Firewall NFS-Server (#436)
Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: #436
parent
b1ab442fbc
commit
617a57894e
4 changed files with 66 additions and 1 deletions
|
@ -4,6 +4,8 @@
|
||||||
- /srv/nfs 192.168.2.40(rw,no_subtree_check,no_root_squash) #k3s3
|
- /srv/nfs 192.168.2.40(rw,no_subtree_check,no_root_squash) #k3s3
|
||||||
- /srv/nfs 192.168.2.41(rw,no_subtree_check,no_root_squash) #k3s2
|
- /srv/nfs 192.168.2.41(rw,no_subtree_check,no_root_squash) #k3s2
|
||||||
- /srv/nfs 192.168.2.42(rw,no_subtree_check,no_root_squash) #k3s1
|
- /srv/nfs 192.168.2.42(rw,no_subtree_check,no_root_squash) #k3s1
|
||||||
|
nfs_port: 33333
|
||||||
|
|
||||||
|
|
||||||
### mgrote.munin-node
|
### mgrote.munin-node
|
||||||
munin_node_plugins:
|
munin_node_plugins:
|
||||||
|
@ -35,3 +37,56 @@
|
||||||
|
|
||||||
### mgrote.restic
|
### mgrote.restic
|
||||||
restic_folders_to_backup: "/ /srv/nfs" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
|
restic_folders_to_backup: "/ /srv/nfs" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
|
||||||
|
|
||||||
|
|
||||||
|
### oefenweb.ufw
|
||||||
|
ufw_rules:
|
||||||
|
- rule: allow
|
||||||
|
to_port: 22
|
||||||
|
protocol: tcp
|
||||||
|
comment: 'ssh'
|
||||||
|
from_ip: 0.0.0.0/0
|
||||||
|
- rule: allow
|
||||||
|
to_port: 4949
|
||||||
|
protocol: tcp
|
||||||
|
comment: 'munin'
|
||||||
|
from_ip: 192.168.2.144/24
|
||||||
|
# k3s1
|
||||||
|
- rule: allow
|
||||||
|
from_ip: 192.168.2.40
|
||||||
|
comment: 'nfs'
|
||||||
|
to_port: 2049
|
||||||
|
- rule: allow
|
||||||
|
from_ip: 192.168.2.40
|
||||||
|
comment: 'nfs'
|
||||||
|
to_port: 111
|
||||||
|
- rule: allow
|
||||||
|
from_ip: 192.168.2.40
|
||||||
|
comment: 'nfs'
|
||||||
|
to_port: "{{ nfs_port }}"
|
||||||
|
# k3s2
|
||||||
|
- rule: allow
|
||||||
|
from_ip: 192.168.2.41
|
||||||
|
comment: 'nfs'
|
||||||
|
to_port: 2049
|
||||||
|
- rule: allow
|
||||||
|
from_ip: 192.168.2.41
|
||||||
|
comment: 'nfs'
|
||||||
|
to_port: 111
|
||||||
|
- rule: allow
|
||||||
|
from_ip: 192.168.2.41
|
||||||
|
comment: 'nfs'
|
||||||
|
to_port: "{{ nfs_port }}"
|
||||||
|
# k3s3
|
||||||
|
- rule: allow
|
||||||
|
from_ip: 192.168.2.42
|
||||||
|
comment: 'nfs'
|
||||||
|
to_port: 2049
|
||||||
|
- rule: allow
|
||||||
|
from_ip: 192.168.2.42
|
||||||
|
comment: 'nfs'
|
||||||
|
to_port: 111
|
||||||
|
- rule: allow
|
||||||
|
from_ip: 192.168.2.42
|
||||||
|
comment: 'nfs'
|
||||||
|
to_port: "{{ nfs_port }}"
|
||||||
|
|
|
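Review bot: The munin rule's `from_ip: 192.168.2.144/24` has host bits set under a /24 mask, so ufw treats it as the whole 192.168.2.0/24 — every host on the subnet, not only 192.168.2.144, may reach 4949/tcp. Write the single host as `from_ip: 192.168.2.144` or, if the whole LAN is intended, `from_ip: 192.168.2.0/24`, so the rule states what it actually grants. The new `# k3s1`/`# k3s2`/`# k3s3` labels also map .40/.41/.42 the opposite way round from the existing export comments in the first hunk (`192.168.2.40 ... #k3s3`), so one set is wrong and an audit of these rules would mislabel a node; align both against the inventory. The nfs rules carry no `protocol`, which presumably means ufw applies them to both tcp and udp — what NFSv3 needs — but an inline comment saying so would stop a later tidy-up from narrowing them to `protocol: tcp`.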
@ -23,7 +23,7 @@ all:
|
||||||
k3s1.grote.lan:
|
k3s1.grote.lan:
|
||||||
k3s2.grote.lan:
|
k3s2.grote.lan:
|
||||||
k3s3.grote.lan:
|
k3s3.grote.lan:
|
||||||
k3snfs:
|
nfs:
|
||||||
hosts:
|
hosts:
|
||||||
k3s-nfs2.grote.lan:
|
k3s-nfs2.grote.lan:
|
||||||
vmtest:
|
vmtest:
|
||||||
|
|
|
@ -3,3 +3,5 @@ nfs_exports: []
|
||||||
|
|
||||||
nfs_rpcbind_state: started
|
nfs_rpcbind_state: started
|
||||||
nfs_rpcbind_enabled: true
|
nfs_rpcbind_enabled: true
|
||||||
|
|
||||||
|
nfs_port: 33333
|
||||||
|
|
|
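Review bot: `nfs_port: 33333` has no comment saying what it fixes; the name suggests the NFS service port, but the tasks hunk uses it only as `RPCMOUNTDOPTS="--port {{ nfs_port }}"`, i.e. the rpc.mountd port, while NFS itself stays on 2049 and rpcbind on 111. Add `# fixed port for rpc.mountd (RPCMOUNTDOPTS --port); pinned so the firewall can allow mountd without opening the ephemeral range` above it. The same value is also set in host_vars in this commit, and host_vars overrides a role default, so a comment at one of the two places should say which one is meant to be authoritative.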
@ -31,6 +31,14 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify: reload nfs
|
notify: reload nfs
|
||||||
|
|
||||||
|
- name: set port
|
||||||
|
# https://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /etc/default/nfs-kernel-server
|
||||||
|
regexp: 'RPCMOUNTDOPTS=--manage-gids'
|
||||||
|
line: RPCMOUNTDOPTS="--port {{ nfs_port }}"
|
||||||
|
notify: reload nfs
|
||||||
|
|
||||||
- name: Ensure nfs is running.
|
- name: Ensure nfs is running.
|
||||||
service: "name={{ nfs_server_daemon }} state=started enabled=yes"
|
service: "name={{ nfs_server_daemon }} state=started enabled=yes"
|
||||||
when: nfs_exports|length
|
when: nfs_exports|length
|
||||||
|
|
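Review bot: The `regexp: 'RPCMOUNTDOPTS=--manage-gids'` matches only the stock line, so after the first run the file holds `RPCMOUNTDOPTS="--port 33333"`, the regexp no longer matches, and lineinfile appends a second `RPCMOUNTDOPTS=` line at the end of the file on every later run or port change; since /etc/default files are presumably sourced as shell, the last assignment silently wins and a stale line can linger. Anchor on the variable instead: `regexp: '^RPCMOUNTDOPTS='`. The replacement also drops `--manage-gids`; if that is deliberate, a comment on the task should say so, otherwise keep it with `line: RPCMOUNTDOPTS="--manage-gids --port {{ nfs_port }}"`.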