# vm-edge — Identity + Infra plane, public IP, root auth dependency.
# See INFRASTRUCTURE.md §1, §2.
#
# Security context: this is the only VM that accepts public traffic, and per
# the disk note below it also holds the Keycloak and Infisical databases and
# the Gitea repos. A compromise of a public listener here lands next to the
# platform's identity and secrets state, so review every firewall change in
# this file with that in mind.
[vm]
name = "vm-edge"
env = "prod"
flavor = "m2.small" # 2 vCPU, 8 GB RAM
public_ip = true
region = "DUS2"
private_network = "platform-prod"
private_ip_cidr = "10.0.1.0/24"

[vm.disk]
# NOTE(review): no encryption-at-rest or backup setting is visible in this
# file; confirm where those are configured for this volume, since it stores
# identity and secrets data.
block_volume_gb = 50 # pg-keycloak + pg-infisical + Gitea repos (slow growth)

[vm.firewall]
# vm-edge is the only host accepting public traffic. Everything else is
# behind the private network.
#
# Public exposure is limited to HTTP/HTTPS and DNS. No public rule exists for
# SSH or the database ports; presumably anything not listed is denied —
# confirm the consumer of this file is default-deny.
#
# NOTE(review): port 53 is open to the whole internet. That is expected for
# an authoritative server; if this PowerDNS instance also answers recursive
# queries, restrict recursion to internal sources, because an open resolver
# can be abused for reflection/amplification — confirm which role it runs.
#
# NOTE(review): every source is an IPv4 range. Whether IPv6 traffic is
# denied or simply not covered by these rules is not visible here — confirm.
ingress_public = [
    { proto = "tcp", ports = [80, 443], source = "0.0.0.0/0", purpose = "orca-proxy HTTP/HTTPS" },
    { proto = "tcp", ports = [53], source = "0.0.0.0/0", purpose = "PowerDNS (TCP)" },
    { proto = "udp", ports = [53], source = "0.0.0.0/0", purpose = "PowerDNS (UDP)" },
]
# NOTE(review): this rule allows every TCP port from 10.0.0.0/16, which is
# wider than this VM's own private_ip_cidr (10.0.1.0/24). Any host in the /16
# can reach every TCP listener on vm-edge, presumably including the Postgres
# instances named in the disk note. Consider narrowing to the ports and
# source subnets that actually need access (least privilege).
#
# NOTE(review): ports is the string "all" here but an integer array in
# ingress_public; presumably the consumer accepts both forms — confirm.
ingress_private = [
    { proto = "tcp", ports = "all", source = "10.0.0.0/16", purpose = "intra-platform" },
]