# vm-control — Control plane (portal, tenant-registry, ERPNext, Stalwart).
# See INFRASTRUCTURE.md §1, §2, §6.

[vm]
name = "vm-control"
env = "prod"
flavor = "m2.medium"    # 4 vCPU, 16 GB RAM
public_ip = false        # only reachable via vm-edge orca-proxy
region = "DUS2"
private_network = "platform-prod"
private_ip_cidr = "10.0.2.0/24"

[vm.disk]
block_volume_gb = 250   # MariaDB (ERPNext) + Stalwart mail spool, medium growth

[vm.firewall]
ingress_public = []      # no public ingress
ingress_private = [
  { proto = "tcp", ports = "all", source = "10.0.0.0/16", purpose = "intra-platform" },
]