diff --git a/machines/sleeper-service/network-sleeper-service.nix b/machines/sleeper-service/network-sleeper-service.nix
index b441c0d..816e730 100644
--- a/machines/sleeper-service/network-sleeper-service.nix
+++ b/machines/sleeper-service/network-sleeper-service.nix
@@ -41,21 +41,26 @@
 # nameservers = [ "10.0.0.14" "10.0.0.138" "8.8.8.8" ]; # Pi-hole, router, Google DNS fallback
 
 # Additional firewall ports for file server services
- firewall.allowedTCPPorts = [
- 22 # SSH
- 111 # NFS portmapper
- 2049 # NFS
- 445 # SMB/CIFS
- 139 # NetBIOS Session Service
- # Add additional ports here as needed
- ];
+ firewall = {
+ # Trust the Tailscale interface for mesh network access
+ trustedInterfaces = [ "tailscale0" ];
+
+ allowedTCPPorts = [
+ 22 # SSH
+ 111 # NFS portmapper
+ 2049 # NFS
+ 445 # SMB/CIFS
+ 139 # NetBIOS Session Service
+ # Add additional ports here as needed
+ ];
 
- firewall.allowedUDPPorts = [
- 22 # SSH
- 111 # NFS portmapper
- 2049 # NFS
- 137 # NetBIOS Name Service
- 138 # NetBIOS Datagram Service
- ];
+ allowedUDPPorts = [
+ 22 # SSH
+ 111 # NFS portmapper
+ 2049 # NFS
+ 137 # NetBIOS Name Service
+ 138 # NetBIOS Datagram Service
+ ];
+ };
 };
 }
diff --git a/machines/sleeper-service/nfs.nix b/machines/sleeper-service/nfs.nix
index cf7b4fc..5cf2a4f 100644
--- a/machines/sleeper-service/nfs.nix
+++ b/machines/sleeper-service/nfs.nix
@@ -7,8 +7,9 @@
 services.nfs.server = {
 enable = true;
 # Export the storage directory (ZFS dataset)
+ # Allow access from both local network and Tailscale network
 exports = ''
- /mnt/storage 10.0.0.0/24(rw,sync,no_subtree_check,no_root_squash)
+ /mnt/storage 10.0.0.0/24(rw,sync,no_subtree_check,no_root_squash) 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash)
 '';
 # Create exports on startup
 createMountPoints = true;
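Review bot: `trustedInterfaces = [ "tailscale0" ];` switches the firewall off for that interface entirely, so every listening service on the host — not only the SSH/NFS/SMB ports enumerated below it — becomes reachable from any node in the tailnet, and the `allowedTCPPorts`/`allowedUDPPorts` lists that follow no longer constrain Tailscale traffic at all. If the intent is just to reach the file shares over Tailscale, the narrower form is per-interface allowlisting inside this same `firewall` block, e.g. `interfaces.tailscale0.allowedTCPPorts = [ 22 111 2049 445 139 ];` with a matching UDP list, which leaves everything else on the host closed; whether other daemons actually listen on tailscale0 cannot be seen from this hunk. The comment above the line should also state the consequence, e.g. `# tailscale0 bypasses the port allowlist entirely; all local services are reachable from the tailnet`. Separately, `22` appears in `allowedUDPPorts` although SSH is TCP-only, so that entry opens an unused UDP port. The enclosing `networking` set begins before the hunk.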
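Review bot: The added export entry gives `100.64.0.0/10` the same `rw,no_root_squash` rights as the LAN, and that prefix is the entire Tailscale address space, so every node that joins or is shared into the tailnet (now or later) can read and write `/mnt/storage` as root; with NFS's default AUTH_SYS the server trusts the client-asserted uid, so this address list is effectively the only access control on the export. Prefer naming the specific tailnet clients instead of the whole /10 and dropping root mapping for the remote side unless root-owned writes are genuinely needed, e.g. `/mnt/storage 10.0.0.0/24(rw,sync,no_subtree_check,no_root_squash) <tailscale-client-ip>(rw,sync,no_subtree_check)` (placeholder, substitute each client's Tailscale address). Note that 100.64.0.0/10 is also the shared CGNAT range, so if any non-Tailscale interface on this host can ever see CGNAT source addresses those would match this clause too, since exports are matched by source address rather than by interface. The `services.nfs.server` attribute set continues past the end of the hunk.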