Fix NFS export security and consolidate firewall rules

Replace no_root_squash with root_squash in NFS export options. With
no_root_squash, any root user on K8s nodes (or root-running pods) had
full root access to all NFS shares. Now squashed root maps to
configurable anonuid/anongid (default 65534/nobody).

Add anonuid and anongid to the exports template so the mapping is
explicit in /etc/exports.

Consolidate UFW firewall configuration and validation into a single
block so all rules, enable, and verification run as one atomic unit
gated on UFW availability.

Author: serpro69

metal/roles/storage/defaults/main.yml

@@ -3,7 +3,11 @@
 homelab_net_cidr: "10.10.10.0/24"
 
 # Default NFS export options
-default_nfs_options: "rw,sync,no_subtree_check,no_root_squash,insecure"
+default_nfs_options: "rw,sync,no_subtree_check,root_squash,insecure"
+
+# Anonymous uid/gid for root_squash mapping (squashed root becomes this user)
+nfs_anon_uid: 65534 # nobody
+nfs_anon_gid: 65534 # nogroup
 
 # Firewall configuration
 manage_firewall: true # Set to false to skip firewall configuration

metal/roles/storage/tasks/nfs_firewall.yml

@@ -2,10 +2,6 @@
 # NFS Firewall Configuration
 # Configures UFW firewall rules for NFS services
 
-# =================================================================
-# FIREWALL DETECTION AND SETUP
-# =================================================================
-
 - name: Check if UFW is installed
   command: which ufw
   register: ufw_check
@@ -30,11 +26,7 @@
   debug:
     msg: "UFW is {{ 'available' if ufw_available.rc == 0 else 'not available' }}"
 
-# =================================================================
-# UFW CONFIGURATION
-# =================================================================
-
-- name: Configure UFW firewall rules
+- name: Configure and validate UFW firewall
   when: ufw_available.rc == 0
   block:
     - name: Check UFW status
@@ -53,18 +45,18 @@
         direction: outgoing
         policy: allow
 
-    - name: Configure TCP ports in firewall
+    - name: Allow SSH access
       ufw:
         rule: allow
-        src: "{{ item.0 }}"
-        port: "{{ item.1 }}"
+        src: "{{ item }}"
+        port: "22"
         proto: tcp
-        comment: "{{ item.1 }}/tcp"
-      loop: "{{ firewall_allowed_networks | product(['22']) | list }}"
+        comment: "SSH 22/tcp"
+      loop: "{{ firewall_allowed_networks }}"
       loop_control:
-        label: "{{ item.0 }} -> {{ item.1 }}/tcp"
+        label: "{{ item }} -> 22/tcp"
 
-    - name: Configure NFS TCP ports in firewall
+    - name: Allow NFS TCP ports
       ufw:
         rule: allow
         src: "{{ item.0 }}"
@@ -75,18 +67,22 @@
       loop_control:
         label: "{{ item.0 }} -> {{ item.1 }}/tcp"
 
-    - name: Configure NFS UDP ports in firewall
+    - name: Allow NFS UDP ports
       ufw:
         rule: allow
         src: "{{ item.0 }}"
         port: "{{ item.1 }}"
         proto: udp
         comment: "NFS {{ item.1 }}/udp"
-      # UDP 2049 to support potential NFSv3 clients
       loop: "{{ firewall_allowed_networks | product(['111', '2049']) | list }}"
       loop_control:
         label: "{{ item.0 }} -> {{ item.1 }}/udp"
 
+    - name: Enable UFW if not active
+      ufw:
+        state: enabled
+      when: "'Status: active' not in ufw_status.stdout"
+
     - name: Display firewall rules
       command: ufw status numbered
       register: ufw_rules
@@ -97,28 +93,15 @@
         msg: "{{ ufw_rules.stdout_lines }}"
       when: ufw_rules.stdout_lines is defined
 
-    - name: Enable UFW if not active
-      ufw:
-        state: enabled
-      when: "'Status: active' not in ufw_status.stdout"
-      register: ufw_enable
-
-# =================================================================
-# FIREWALL VALIDATION
-# =================================================================
-
-- name: Validate firewall allows NFS traffic
-  when: ufw_available.rc == 0
-  block:
-    - name: Check if NFS ports are allowed
+    - name: Verify NFS firewall rules
       shell: |
         set -o pipefail
         ufw status | grep -E '(111|2049|20048)'
       register: nfs_ports_check
       changed_when: false
       failed_when: false
 
-    - name: Verify NFS firewall rules
+    - name: Assert NFS firewall rules are present
       assert:
         that:
           - nfs_ports_check.rc == 0

metal/roles/storage/templates/exports.j2

@@ -5,7 +5,7 @@
 
 # Default NFS exports for Kubernetes
 {% for dir in storage_dirs %}
-/mnt/storage/{{ dir }} {{ homelab_net_cidr | default('10.10.10.0/24') }}({{ default_nfs_options }},fsid={{ loop.index }})
+/mnt/storage/{{ dir }} {{ homelab_net_cidr | default('10.10.10.0/24') }}({{ default_nfs_options }},anonuid={{ nfs_anon_uid }},anongid={{ nfs_anon_gid }},fsid={{ loop.index }})
 {% endfor %}
 
 # Custom exports (if defined in inventory)