Compare commits

...

2 commits

Author SHA1 Message Date
81efa1b717
Remove stale cloudflared service from copenhagen-a (PESO-138) (#125)
cloudflared was retired in #56 when Caddy + Authelia replaced Cloudflare
Tunnels, but copenhagen-a was unreachable at the time so its
cloudflared.service was never stopped and is still running.

Add a cleanup task to the common role that stops, disables and purges
cloudflared wherever the unit lingers. Gated on the unit file existing so
it self-targets copenhagen-a and is a no-op everywhere else, and explicitly
excludes copenhagen-c, which legitimately runs a hand-configured tunnel.
2026-06-07 11:45:35 +01:00
3871dc8f90
Restrict london-b Samba (445) to LAN + Tailscale, off public internet (#124)
Samba on london-b was allowed on 445/tcp from anywhere via UFW, exposing
SMB/CIFS to the public internet. Tailscale already reaches it through the
tailscale0 allow-all rule, so scope the explicit rule to the local London
LAN (192.168.1.0/24) instead of the world.

The common UFW task only ever adds allow rules, so it gained support for an
optional per-port from_ip, plus a follow-up task that deletes the superseded
world-open variant of any source-restricted port — otherwise the old
'445 ALLOW Anywhere' rule would linger on the host and defeat the change.

PESO-145
2026-06-07 11:37:45 +01:00
3 changed files with 60 additions and 1 deletions

View file

@ -33,4 +33,7 @@ common_ufw_allowed_ports:
- { port: 32400, proto: tcp, comment: "Plex Media Server" } - { port: 32400, proto: tcp, comment: "Plex Media Server" }
- { port: 6881, proto: tcp, comment: "BitTorrent" } - { port: 6881, proto: tcp, comment: "BitTorrent" }
- { port: 6881, proto: udp, comment: "BitTorrent" } - { port: 6881, proto: udp, comment: "BitTorrent" }
- { port: 445, proto: tcp, comment: "Samba" } # SMB is reachable over Tailscale via the tailscale0 allow-all rule; this
# entry additionally allows the local London LAN. Deliberately NOT open to
# the public internet (see PESO-145).
- { port: 445, proto: tcp, from_ip: "192.168.1.0/24", comment: "Samba (LAN only)" }

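Review bot: the scoped 445 entry now relies on the tailscale0 allow-all interface rule for remote access, as the inline comment states, but that rule is not part of this diff; confirm it is actually applied on london-b before this change lands, otherwise restricting 445/tcp to 192.168.1.0/24 cuts off Tailscale clients as well as the public internet. Also note that because both `from_ip` and the `comment` ("Samba" to "Samba (LAN only)") changed, UFW sees a new rule rather than a modified one, so the old `445 ALLOW Anywhere` rule is only removed by the follow-up deletion task in the tasks file; the two hunks must ship together, which they do here.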
View file

@ -7,3 +7,7 @@
- name: Reload ufw - name: Reload ufw
community.general.ufw: community.general.ufw:
state: reloaded state: reloaded
- name: Reload systemd daemon
ansible.builtin.systemd:
daemon_reload: true

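Review bot: the new `Reload systemd daemon` handler only fires at the end of the play (or at an explicit flush), so after the `Remove cloudflared systemd unit` task deletes the unit file systemd keeps the stale definition loaded until then; that is tolerable because the service is stopped first, but if any later task fails the reload never runs. Consider a `meta: flush_handlers` right after the cleanup block, or setting `daemon_reload: true` on a systemd task following the removal, so the cleanup completes within the same run.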
View file

@ -99,6 +99,7 @@
rule: allow rule: allow
port: "{{ item.port | string }}" port: "{{ item.port | string }}"
proto: "{{ item.proto | default('tcp') }}" proto: "{{ item.proto | default('tcp') }}"
from_ip: "{{ item.from_ip | default(omit) }}"
comment: "{{ item.comment | default(omit) }}" comment: "{{ item.comment | default(omit) }}"
loop: "{{ common_ufw_allowed_ports }}" loop: "{{ common_ufw_allowed_ports }}"
when: when:
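Review bot: `from_ip` becomes an accepted key of `common_ufw_allowed_ports` entries here, but nothing in the diff documents it alongside `port`, `proto` and `comment` (role defaults or README); add a short note there, including that an entry carrying `from_ip` also triggers deletion of the matching world-open rule. Using `default(omit)` is the right choice, since it leaves existing entries without `from_ip` behaving exactly as before.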
@ -106,7 +107,58 @@
- common_ufw_allowed_ports | length > 0 - common_ufw_allowed_ports | length > 0
notify: Reload ufw notify: Reload ufw
# When a port is restricted to a source (from_ip), make sure the older
# unrestricted "allow from anywhere" variant of the same rule isn't left
# lingering on the host — UFW keeps it otherwise, which would defeat the
# source restriction. Deleting an absent rule is a no-op, so this is safe
# on hosts that never had the broad rule.
- name: Remove superseded world-open rules for source-restricted ports
community.general.ufw:
rule: allow
port: "{{ item.port | string }}"
proto: "{{ item.proto | default('tcp') }}"
delete: true
loop: "{{ common_ufw_allowed_ports | selectattr('from_ip', 'defined') | list }}"
when: common_ufw_enabled | bool
notify: Reload ufw
- name: Enable UFW - name: Enable UFW
community.general.ufw: community.general.ufw:
state: enabled state: enabled
when: common_ufw_enabled | bool when: common_ufw_enabled | bool
# --- Cleanup: orphaned cloudflared (PESO-138) ---
# Cloudflare Tunnels were retired in favour of Caddy + Authelia (PESO-134, #56),
# which removed cloudflared from ansible config. copenhagen-a was unreachable at
# the time, so its cloudflared.service was never actually stopped and is still
# running. Remove it wherever the unit lingers. copenhagen-c legitimately runs a
# hand-configured cloudflared tunnel — never touch it.
- name: Detect lingering cloudflared unit
ansible.builtin.stat:
path: /etc/systemd/system/cloudflared.service
register: common_cloudflared_unit
when: inventory_hostname != 'copenhagen-c'
- name: Remove orphaned cloudflared
when:
- inventory_hostname != 'copenhagen-c'
- common_cloudflared_unit.stat.exists | default(false)
block:
- name: Stop and disable cloudflared
ansible.builtin.systemd:
name: cloudflared
state: stopped
enabled: false
failed_when: false
- name: Remove cloudflared systemd unit
ansible.builtin.file:
path: /etc/systemd/system/cloudflared.service
state: absent
notify: Reload systemd daemon
- name: Uninstall cloudflared package
ansible.builtin.apt:
name: cloudflared
state: absent
purge: true
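Review bot: the cloudflared gate checks only `/etc/systemd/system/cloudflared.service`, yet the block ends with `ansible.builtin.apt ... purge: true`, which implies a packaged install whose unit would normally live under `/lib/systemd/system` (or `/usr/lib/systemd/system`); on such a host the stat returns false, the whole block is skipped and the service keeps running, which is the exact condition the change is meant to fix. Gating on the running unit instead (for example `ansible.builtin.service_facts` and checking `ansible_facts.services['cloudflared.service']`), or stat-ing both paths, would make the self-targeting reliable. Two smaller points: `failed_when: false` on the stop/disable task hides a genuine failure, so a `systemctl` error there still lets the unit file and package be removed underneath a running process; and the `inventory_hostname != 'copenhagen-c'` literal is duplicated in both the stat task and the block, so a host variable or group exclusion would keep the exemption in one place. The UFW deletion task itself looks correct: it deletes by port/proto without `from_ip`, so it matches only the world-open variant, and the comment explains why an absent rule is harmless.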