# Firewall Configuration
#
# Security groups are managed manually in Proxmox UI:
#   Datacenter → Firewall → Security Group
#
# Groups:
#   - base-egress: HTTP, HTTPS, DNS, NTP (default for VMs)
#   - restricted: UDP 4242 only (Nebula tunnels, no internet)
#
# VMs reference these groups via the firewall_security_group variable.
# East-west segmentation (VM-to-VM) is handled by Nebula groups.