fix: bind mariadb to local ip

ansible/deploy.yml

@@ -88,6 +88,7 @@
   roles:
     - role: docker_services
     - role: systemd_services
+    - role: mariadb
 
 # london-a: Monitoring stack (FreeBSD — Prometheus, Grafana)
 # Note: london-a uses FreeBSD; monitoring roles handle this via conditionals.

ansible/inventory/host_vars/copenhagen-a.yml

@@ -14,6 +14,6 @@ docker_services:
   - minecraft
   - smartctl-exporter
 
-# MaNGOS database backend — managed by apt, not Ansible
+# MaNGOS database backend — installed by apt; config managed by mariadb role
 system_packages_services:
   - mariadb

ansible/roles/mariadb/files/bind-local.cnf

@@ -0,0 +1,5 @@
+[mysqld]
+# Restrict MariaDB to loopback only.
+# UFW blocks port 3306 externally, but binding to 127.0.0.1 provides
+# defense in depth — the socket never reaches the network stack at all.
+bind-address = 127.0.0.1

ansible/roles/mariadb/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart mariadb
+  ansible.builtin.systemd:
+    name: mariadb
+    state: restarted

ansible/roles/mariadb/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Deploy MariaDB bind-address config
+  ansible.builtin.copy:
+    src: bind-local.cnf
+    dest: /etc/mysql/mariadb.conf.d/99-bind-local.cnf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart mariadb