pez-infra/ansible/roles
Rasmus Wejlgaard ede9193996 Restrict london-b Samba (445) to LAN + Tailscale, off public internet
Samba on london-b was allowed on 445/tcp from anywhere via UFW, exposing
SMB/CIFS to the public internet. Tailscale already reaches it through the
tailscale0 allow-all rule, so scope the explicit rule to the local London
LAN (192.168.1.0/24) instead of the world.

The common UFW task only ever adds allow rules, so it gained support for an
optional per-port from_ip, plus a follow-up task that deletes the superseded
world-open variant of any source-restricted port — otherwise the old
'445 ALLOW Anywhere' rule would linger on the host and defeat the change.

PESO-145
2026-06-07 11:32:37 +01:00
backup/tasks Add backup role to deploy hdd-backup.sh and cron to london-b (#16) 2026-03-29 15:09:01 +01:00
caddy bug: add retry to restarting caddy (#97) 2026-05-05 20:42:52 +01:00
common Restrict london-b Samba (445) to LAN + Tailscale, off public internet 2026-06-07 11:32:37 +01:00
docker fix: cleanup freebsd and alpine stuff (#105) 2026-05-12 22:43:12 +01:00
docker_services/tasks fix: stop masking failed service deploys; trim dead config (#119) 2026-06-04 18:41:24 +01:00
dotfiles/tasks fix remaining yaml lint nitpicks 2026-03-28 13:13:37 +00:00
mariadb fix: bind mariadb to local ip (#62) 2026-04-11 21:24:11 +01:00
media_stack chore: retire readarr service, replaced by bookshelf (#123) 2026-06-06 15:50:37 +01:00
proxmox_ve fix: add smb mount (#107) 2026-05-14 20:49:25 +01:00
status_page capture helsinki-a status page cron in repo (#17) 2026-03-29 15:39:35 +01:00
systemd_services fix: stop masking failed service deploys; trim dead config (#119) 2026-06-04 18:41:24 +01:00
zfs fix: cleanup freebsd and alpine stuff (#105) 2026-05-12 22:43:12 +01:00