From 49cee191b5113a22a44251f9c20741d41119d834 Mon Sep 17 00:00:00 2001
From: "Rasmus \"Pez\" Wejlgaard"
Date: Sat, 11 Apr 2026 21:24:11 +0100
Subject: [PATCH] fix: bind mariadb to local ip (#62)
---
 ansible/deploy.yml | 1 +
 ansible/inventory/host_vars/copenhagen-a.yml | 2 +-
 ansible/roles/mariadb/files/bind-local.cnf | 5 +++++
 ansible/roles/mariadb/handlers/main.yml | 5 +++++
 ansible/roles/mariadb/tasks/main.yml | 9 +++++++++
 5 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/mariadb/files/bind-local.cnf
 create mode 100644 ansible/roles/mariadb/handlers/main.yml
 create mode 100644 ansible/roles/mariadb/tasks/main.yml
diff --git a/ansible/deploy.yml b/ansible/deploy.yml
index 78cf7c4..9ff6249 100644
--- a/ansible/deploy.yml
+++ b/ansible/deploy.yml
@@ -88,6 +88,7 @@
 roles:
 - role: docker_services
 - role: systemd_services
+ - role: mariadb
 # london-a: Monitoring stack (FreeBSD — Prometheus, Grafana)
 # Note: london-a uses FreeBSD; monitoring roles handle this via conditionals.
diff --git a/ansible/inventory/host_vars/copenhagen-a.yml b/ansible/inventory/host_vars/copenhagen-a.yml
index f89625a..50f4518 100644
--- a/ansible/inventory/host_vars/copenhagen-a.yml
+++ b/ansible/inventory/host_vars/copenhagen-a.yml
@@ -14,7 +14,7 @@ docker_services:
 - minecraft
 - smartctl-exporter
-# MaNGOS database backend — managed by apt, not Ansible
+# MaNGOS database backend — installed by apt; config managed by mariadb role
 system_packages_services:
 - mariadb
diff --git a/ansible/roles/mariadb/files/bind-local.cnf b/ansible/roles/mariadb/files/bind-local.cnf
new file mode 100644
index 0000000..7f631fe
--- /dev/null
+++ b/ansible/roles/mariadb/files/bind-local.cnf
@@ -0,0 +1,5 @@
+[mysqld]
+# Restrict MariaDB to loopback only.
+# UFW blocks port 3306 externally, but binding to 127.0.0.1 provides
+# defense in depth — the socket never reaches the network stack at all.
+bind-address = 127.0.0.1
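Review bot: The comment in `bind-local.cnf` overstates what `bind-address = 127.0.0.1` does: the server still opens a TCP listener on port 3306, it is only confined to the loopback interface, so local processes can still connect over TCP. I would reword the last two comment lines to `# UFW blocks port 3306 externally; binding to 127.0.0.1 adds defense in depth` and `# by keeping the TCP listener off every non-loopback interface.` If no client on this host needs TCP at all, `skip-networking` would limit access to the Unix socket, which is what the current wording describes. Any client that reaches the database through a non-loopback address (for example a container on a bridge network) would lose access after this change; the diff does not show whether one exists, so that is worth confirming before rollout.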
diff --git a/ansible/roles/mariadb/handlers/main.yml b/ansible/roles/mariadb/handlers/main.yml
new file mode 100644
index 0000000..a0d9e2b
--- /dev/null
+++ b/ansible/roles/mariadb/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart mariadb
+ ansible.builtin.systemd:
+ name: mariadb
+ state: restarted
diff --git a/ansible/roles/mariadb/tasks/main.yml b/ansible/roles/mariadb/tasks/main.yml
new file mode 100644
index 0000000..015c5d4
--- /dev/null
+++ b/ansible/roles/mariadb/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Deploy MariaDB bind-address config
+ ansible.builtin.copy:
+ src: bind-local.cnf
+ dest: /etc/mysql/mariadb.conf.d/99-bind-local.cnf
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Restart mariadb
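Review bot: Nothing after the copy task in `tasks/main.yml` confirms that MariaDB ends up listening only on loopback. The handler runs at the end of the play, and a later-sorting file in `/etc/mysql/mariadb.conf.d/` or a command-line option on the service could still override `bind-address` without the play noticing. I would flush the handler inside the role and then assert that port 3306 answers on 127.0.0.1 and is closed on the host's primary address, as sketched below. The second check relies on gathered facts, which this diff does not show being enabled.

```yaml
# … unchanged: "Deploy MariaDB bind-address config" copy task …
  notify: Restart mariadb

- name: Apply pending MariaDB restart before verifying
  ansible.builtin.meta: flush_handlers

- name: Confirm MariaDB answers on loopback
  ansible.builtin.wait_for:
    host: 127.0.0.1
    port: 3306
    timeout: 30

- name: Confirm MariaDB is not reachable on the primary address
  ansible.builtin.wait_for:
    host: "{{ ansible_facts['default_ipv4']['address'] }}"
    port: 3306
    state: stopped
    timeout: 10
```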