From 617a57894eea8069d106cbbbce8a8f71f07117e2 Mon Sep 17 00:00:00 2001
From: mg
Date: Thu, 24 Nov 2022 18:07:04 +0100
Subject: [PATCH] Firewall NFS-Server (#436)

Co-authored-by: Michael Grote
Reviewed-on: https://git.mgrote.net/mg/homeserver/pulls/436
---
 host_vars/k3s-nfs2.grote.lan.yaml | 55 +++++++++++++++++++
 inventory | 2 +-
 .../geerlingguy.nfs_server/defaults/main.yml | 2 +
 roles/geerlingguy.nfs_server/tasks/main.yml | 8 +++
 4 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/host_vars/k3s-nfs2.grote.lan.yaml b/host_vars/k3s-nfs2.grote.lan.yaml
index f40b7dbc..3d31e159 100644
--- a/host_vars/k3s-nfs2.grote.lan.yaml
+++ b/host_vars/k3s-nfs2.grote.lan.yaml
@@ -4,6 +4,8 @@
 - /srv/nfs 192.168.2.40(rw,no_subtree_check,no_root_squash) #k3s3
 - /srv/nfs 192.168.2.41(rw,no_subtree_check,no_root_squash) #k3s2
 - /srv/nfs 192.168.2.42(rw,no_subtree_check,no_root_squash) #k3s1
+ nfs_port: 33333
+

 ### mgrote.munin-node
 munin_node_plugins:
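Review bot: The added `nfs_port: 33333` in host_vars repeats the value this same commit makes the role default (roles/geerlingguy.nfs_server/defaults/main.yml), so the port now lives in two places that have to move together with the ufw rules and the rpc.mountd option line; either drop the host_var or keep it as the single source and comment it, e.g. `nfs_port: 33333  # rpc.mountd fixed port; must match the ufw 'nfs' rules below`. Worth stating next to it that the firewall is the only control here: the unchanged exports use `no_root_squash`, so any host that can present one of the three allowed source addresses gets root-equivalent write access to /srv/nfs.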
@@ -35,3 +37,56 @@

 ### mgrote.restic
 restic_folders_to_backup: "/ /srv/nfs" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
+
+
+ ### oefenweb.ufw
+ ufw_rules:
+ - rule: allow
+ to_port: 22
+ protocol: tcp
+ comment: 'ssh'
+ from_ip: 0.0.0.0/0
+ - rule: allow
+ to_port: 4949
+ protocol: tcp
+ comment: 'munin'
+ from_ip: 192.168.2.144/24
+ # k3s1
+ - rule: allow
+ from_ip: 192.168.2.40
+ comment: 'nfs'
+ to_port: 2049
+ - rule: allow
+ from_ip: 192.168.2.40
+ comment: 'nfs'
+ to_port: 111
+ - rule: allow
+ from_ip: 192.168.2.40
+ comment: 'nfs'
+ to_port: "{{ nfs_port }}"
+ # k3s2
+ - rule: allow
+ from_ip: 192.168.2.41
+ comment: 'nfs'
+ to_port: 2049
+ - rule: allow
+ from_ip: 192.168.2.41
+ comment: 'nfs'
+ to_port: 111
+ - rule: allow
+ from_ip: 192.168.2.41
+ comment: 'nfs'
+ to_port: "{{ nfs_port }}"
+ # k3s3
+ - rule: allow
+ from_ip: 192.168.2.42
+ comment: 'nfs'
+ to_port: 2049
+ - rule: allow
+ from_ip: 192.168.2.42
+ comment: 'nfs'
+ to_port: 111
+ - rule: allow
+ from_ip: 192.168.2.42
+ comment: 'nfs'
+ to_port: "{{ nfs_port }}"
diff --git a/inventory b/inventory
index 70557e69..8dd70ce3 100644
--- a/inventory
+++ b/inventory
@@ -23,7 +23,7 @@ all:
 k3s1.grote.lan:
 k3s2.grote.lan:
 k3s3.grote.lan:
- k3snfs:
+ nfs:
 hosts:
 k3s-nfs2.grote.lan:
 vmtest:
diff --git a/roles/geerlingguy.nfs_server/defaults/main.yml b/roles/geerlingguy.nfs_server/defaults/main.yml
index 0bc919fb..69bd938c 100644
--- a/roles/geerlingguy.nfs_server/defaults/main.yml
+++ b/roles/geerlingguy.nfs_server/defaults/main.yml
@@ -3,3 +3,5 @@
 nfs_exports: []
 nfs_rpcbind_state: started
 nfs_rpcbind_enabled: true
+
+nfs_port: 33333
diff --git a/roles/geerlingguy.nfs_server/tasks/main.yml b/roles/geerlingguy.nfs_server/tasks/main.yml
index 41000309..377b5a59 100644
--- a/roles/geerlingguy.nfs_server/tasks/main.yml
+++ b/roles/geerlingguy.nfs_server/tasks/main.yml
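Review bot: The munin rule's `from_ip: 192.168.2.144/24` has host bits set inside a /24, so it does not describe a single host — ufw/iptables apply the mask and the rule is effectively 192.168.2.0/24, opening 4949 to the whole LAN; write `from_ip: 192.168.2.144` for one host or `from_ip: 192.168.2.0/24` if the subnet is intended. The ssh rule's `from_ip: 0.0.0.0/0` is wider than every other rule in the list; unless SSH must be reachable from outside the LAN, `from_ip: 192.168.2.0/24` would match the rest. The nfs rules only admit 2049, 111 and the mountd port, so if the k3s nodes mount with NFSv3 the statd/lockd ports are still blocked and locking will hang — either force `vers=4` on the clients or pin and allow those ports too. All of this presumes the oefenweb.ufw role's default incoming policy is deny, which is not visible in this change.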
@@ -31,6 +31,14 @@
 mode: 0644
 notify: reload nfs

+- name: set port
+# https://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs
+ ansible.builtin.lineinfile:
+ path: /etc/default/nfs-kernel-server
+ regexp: 'RPCMOUNTDOPTS=--manage-gids'
+ line: RPCMOUNTDOPTS="--port {{ nfs_port }}"
+ notify: reload nfs
+
 - name: Ensure nfs is running.
 service: "name={{ nfs_server_daemon }} state=started enabled=yes"
 when: nfs_exports|length
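Review bot: The `set port` task matches `RPCMOUNTDOPTS=--manage-gids` but writes a line without `--manage-gids`, so server-side group resolution (needed for users in more than 16 groups) is silently dropped, and because the regexp only matches the stock Debian line it no longer matches once the file has been rewritten — the next time `nfs_port` changes, lineinfile appends a second `RPCMOUNTDOPTS=` at EOF instead of replacing the first. Anchor on the variable name and keep the option: `regexp: '^RPCMOUNTDOPTS='` and `line: 'RPCMOUNTDOPTS="--manage-gids --port {{ nfs_port }}"'`. If the `reload nfs` handler (defined outside this hunk) only re-runs exportfs, rpc.mountd keeps listening on its old port until the service is restarted, so a port change should notify a restart. Note also that this edits a vendored Galaxy role in place and hard-codes a Debian path, while the role appears to support other distributions via `nfs_server_daemon`; a `when: ansible_os_family == 'Debian'` guard or moving the task into a local role would keep it from being lost on the next role update.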