From 91eae53605b348585dd5421c67d1bff109aa89b2 Mon Sep 17 00:00:00 2001
From: Damien Coles
Date: Tue, 10 Feb 2026 10:31:31 -0500
Subject: [PATCH] ad isolation
---
 README.md | 1 +
 ansible/templates/nebula-config.yml.j2 | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/README.md b/README.md
index c1b57d1..4dc21bc 100644
--- a/README.md
+++ b/README.md
@@ -158,6 +158,7 @@ VMs only accept traffic from the Proxmox host (for Ansible) and the Nebula overl
 |-------|---------|
 | `admin` | Full access (your devices) |
 | `infrastructure` | Core services |
+| `ad` | Windows AD domain machines |
 | `projects` | Application workloads |
 | `games` | Isolated game servers |
 
diff --git a/ansible/templates/nebula-config.yml.j2 b/ansible/templates/nebula-config.yml.j2
index 0bfe52c..a8a0e78 100644
--- a/ansible/templates/nebula-config.yml.j2
+++ b/ansible/templates/nebula-config.yml.j2
@@ -61,6 +61,11 @@ firewall:
 proto: any
 group: projects
 
+ # AD domain machines can reach infrastructure (DNS forwarding, etc.)
+ - port: any
+ proto: any
+ group: ad
+
 # Allow ICMP from anyone (ping)
 - port: any
 proto: icmp
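Review bot: The new rule for group `ad` allows `port: any` with `proto: any`, which is far broader than the "DNS forwarding, etc." the comment above it describes, and unless a Jinja condition outside the hunk limits which hosts render this block, it applies to every node built from this template rather than only `infrastructure`. For a commit titled "ad isolation" that effectively gives any domain-joined machine full overlay access to each host that renders the rule, so one compromised AD member reaches everything. Consider narrowing to the services actually needed, e.g. `port: 53` with `proto: any` for DNS, adding one entry per further service, and/or guarding the block with a host-group check such as `{% if '<infrastructure-group-placeholder>' in group_names %}` so other hosts do not receive it. The enclosing `firewall:` rule list starts above the hunk, so whether this is the `inbound` or `outbound` list cannot be confirmed here and should be checked before merging.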