pez-infra/ansible/inventory/host_vars
Rasmus "Pez" Wejlgaard 3871dc8f90
Restrict london-b Samba (445) to LAN + Tailscale, off public internet (#124)

Samba on london-b was allowed on 445/tcp from anywhere via UFW, exposing
SMB/CIFS to the public internet. Tailscale already reaches it through the
tailscale0 allow-all rule, so scope the explicit rule to the local London
LAN (192.168.1.0/24) instead of the world.

The common UFW task only ever adds allow rules, so it gained support for an
optional per-port from_ip, plus a follow-up task that deletes the superseded
world-open variant of any source-restricted port — otherwise the old
'445 ALLOW Anywhere' rule would linger on the host and defeat the change.

PESO-145
2026-06-07 11:37:45 +01:00
copenhagen-a.yml template prometheus config (#67) 2026-04-21 20:44:37 +01:00
copenhagen-c.yml template prometheus config (#67) 2026-04-21 20:44:37 +01:00
helsinki-a.yml Migration to Grafana Cloud, nuremberg-a reinstalled, london-a reinsta… (#93) 2026-05-03 14:00:22 +01:00
london-a.yml fix: update config for london-a for new proxmox install (#101) 2026-05-09 19:22:34 +01:00
london-b.yml Restrict london-b Samba (445) to LAN + Tailscale, off public internet (#124) 2026-06-07 11:37:45 +01:00
london-c.yml fix: adding octopus_exporter compose (#69) 2026-04-25 12:38:12 +01:00
nuremberg-a.yml Migration to Grafana Cloud, nuremberg-a reinstalled, london-a reinsta… (#93) 2026-05-03 14:00:22 +01:00