Firewall NFS-Server (#436)

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: #436
Michael Grote 2022-11-24 18:07:04 +01:00
parent b1ab442fbc
commit 617a57894e
4 changed files with 66 additions and 1 deletions


@ -4,6 +4,8 @@
- /srv/nfs 192.168.2.40(rw,no_subtree_check,no_root_squash) #k3s3
- /srv/nfs 192.168.2.41(rw,no_subtree_check,no_root_squash) #k3s2
- /srv/nfs 192.168.2.42(rw,no_subtree_check,no_root_squash) #k3s1
nfs_port: 33333
### mgrote.munin-node
munin_node_plugins:
@ -35,3 +37,56 @@
### mgrote.restic
restic_folders_to_backup: "/ /srv/nfs" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
### oefenweb.ufw
ufw_rules:
- rule: allow
to_port: 22
protocol: tcp
comment: 'ssh'
from_ip: 0.0.0.0/0
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
# k3s1
- rule: allow
from_ip: 192.168.2.40
comment: 'nfs'
to_port: 2049
- rule: allow
from_ip: 192.168.2.40
comment: 'nfs'
to_port: 111
- rule: allow
from_ip: 192.168.2.40
comment: 'nfs'
to_port: "{{ nfs_port }}"
# k3s2
- rule: allow
from_ip: 192.168.2.41
comment: 'nfs'
to_port: 2049
- rule: allow
from_ip: 192.168.2.41
comment: 'nfs'
to_port: 111
- rule: allow
from_ip: 192.168.2.41
comment: 'nfs'
to_port: "{{ nfs_port }}"
# k3s3
- rule: allow
from_ip: 192.168.2.42
comment: 'nfs'
to_port: 2049
- rule: allow
from_ip: 192.168.2.42
comment: 'nfs'
to_port: 111
- rule: allow
from_ip: 192.168.2.42
comment: 'nfs'
to_port: "{{ nfs_port }}"
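Review bot: The munin rule's `from_ip: 192.168.2.144/24` pairs a host address with a /24 prefix, so the rule effectively admits the whole 192.168.2.0/24 network rather than the single munin host the `'munin'` comment suggests; write `from_ip: 192.168.2.144` if only that host should reach 4949, or `from_ip: 192.168.2.0/24` if the whole LAN is intended, so the scope is readable. The ssh rule is the only one open to `0.0.0.0/0` while every other rule is scoped to 192.168.2.x; on a LAN-only NFS host, `from_ip: 192.168.2.0/24` would be consistent with the rest of the list. The nine NFS rules omit `protocol:` where ssh and munin set `protocol: tcp`; if that is deliberate so rpcbind and mountd are reachable over UDP as well, a one-line comment such as `# no protocol: NFS/rpcbind need tcp and udp` would keep a later reader from narrowing them.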


@ -23,7 +23,7 @@ all:
k3s1.grote.lan:
k3s2.grote.lan:
k3s3.grote.lan:
k3snfs:
nfs:
hosts:
k3s-nfs2.grote.lan:
vmtest:


@ -3,3 +3,5 @@ nfs_exports: []
nfs_rpcbind_state: started
nfs_rpcbind_enabled: true
nfs_port: 33333
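Review bot: The role default `nfs_port: 33333` is repeated verbatim as a host var in the first file of this commit, so the two values can drift apart without either looking wrong; keep the default alone, or the host override alone, unless the host genuinely needs a different port. A short comment on the default, `# fixed mountd port so it can be firewalled; must match the ufw rules`, would record why a non-standard port exists at all.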


@ -31,6 +31,14 @@
mode: 0644
notify: reload nfs
- name: set port
# https://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs
ansible.builtin.lineinfile:
path: /etc/default/nfs-kernel-server
regexp: 'RPCMOUNTDOPTS=--manage-gids'
line: RPCMOUNTDOPTS="--port {{ nfs_port }}"
notify: reload nfs
- name: Ensure nfs is running.
service: "name={{ nfs_server_daemon }} state=started enabled=yes"
when: nfs_exports|length
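Review bot: `line: RPCMOUNTDOPTS="--port {{ nfs_port }}"` replaces the whole option string and thereby drops `--manage-gids`, which changes how mountd resolves supplementary groups for the exports; `line: RPCMOUNTDOPTS="--manage-gids --port {{ nfs_port }}"` pins the port without that side effect. The regexp `'RPCMOUNTDOPTS=--manage-gids'` is unanchored and only matches the unquoted spelling; on Debian-family hosts the stock /etc/default/nfs-kernel-server appears to carry the value in double quotes, in which case lineinfile appends a second assignment rather than replacing the first, leaving the file with two `RPCMOUNTDOPTS=` lines — `regexp: '^RPCMOUNTDOPTS='` matches whatever is there and stays idempotent after the first run. The surrounding task list continues outside the hunk.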