diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8ccc1d7e8483b1de94706569a168e1fd5ffb868e..e9fae02d88a0768c5176da1a715826ebf8904fe2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -15,7 +15,7 @@ default:
 variables:
   SCENARIO: "default"
   # ANSIBLE_VAULT_PASSWORD_FILE: "molecule/lza_server_hardening.pass"
-  ANSIBLE_VAULT_PASSWORD_FILE: "../../../lza_server_hardening.pass"
+  ANSIBLE_VAULT_PASSWORD_FILE: "../lza_server_hardening.pass"
     
 
 test-job:
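Review bot: `ANSIBLE_VAULT_PASSWORD_FILE` now resolves to `../lza_server_hardening.pass`, one level above the job's working directory, so the vault password is written outside the checkout, where the runner's workspace cleanup will not necessarily remove it. Depending on the executor, that parent directory may be shared with other jobs or projects on the same runner. No removal step is visible in this diff. If none exists elsewhere in the file, add an `after_script` entry such as `- rm -f "${ANSIBLE_VAULT_PASSWORD_FILE}"` to `test-job`.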
@@ -26,7 +26,7 @@ test-job:
     - echo "CURRENT PATH= '$(pwd)'" 
     # make sure that Ansible Vaults are present and can be decrypted
     - echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}
-    - export ANSIBLE_VAULT_PASSWORD_FILE
+    - export ANSIBLE_VAULT_PASSWORD_FILE="../../${ANSIBLE_VAULT_PASSWORD_FILE}"
     - tree
     - rm -rf ../ansible_vaults/
     - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
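Review bot: The new export re-prefixes the variable with `../../`, so the password file is found only from a directory exactly two levels below the one it was written from. A step that runs from any other working directory would miss the file or read an unrelated one. Resolving the path once, straight after the write, removes that dependency: `export ANSIBLE_VAULT_PASSWORD_FILE="$(realpath "${ANSIBLE_VAULT_PASSWORD_FILE}")"`. The write on the preceding line also creates the secret with the default umask and an unquoted redirect target. Putting `umask 077` before it and quoting `"${ANSIBLE_VAULT_PASSWORD_FILE}"` would keep the file owner-readable only. The script list continues outside this hunk.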
diff --git a/tasks/configure_rpcbind.yml b/tasks/configure_rpcbind.yml
index 3a11e2995fab3a676eaa034b2bbd813b0b01ea7f..c8862a7a954a3cac2be7f58c43a394e581c4f594 100644
--- a/tasks/configure_rpcbind.yml
+++ b/tasks/configure_rpcbind.yml
@@ -19,6 +19,7 @@
   ansible.builtin.blockinfile:
     path: "/etc/systemd/system/rpcbind.socket.d/override.conf"
     create: true
+    mode: "0644"
     marker: "### {mark} ANSIBLE MANAGED BLOCK - clear previous settings"
     block: |
       # from `man 5 systemd.socket`:
@@ -34,24 +35,25 @@
   when: rpcbind_installed
   notify: daemon_reload
 
-- name: implement access control in rpcbind socket unit by creating an override - general settings
+- name: implement access control in rpcbind socket unit by creating an override - interface specific settings
   ansible.builtin.blockinfile:
     path: "/etc/systemd/system/rpcbind.socket.d/override.conf"
     create: true
-    marker: ### {mark} ANSIBLE MANAGED BLOCK - allow access for {{ item.source }}
+    mode: "0644"
+    marker: "### {mark} ANSIBLE MANAGED BLOCK - allow access for {{ item.source }}"
     block: |
       ListenStream={{ item.source }}
       ListenDatagram={{ item.source }}
-  loop: "{{ nfs_server_interfaces }}"
+  loop: "{{ vault_nfs_server_interfaces }}"
   when: rpcbind_installed
   notify: daemon_reload
 
 - name: implement rpcbind access control in iptables
   ansible.builtin.iptables:
     action: "insert"
-    chain: "INPUP"
-    comment: "{{ item.comment }}"
+    chain: "INPUT"
+    comment: "allow rpcbind access from {{ item.comment }} for NFSv3"
     source: "{{ item.source }}"
     jump: "ACCEPT"
-  loop: "{{ nfs_server_interfaces }}"
+  loop: "{{ vault_nfs_server_interfaces }}"
   notify: "save iptables rules"
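Review bot: The iptables task inserts an `ACCEPT` rule that matches only on `source`, so it admits all protocols and ports from each listed address, although the new comment describes it as rpcbind access for NFSv3. Restricting the match would make the rule do what the comment says: add `protocol: "tcp"` with `destination_port: "111"`, plus a UDP counterpart, since the port match needs a protocol. Unlike the two socket-override tasks, this one has no `when: rpcbind_installed`, so the rule is inserted even on hosts without rpcbind; confirm that is intended. `item.source` feeds both `ListenStream=`/`ListenDatagram=`, which take a local listen address, and the iptables `source`, which is a remote peer address. It is worth checking that one field of `vault_nfs_server_interfaces` can serve both.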