<?xml version="1.0"?>
<opnsense>
  <trigger_initial_wizard/>
  <theme>opnsense</theme>
  <system>
    <optimization>normal</optimization>
    <hostname>{{OPNSENSE_HOSTNAME}}</hostname>
    <domain>{{DOMAIN}}</domain>
    <dnsallowoverride>1</dnsallowoverride>
    <dnsallowoverride_exclude/>
    <group>
      <name>admins</name>
      <description>System Administrators</description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>root</name>
      <descr>System Administrator</descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <password>{{ROOT_PASSWORD_HASH}}</password>
      <uid>0</uid>
      <!-- BASE64-encoded authorized_keys. OPNsense base64_decode()s this and writes it to
           ~/.ssh/authorized_keys (verified in upstream src/etc/inc/auth.inc:
           `$keys = base64_decode($user['authorizedkeys']);`). Without it, applying this
           config would leave the edge with NO key-based access at all. -->
      <authorizedkeys>{{ROOT_AUTHORIZED_KEYS_B64}}</authorizedkeys>
    </user>
    <timezone>Etc/UTC</timezone>
    <timeservers>{{NTP_UPSTREAM_SERVERS}}</timeservers>
    <webgui>
      <protocol>https</protocol>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <usevirtualterminal>1</usevirtualterminal>
    <disableconsolemenu/>
    <ipv6allow>1</ipv6allow>
    <bogons>
      <interval>monthly</interval>
    </bogons>
    <pf_share_forward>1</pf_share_forward>
    <!-- SSH. Element names verified against upstream src/www/system_advanced_admin.php:
         `enabled` is the literal STRING "enabled"; `permitrootlogin` and `passwordauth` are
         PRESENCE-checked (isset), so omitting passwordauth means password auth is OFF.
         D-112(c) makes SSH the management path for this edge, so it MUST be on. The previous
         template had only the group element (no enable, no key), so applying it would have
         DISABLED sshd and installed no key, leaving management reachable only via console.
         Key-only auth is deliberate; the serial console remains the break-glass fallback. -->
    <ssh>
      <enabled>enabled</enabled>
      <permitrootlogin>1</permitrootlogin>
      <group>admins</group>
    </ssh>
  </system>
  <interfaces>
    <wan>
      <enable>1</enable>
      <if>{{WAN_IF}}</if>
      <mtu/>
      <ipaddr>{{WAN_IPADDR}}</ipaddr>
      <subnet>{{WAN_SUBNET_BITS}}</subnet>
      <gateway>WAN_GW</gateway>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
    </wan>
    <lan>
      <enable>1</enable>
      <if>{{LAN_IF}}</if>
      <ipaddr>{{LAN_IPADDR}}</ipaddr>
      <subnet>{{LAN_SUBNET_BITS}}</subnet>
    </lan>
  </interfaces>
  <gateways>
    <gateway_item>
      <interface>wan</interface>
      <gateway>{{WAN_GATEWAY}}</gateway>
      <name>WAN_GW</name>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <descr>simulated ISP uplink gateway (D-100)</descr>
    </gateway_item>
  </gateways>
  <staticroutes>
{{ROUTE1_BLOCK}}
{{ROUTE2_BLOCK}}
  </staticroutes>
  <unbound>
    <enable>1</enable>
  </unbound>
  <nat>
    <outbound>
      <mode>automatic</mode>
    </outbound>
  </nat>
  <filter>
  </filter>
  <rrd>
    <enable/>
  </rrd>
  <ntpd>
    <prefer>{{NTP_PREFER_SERVER}}</prefer>
    <ispool>{{NTP_UPSTREAM_SERVERS}}</ispool>
  </ntpd>
  <OPNsense>
    <Firewall>
      <Filter>
        <rules>
          <rule>
            <enabled>1</enabled>
            <statetype>keep</statetype>
            <sequence>1</sequence>
            <action>pass</action>
            <quick>1</quick>
            <interface>lan</interface>
            <direction>in</direction>
            <ipprotocol>inet</ipprotocol>
            <protocol>any</protocol>
            <source_net>lan</source_net>
            <destination_net>any</destination_net>
            <description>Default allow LAN to any rule</description>
          </rule>
          <rule>
            <enabled>1</enabled>
            <statetype>keep</statetype>
            <sequence>11</sequence>
            <action>pass</action>
            <quick>1</quick>
            <interface>lan</interface>
            <direction>in</direction>
            <ipprotocol>inet6</ipprotocol>
            <protocol>any</protocol>
            <source_net>lan</source_net>
            <destination_net>any</destination_net>
            <description>Default allow LAN IPv6 to any rule</description>
          </rule>
          <!-- Edge is a normal simulated-ISP router (DOCFIX-185). Outbound is
               allowed by the LAN allow-any rules above + default outbound NAT;
               WAN inbound is default-deny (plus blockpriv/blockbogons on the wan
               interface). The earlier D-107 WAN-egress-control rules (NTP-only +
               mirror-only + default-deny-out, and the MIRROR_* tokens) were
               REMOVED: they modeled an egress-airgap that does not match this
               project's real transport model. Each site (both DCs and Office)
               has its own simulated-ISP internet uplink; the dark fiber is
               East-West/replication only, NOT an internet path. D-107's
               node-level artifact posture (per-DC mirror; nodes not pulling
               directly from the public internet) is a separate DC-node/routing
               concern, not the edge's WAN egress. -->
        </rules>
        <snatrules/>
        <npt/>
        <onetoone/>
      </Filter>
    </Firewall>
  </OPNsense>
</opnsense>
