<?xml version="1.0"?>
<opnsense>
<trigger_initial_wizard/>
<theme>opnsense</theme>
<system>
<optimization>normal</optimization>
<hostname>{{OPNSENSE_HOSTNAME}}</hostname>
<domain>{{DOMAIN}}</domain>
<dnsallowoverride>1</dnsallowoverride>
<dnsallowoverride_exclude/>
<group>
<name>admins</name>
<description>System Administrators</description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr>System Administrator</descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>{{ROOT_PASSWORD_HASH}}</password>
<uid>0</uid>
<!-- BASE64-encoded authorized_keys. OPNsense base64_decode()s this and writes it to
~/.ssh/authorized_keys (verified in upstream src/etc/inc/auth.inc:
`$keys = base64_decode($user['authorizedkeys']);`). Without it, applying this
config would leave the edge with NO key-based access at all. -->
<authorizedkeys>{{ROOT_AUTHORIZED_KEYS_B64}}</authorizedkeys>
</user>
<timezone>Etc/UTC</timezone>
<timeservers>{{NTP_UPSTREAM_SERVERS}}</timeservers>
<webgui>
<protocol>https</protocol>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu/>
<ipv6allow>1</ipv6allow>
<bogons>
<interval>monthly</interval>
</bogons>
<pf_share_forward>1</pf_share_forward>
<!-- SSH. Element names verified against upstream src/www/system_advanced_admin.php:
`enabled` is the literal STRING "enabled"; `permitrootlogin` and `passwordauth` are
PRESENCE-checked (isset), so omitting passwordauth means password auth is OFF.
D-112(c) makes SSH the management path for this edge, so it MUST be on. The previous
template had only the group element (no enable, no key), so applying it would have
DISABLED sshd and installed no key, leaving management reachable only via console.
Key-only auth is deliberate; the serial console remains the break-glass fallback. -->
<ssh>
<enabled>enabled</enabled>
<permitrootlogin>1</permitrootlogin>
<group>admins</group>
</ssh>
</system>
<interfaces>
<wan>
<enable>1</enable>
<if>{{WAN_IF}}</if>
<mtu/>
<ipaddr>{{WAN_IPADDR}}</ipaddr>
<subnet>{{WAN_SUBNET_BITS}}</subnet>
<gateway>WAN_GW</gateway>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
</wan>
<lan>
<enable>1</enable>
<if>{{LAN_IF}}</if>
<ipaddr>{{LAN_IPADDR}}</ipaddr>
<subnet>{{LAN_SUBNET_BITS}}</subnet>
</lan>
</interfaces>
<gateways>
<gateway_item>
<interface>wan</interface>
<gateway>{{WAN_GATEWAY}}</gateway>
<name>WAN_GW</name>
<weight>1</weight>
<ipprotocol>inet</ipprotocol>
<descr>simulated ISP uplink gateway (D-100)</descr>
</gateway_item>
</gateways>
<staticroutes>
{{ROUTE1_BLOCK}}
{{ROUTE2_BLOCK}}
</staticroutes>
<unbound>
<enable>1</enable>
</unbound>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
</nat>
<filter>
</filter>
<rrd>
<enable/>
</rrd>
<ntpd>
<prefer>{{NTP_PREFER_SERVER}}</prefer>
<ispool>{{NTP_UPSTREAM_SERVERS}}</ispool>
</ntpd>
<OPNsense>
<Firewall>
<Filter>
<rules>
<rule>
<enabled>1</enabled>
<statetype>keep</statetype>
<sequence>1</sequence>
<action>pass</action>
<quick>1</quick>
<interface>lan</interface>
<direction>in</direction>
<ipprotocol>inet</ipprotocol>
<protocol>any</protocol>
<source_net>lan</source_net>
<destination_net>any</destination_net>
<description>Default allow LAN to any rule</description>
</rule>
<rule>
<enabled>1</enabled>
<statetype>keep</statetype>
<sequence>11</sequence>
<action>pass</action>
<quick>1</quick>
<interface>lan</interface>
<direction>in</direction>
<ipprotocol>inet6</ipprotocol>
<protocol>any</protocol>
<source_net>lan</source_net>
<destination_net>any</destination_net>
<description>Default allow LAN IPv6 to any rule</description>
</rule>
<!-- Edge is a normal simulated-ISP router (DOCFIX-185). Outbound is
allowed by the LAN allow-any rules above + default outbound NAT;
WAN inbound is default-deny (plus blockpriv/blockbogons on the wan
interface). The earlier D-107 WAN-egress-control rules (NTP-only +
mirror-only + default-deny-out, and the MIRROR_* tokens) were
REMOVED: they modeled an egress-airgap that does not match this
project's real transport model. Each site (both DCs and Office)
has its own simulated-ISP internet uplink; the dark fiber is
East-West/replication only, NOT an internet path. D-107's
node-level artifact posture (per-DC mirror; nodes not pulling
directly from the public internet) is a separate DC-node/routing
concern, not the edge's WAN egress. -->
</rules>
<snatrules/>
<npt/>
<onetoone/>
</Filter>
</Firewall>
</OPNsense>
</opnsense>