ad isolation

2026-02-10 10:31:31 -05:00 · 2026-02-10 10:31:31 -05:00 · 91eae53605
commit 91eae53605
parent 6127347b07
2 changed files with 6 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -158,6 +158,7 @@ VMs only accept traffic from the Proxmox host (for Ansible) and the Nebula overl
 |-------|---------|
 | `admin` | Full access (your devices) |
 | `infrastructure` | Core services |
+| `ad` | Windows AD domain machines |
 | `projects` | Application workloads |
 | `games` | Isolated game servers |

--- a/ansible/templates/nebula-config.yml.j2
+++ b/ansible/templates/nebula-config.yml.j2
@ -61,6 +61,11 @@ firewall:
      proto: any
      group: projects

+    # AD domain machines can reach infrastructure (DNS forwarding, etc.)
+    - port: any
+      proto: any
+      group: ad
+
    # Allow ICMP from anyone (ping)
    - port: any
      proto: icmp