pez-infra/ansible/inventory/host_vars/london-b.yml
Rasmus Wejlgaard ede9193996 Restrict london-b Samba (445) to LAN + Tailscale, off public internet
Samba on london-b was allowed on 445/tcp from anywhere via UFW, exposing
SMB/CIFS to the public internet. Tailscale already reaches it through the
tailscale0 allow-all rule, so scope the explicit rule to the local London
LAN (192.168.1.0/24) instead of the world.

The common UFW task only ever adds allow rules, so it gained support for an
optional per-port from_ip, plus a follow-up task that deletes the superseded
world-open variant of any source-restricted port — otherwise the old
'445 ALLOW Anywhere' rule would linger on the host and defeat the change.

PESO-145
2026-06-07 11:32:37 +01:00

---
host_role: storage
host_description: "Primary storage (ZFS), Docker services"
host_location: "London"
prometheus_location: london
docker_services:
  - jellyseerr
  - navidrome
  - slskd
  - miniflux
  - smartctl-exporter
  - plex-exporter
  - bookshelf
# Snap-managed services (deployed by media_stack role)
snap_services:
  - overseerr
# APT-managed user services (deployed by media_stack role)
apt_user_services:
  - syncthing@pez
zfs_pools:
  - hdd
docker_daemon_extra:
  metrics-addr: "0.0.0.0:9323"
  data-root: "/hdd/docker"
  storage-driver: "zfs"
common_ufw_allowed_ports:
  - { port: 32400, proto: tcp, comment: "Plex Media Server" }
  - { port: 6881, proto: tcp, comment: "BitTorrent" }
  - { port: 6881, proto: udp, comment: "BitTorrent" }
  # SMB is reachable over Tailscale via the tailscale0 allow-all rule; this
  # entry additionally allows the local London LAN. Deliberately NOT open to
  # the public internet (see PESO-145).
  - { port: 445, proto: tcp, from_ip: "192.168.1.0/24", comment: "Samba (LAN only)" }
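The commit message describes the change to the common UFW task (optional per-port from_ip, plus deletion of the superseded world-open rule) but that task is not part of this page. The tasks below are an added illustration of that shape, not the pez-infra repository's own role code: task names are invented, the `community.general.ufw` module parameters (`from_ip`, `delete`, `comment`) are real, and the only input assumed is the `common_ufw_allowed_ports` list from this host_vars file. A final assert is included because UFW keeps an older `445 ALLOW Anywhere` rule alongside the new LAN-scoped one, and a play that only adds the narrower rule changes nothing about exposure.

```yaml
# Added example (not the pez-infra role's own tasks). Consumes
# common_ufw_allowed_ports as defined in host_vars/london-b.yml; entries
# without from_ip keep the old behaviour (allow from any source).
- name: Allow firewall ports (optionally restricted to a source network)
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto }}"
    from_ip: "{{ item.from_ip | default('any') }}"
    comment: "{{ item.comment | default(omit) }}"
  loop: "{{ common_ufw_allowed_ports }}"
  loop_control:
    label: "{{ item.port }}/{{ item.proto }} from {{ item.from_ip | default('any') }}"

# Adding a source-restricted rule does not replace an existing 'ALLOW Anywhere'
# rule for the same port/proto; UFW keeps both and the world-open one still
# matches. So for every source-restricted entry, delete the unrestricted
# variant (ufw delete removes the v4 and v6 copies of that rule).
- name: Remove world-open rule superseded by a source-restricted one
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto }}"
    delete: true
  loop: "{{ common_ufw_allowed_ports | selectattr('from_ip', 'defined') | list }}"
  loop_control:
    label: "{{ item.port }}/{{ item.proto }} from any"

# Verification: read the live rule table and fail the play if any
# source-restricted port is still allowed from Anywhere (v4 or v6).
- name: Read current UFW rules
  ansible.builtin.command: ufw status
  register: ufw_status
  changed_when: false

- name: Assert no source-restricted port is still world-open
  ansible.builtin.assert:
    that:
      - >-
        ufw_status.stdout_lines
        | select('match', '^' ~ item.port ~ '/' ~ item.proto ~ '( \(v6\))?\s+ALLOW\s+Anywhere')
        | list | length == 0
    fail_msg: "{{ item.port }}/{{ item.proto }} is still allowed from Anywhere"
  loop: "{{ common_ufw_allowed_ports | selectattr('from_ip', 'defined') | list }}"
```

With the london-b variables above, the first task allows 445/tcp from 192.168.1.0/24 only, the second removes the pre-existing unrestricted 445/tcp rule, and the assert catches the case the commit message warns about: the narrower rule applied but the old `445 ALLOW Anywhere` line lingering in `ufw status`. The delete task intentionally passes no `comment`, so it matches the old rule regardless of how it was annotated when added.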