---
# Secure Firewall Role - Default Variables
#
# Ansible role defaults; every value can be overridden per host/group.
# The tasks that consume these variables are not in this file, so the
# notes below describe the intent the defaults encode, not verified
# behaviour of the role — confirm against tasks/ before relying on them.

# Firewall backend (ufw or iptables)
firewall_backend: ufw

# Default policies
firewall_default_input_policy: deny
firewall_default_output_policy: allow
# NOTE(review): a deny FORWARD policy also drops traffic routed on behalf
# of WireGuard clients unless the tasks add explicit forward/NAT rules for
# the VPN interface — confirm if this host routes VPN client traffic.
firewall_default_forward_policy: deny

# VPN-only mode: Only allow management access from specified networks/IPs
vpn_only_mode: true

# Management access sources
# Can be:
# - VPN network CIDR (e.g., "10.100.0.0/24" for admin VPN)
# - Single IP (e.g., "185.112.147.205" for ValleyForge public IP)
# - List of both
#
# WARNING: the default is an empty list while vpn_only_mode is true and the
# default INPUT policy is deny. Taken literally, that permits NO source to
# reach the management ports (SSH included), so set this per host/group
# BEFORE applying the role — include the address you deploy from — and
# keep out-of-band (console) access for the first run. How the tasks treat
# an empty list (lock-out vs. falling open to all sources) is not visible
# here; check before depending on either outcome.
management_allowed_sources: []
# Example:
# management_allowed_sources:
#   - "10.100.0.0/24"       # Admin VPN network
#   - "185.112.147.205"     # ValleyForge public IP

# Management ports (restricted to management_allowed_sources if vpn_only_mode is true)
# Because 80/443 and the application ports are listed here, the web
# services are reachable only from management_allowed_sources while
# vpn_only_mode is true. Move a port to public_ports if it must be
# internet-facing; do not widen management_allowed_sources to 0.0.0.0/0.
management_ports:
  - port: 22
    proto: tcp
    comment: "SSH"
  - port: 80
    proto: tcp
    comment: "HTTP"
  - port: 443
    proto: tcp
    comment: "HTTPS"
  - port: 8080
    proto: tcp
    comment: "Outline Manager"
  - port: 8065
    proto: tcp
    comment: "Mattermost"
  - port: 8443
    proto: tcp
    comment: "Nextcloud HTTPS"

# Public ports (always accessible from internet)
# Anything added here bypasses vpn_only_mode entirely; keep this list to
# services that are designed to be exposed (the VPN endpoint itself).
public_ports:
  - port: 51820
    proto: udp
    comment: "WireGuard VPN"

# Rate limiting for SSH
# NOTE(review): the burst/rate pair is written in iptables "limit"-module
# style. Whether the ufw backend honours these two values, or applies its
# own fixed built-in limit and ignores them, is not visible here — verify
# for the backend in use.
ssh_rate_limit: true
ssh_rate_limit_burst: 10
ssh_rate_limit_rate: "30/minute"

# Logging
# Valid levels: "off", low, medium, high, full.
# Always quote "off": an unquoted `off` is parsed as boolean false by
# YAML 1.1 loaders (including PyYAML as used by Ansible), not as the
# string the role expects.
firewall_logging: "low"