Remove unused Prometheus alerting config (#10)

* Configure UFW firewall rules in common Ansible role

Add UFW configuration to the common role for Debian hosts:
- Default deny incoming, allow outgoing
- Allow all traffic on tailscale0 interface (mesh comms)
- Allow SSH port 22 as safety net
- Per-host allowed ports via ufw_allowed_ports variable
- Enable UFW after rules are applied

helsinki-a gets ports 80/443 for reverse proxy traffic.
Other Debian hosts only need Tailscale + SSH.

Closes PESO-79

* Remove unused alerting and rule_files from prometheus.yml

Alerting is handled by Grafana, not Prometheus Alertmanager.
The empty alertmanagers and rule_files sections were just noise.

Resolves PESO-74

ansible/inventory/host_vars/helsinki-a.yml

@@ -9,3 +9,7 @@ docker_services:
   - authelia
   - forgejo
   - bitwarden
+
+ufw_allowed_ports:
+  - { port: 80, proto: tcp, comment: "HTTP" }
+  - { port: 443, proto: tcp, comment: "HTTPS" }

ansible/inventory/host_vars/nuremberg-a.yml

@@ -3,3 +3,5 @@ host_role: mail
 host_description: "Mail server (poste.io)"
 host_location: "Hetzner Cloud"
 ansible_python_interpreter: /usr/bin/python3
+# NOTE: Alpine host — UFW tasks are Debian-only.
+# Firewall rules for mail ports (25,465,587,993,143,80,443) managed separately.

ansible/roles/common/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+# UFW firewall defaults
+# Override ufw_allowed_ports in host_vars for public-facing services.
+ufw_enabled: true
+ufw_allowed_ports: []
+#   - { port: 80, proto: tcp, comment: "HTTP" }
+#   - { port: 443, proto: tcp, comment: "HTTPS" }

ansible/roles/common/handlers/main.yml

@@ -3,3 +3,7 @@
   ansible.builtin.service:
     name: sshd
     state: restarted
+
+- name: Reload ufw
+  community.general.ufw:
+    state: reloaded

ansible/roles/common/tasks/main.yml

@@ -100,3 +100,65 @@
     state: started
     enabled: true
   when: ansible_facts["os_family"] == "Debian"
+
+# --- UFW firewall (Debian only) ---
+
+- name: Set UFW default deny incoming
+  community.general.ufw:
+    direction: incoming
+    default: deny
+  when:
+    - ansible_facts["os_family"] == "Debian"
+    - ufw_enabled | bool
+  notify: Reload ufw
+
+- name: Set UFW default allow outgoing
+  community.general.ufw:
+    direction: outgoing
+    default: allow
+  when:
+    - ansible_facts["os_family"] == "Debian"
+    - ufw_enabled | bool
+  notify: Reload ufw
+
+- name: Allow all traffic on Tailscale interface
+  community.general.ufw:
+    rule: allow
+    interface_or_direction: in
+    interface: tailscale0
+    comment: "Tailscale mesh - allow all"
+  when:
+    - ansible_facts["os_family"] == "Debian"
+    - ufw_enabled | bool
+  notify: Reload ufw
+
+- name: Allow SSH (safety net)
+  community.general.ufw:
+    rule: allow
+    port: '22'
+    proto: tcp
+    comment: "SSH"
+  when:
+    - ansible_facts["os_family"] == "Debian"
+    - ufw_enabled | bool
+  notify: Reload ufw
+
+- name: Allow host-specific ports
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.port | string }}"
+    proto: "{{ item.proto | default('tcp') }}"
+    comment: "{{ item.comment | default(omit) }}"
+  loop: "{{ ufw_allowed_ports }}"
+  when:
+    - ansible_facts["os_family"] == "Debian"
+    - ufw_enabled | bool
+    - ufw_allowed_ports | length > 0
+  notify: Reload ufw
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
+  when:
+    - ansible_facts["os_family"] == "Debian"
+    - ufw_enabled | bool

ansible/services/prometheus/prometheus.yml

@@ -8,13 +8,6 @@ global:
   scrape_interval: 15s
   evaluation_interval: 15s
 
-alerting:
-  alertmanagers:
-    - static_configs:
-        - targets: []
-
-rule_files: []
-
 scrape_configs:
   - job_name: "prometheus"
     static_configs: