Add default ufw rules on storage host

Author: serpro69

docs/guides/how_to_install_debian_on_storage_node.md

@@ -115,3 +115,16 @@ Before running the storage playbook (`ansible-playbook -i inventory.sh storage.y
 - [ ] APT sources configured (for package installation)
 - [ ] Data drives are physically installed and visible: `lsblk` shows the expected disks
 - [ ] Data drives are partitioned (partition IDs match the inventory in `metal/inventory/metal.yml`)
+- [ ] Controller is reachable from the homelab network (see firewall warning below)
+
+!!! warning "Firewall: SSH lockout risk"
+    The storage playbook configures UFW with a **default deny incoming** policy. Only networks listed in `firewall_allowed_networks` (defaults to `10.10.10.0/24`) are allowed SSH and NFS access. If your Ansible controller is on a different subnet (e.g. `192.168.1.0/24`), **UFW will block SSH and you will be locked out** of the storage node.
+
+    To avoid this, either:
+
+    - Run the playbook from a machine on the `10.10.10.0/24` network, **or**
+    - Add your controller's subnet to `firewall_allowed_networks` when running the playbook:
+
+        ```bash
+        make -C metal storage ANSIBLE_ARGS='-e "firewall_allowed_networks=[\"10.10.10.0/24\",\"192.168.1.0/24\"]"'
+        ```

docs/info/todo.md

@@ -190,7 +190,7 @@ title: ToDo
 
 - [ ] Setup pi-hole on the cluster
 
-- [ ] NFS Optimizations
+- [ ] Storage Node / NFS Optimizations
   - NFS mount monitoring/health check on K8s side
     There's no monitoring or alerting for NFS mount failures on the K8s side. If the NAS goes down, pods will hang on NFS operations. This is a common NFS issue. Consider adding:
     - NFS mount soft option (instead of default hard) for timeout behavior
@@ -202,3 +202,5 @@ title: ToDo
     This is optional and premature optimization, but should be kept in mind.
   - fstab entry cleanup
     - If you remove a data drive from inventory, the fstab entry persists (uses lineinfile with state: present, never absent). Not a concern for initial deployment.
+  - Use `nftables` instead of `ufw` on Debian
+    - Add equivalent `firewalld` tasks to properly support RedHat

metal/roles/storage/defaults/main.yml

@@ -7,8 +7,9 @@ default_nfs_options: "rw,sync,no_subtree_check,no_root_squash,insecure"
 
 # Firewall configuration
 manage_firewall: true # Set to false to skip firewall configuration
+# TODO: should use nftables on Debian (+ firewalld equivalent if we trully want to support redhat OSes)
 install_ufw: true # Install UFW if not present (only when manage_firewall=true)
-nfs_allowed_networks:
+firewall_allowed_networks: # NB! The default will only allow connections (including SSH) from homelab network
   - "{{ homelab_net_cidr }}"
 
 # Network configuration (optional)

metal/roles/storage/tasks/k8s_validation.yml

@@ -57,7 +57,7 @@
             volumes:
             - name: nfs-volume
               nfs:
-                server: {{ ansible_host }}
+                server: "{{ ansible_host }}"
                 path: /mnt/storage/Temp
             restartPolicy: Never
         dest: /tmp/nfs-test-pod.yaml

metal/roles/storage/tasks/nfs_firewall.yml

@@ -43,14 +43,35 @@
       changed_when: false
       failed_when: false
 
+    - name: Set UFW default deny incoming
+      ufw:
+        direction: incoming
+        policy: deny
+
+    - name: Set UFW default allow outgoing
+      ufw:
+        direction: outgoing
+        policy: allow
+
+    - name: Configure TCP ports in firewall
+      ufw:
+        rule: allow
+        src: "{{ item.0 }}"
+        port: "{{ item.1 }}"
+        proto: tcp
+        comment: "{{ item.1 }}/tcp"
+      loop: "{{ firewall_allowed_networks | product(['22']) | list }}"
+      loop_control:
+        label: "{{ item.0 }} -> {{ item.1 }}/tcp"
+
     - name: Configure NFS TCP ports in firewall
       ufw:
         rule: allow
         src: "{{ item.0 }}"
         port: "{{ item.1 }}"
         proto: tcp
         comment: "NFS {{ item.1 }}/tcp"
-      loop: "{{ nfs_allowed_networks | product(['22', '111', '2049', '20048']) | list }}"
+      loop: "{{ firewall_allowed_networks | product(['111', '2049', '20048']) | list }}"
       loop_control:
         label: "{{ item.0 }} -> {{ item.1 }}/tcp"
 
@@ -62,7 +83,7 @@
         proto: udp
         comment: "NFS {{ item.1 }}/udp"
       # UDP 2049 to support potential NFSv3 clients
-      loop: "{{ nfs_allowed_networks | product(['111', '2049']) | list }}"
+      loop: "{{ firewall_allowed_networks | product(['111', '2049']) | list }}"
       loop_control:
         label: "{{ item.0 }} -> {{ item.1 }}/udp"