try to clarify nfs export intents

Author: sjpb

environments/common/inventory/group_vars/all/nfs.yml

@@ -5,9 +5,11 @@
 
 nfs_server_default: "{{ groups['control'] | first }}" # avoid using hostvars for compute-init
 
-# only allow the nfs group IPs to mount nfs exports:
-nfs_export_clients_default: "{{ groups['nfs'] | map('extract', hostvars, 'ansible_host') | join(' ') }}"
-nfs_export_clients: "{{ nfs_export_clients_default }}"
+# create a space-separated list of nfs group IPs:
+_nfs_node_ips: "{{ groups['nfs'] | map('extract', hostvars, 'ansible_host') | join(' ') }}"
+
+# default *all* entries in nfs_configurations to only permitting mounts from above IPs:
+nfs_export_clients: "{{ _nfs_node_ips }}"
 
 nfs_configurations:
   - comment: Export /exports/home from Slurm control node as /home
@@ -22,7 +24,7 @@ nfs_configurations:
     # NB: this is stackhpc.nfs role defaults but are set here to prevent being
     # accidently overriden via default options
     nfs_export_options: 'rw,secure,root_squash'
-    # prevent other IPs mounting the share:
+    # prevent non-cluster IPs mounting the share:
     # NB: this is set as default for all shares above but is repeated here
-    # to prevevent being accidently overriden when adding shares
-    nfs_export_clients: "{{ nfs_export_clients_default }}"
+    # in case nfs_export_clients is overriden
+    nfs_export_clients: "{{ _nfs_node_ips }}"