simply unmatched) is decided by the consumer, not here —
# confirm in the base role before relying on it.
# CIDRs are plain scalars; the `/` keeps them from being typed as numbers, so
# they load as strings without quoting.
firewall_zones:
  mgmt: 10.10.0.0/24
  srv: 10.20.0.0/24
  lan: 10.30.0.0/24
  iot: 10.40.0.0/24
  guest: 10.50.0.0/24

# Service catalog: one entry per service → placement (host | group | hosts) + ingress[].
# Empty until services are built; hosts still get default-deny + the management plane.
# Keep the explicit `{}`: a bare `firewall_catalog:` parses as null, not an
# empty mapping, and a consumer that iterates the catalog may not tolerate that.
# The management-plane allow itself is not described in this file — it is
# applied by the consumer (presumably keyed off the mgmt zone above; verify in
# the base role), so nothing here opens ingress until a service is added.
firewall_catalog: {}