Firewall NFS-Server (#436)

Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: #436
2022-11-24 18:07:04 +01:00 · 2022-11-24 18:07:04 +01:00 · 617a57894e
commit 617a57894e
parent b1ab442fbc
4 changed files with 66 additions and 1 deletions
--- a/host_vars/k3s-nfs2.grote.lan.yaml
+++ b/host_vars/k3s-nfs2.grote.lan.yaml
@ -4,6 +4,8 @@
    - /srv/nfs 192.168.2.40(rw,no_subtree_check,no_root_squash) #k3s3
    - /srv/nfs 192.168.2.41(rw,no_subtree_check,no_root_squash) #k3s2
    - /srv/nfs 192.168.2.42(rw,no_subtree_check,no_root_squash) #k3s1
+  nfs_port: 33333
+

  ### mgrote.munin-node
  munin_node_plugins:
@ -35,3 +37,56 @@

  ### mgrote.restic
  restic_folders_to_backup: "/ /srv/nfs" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
+
+
+  ### oefenweb.ufw
+  ufw_rules:
+    - rule: allow
+      to_port: 22
+      protocol: tcp
+      comment: 'ssh'
+      from_ip: 0.0.0.0/0
+    - rule: allow
+      to_port: 4949
+      protocol: tcp
+      comment: 'munin'
+      from_ip: 192.168.2.144/24
+      # k3s1
+    - rule: allow
+      from_ip: 192.168.2.40
+      comment: 'nfs'
+      to_port: 2049
+    - rule: allow
+      from_ip: 192.168.2.40
+      comment: 'nfs'
+      to_port: 111
+    - rule: allow
+      from_ip: 192.168.2.40
+      comment: 'nfs'
+      to_port: "{{ nfs_port }}"
+      # k3s2
+    - rule: allow
+      from_ip: 192.168.2.41
+      comment: 'nfs'
+      to_port: 2049
+    - rule: allow
+      from_ip: 192.168.2.41
+      comment: 'nfs'
+      to_port: 111
+    - rule: allow
+      from_ip: 192.168.2.41
+      comment: 'nfs'
+      to_port: "{{ nfs_port }}"
+      # k3s3
+    - rule: allow
+      from_ip: 192.168.2.42
+      comment: 'nfs'
+      to_port: 2049
+    - rule: allow
+      from_ip: 192.168.2.42
+      comment: 'nfs'
+      to_port: 111
+    - rule: allow
+      from_ip: 192.168.2.42
+      comment: 'nfs'
+      to_port: "{{ nfs_port }}"
--- a/2
+++ b/2
@ -23,7 +23,7 @@ all:
        k3s1.grote.lan:
        k3s2.grote.lan:
        k3s3.grote.lan:
-    k3snfs:
+    nfs:
      hosts:
        k3s-nfs2.grote.lan:
    vmtest:
--- a/roles/geerlingguy.nfs_server/defaults/main.yml
+++ b/roles/geerlingguy.nfs_server/defaults/main.yml
@ -3,3 +3,5 @@ nfs_exports: []

 nfs_rpcbind_state: started
 nfs_rpcbind_enabled: true
+
+nfs_port: 33333
--- a/roles/geerlingguy.nfs_server/tasks/main.yml
+++ b/roles/geerlingguy.nfs_server/tasks/main.yml
@ -31,6 +31,14 @@
    mode: 0644
  notify: reload nfs

+- name: set port
+# https://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs
+  ansible.builtin.lineinfile:
+    path: /etc/default/nfs-kernel-server
+    regexp: 'RPCMOUNTDOPTS=--manage-gids'
+    line: RPCMOUNTDOPTS="--port {{ nfs_port }}"
+  notify: reload nfs
+
 - name: Ensure nfs is running.
  service: "name={{ nfs_server_daemon }} state=started enabled=yes"
  when: nfs_exports|length