Samba on london-b was allowed on 445/tcp from anywhere via UFW, exposing SMB/CIFS to the public internet. Tailscale already reaches it through the tailscale0 allow-all rule, so scope the explicit rule to the local London LAN (192.168.1.0/24) instead of the world. The common UFW task only ever adds allow rules, so it gained support for an optional per-port from_ip, plus a follow-up task that deletes the superseded world-open variant of any source-restricted port — otherwise the old '445 ALLOW Anywhere' rule would linger on the host and defeat the change. PESO-145
---
# Per-host Ansible variables (the commit message identifies the host as london-b).
host_role: storage
host_description: "Primary storage (ZFS), Docker services"
host_location: "London"
prometheus_location: london

# Docker-managed services on this host
docker_services:
  - jellyseerr
  - navidrome
  - slskd
  - miniflux
  - smartctl-exporter
  - plex-exporter
  - bookshelf

# Snap-managed services (deployed by media_stack role)
snap_services:
  - overseerr

# APT-managed user services (deployed by media_stack role)
apt_user_services:
  - syncthing@pez

zfs_pools:
  - hdd

# Extra daemon settings — presumably merged into the Docker daemon config by the
# docker role; confirm against that role.
docker_daemon_extra:
  # Binds the daemon metrics endpoint on every interface. There is no matching
  # entry in common_ufw_allowed_ports below, so it should stay behind UFW and be
  # reachable only via tailscale0 / the LAN — confirm against the common UFW role.
  metrics-addr: "0.0.0.0:9323"
  data-root: "/hdd/docker"
  storage-driver: "zfs"

# Inbound ports opened by the common UFW task. An entry without from_ip is
# allowed from anywhere; from_ip restricts the rule to that source range, and the
# task also deletes any leftover world-open rule for such a port (see PESO-145).
common_ufw_allowed_ports:
  - port: 32400
    proto: tcp
    comment: "Plex Media Server"
  - port: 6881
    proto: tcp
    comment: "BitTorrent"
  - port: 6881
    proto: udp
    comment: "BitTorrent"
  # SMB is already reachable over Tailscale through the tailscale0 allow-all
  # rule; this entry only adds the local London LAN and is deliberately NOT
  # open to the public internet (PESO-145).
  - port: 445
    proto: tcp
    from_ip: "192.168.1.0/24"
    comment: "Samba (LAN only)"