# Security

## Firewall (UFW)
UFW is active on attic-gremlin and immichbox with default-deny incoming. smaug (TrueNAS) and HAOS manage their own exposure. bazzite has no UFW configured yet.
To re-apply or update rules, edit the script then reset and re-run:
```bash
sudo ufw --force reset
sudo bash ufw-<machine>.sh
```
Always keep an existing SSH session open while testing a new connection after firewall changes.
### attic-gremlin UFW rules
| Port | Proto | From | Purpose |
|---|---|---|---|
| 22 | tcp | 192.168.4.0/24 | SSH — LAN only |
| 9090 | tcp | 192.168.4.0/24 | Prometheus UI — LAN only |
| 3000 | tcp | 192.168.4.0/24 | Grafana UI — LAN only |
| 9100 | tcp | 127.0.0.1 | Node Exporter — localhost only |
| 2003 | tcp | 192.168.4.50 | Graphite receive — smaug only |
| 9108 | tcp | 127.0.0.1 | Graphite scrape — localhost only |
| 9115 | tcp | 127.0.0.1 | Blackbox Exporter — localhost only |
| 11434 | tcp | 192.168.4.0/24 | Ollama — LAN only |
| 8000 | tcp | 192.168.4.30 | MkDocs wiki — immichbox/Caddy only |
### immichbox UFW rules
| Port | Proto | From | Purpose |
|---|---|---|---|
| 22 | tcp | 192.168.4.0/24 | SSH — LAN only |
| 80 | tcp | Anywhere | Caddy HTTP (HTTPS redirect + ACME) |
| 443 | tcp | Anywhere | Caddy HTTPS — all public subdomains |
| 9100 | tcp | 192.168.4.71 | Node Exporter — attic-gremlin only |
| 8096 | tcp | 192.168.4.71 | Jellyfin health probe — attic-gremlin |
| 8081 | tcp | 192.168.4.71 | qBittorrent health probe — attic-gremlin |
| 7878 | tcp | 192.168.4.71 | Radarr health probe — attic-gremlin |
| 8989 | tcp | 192.168.4.71 | Sonarr health probe — attic-gremlin |
| 9696 | tcp | 192.168.4.71 | Prowlarr health probe — attic-gremlin |
| 8096 | tcp | 192.168.4.0/24 | Jellyfin — LAN direct |
| 8081 | tcp | 192.168.4.0/24 | qBittorrent — LAN direct |
| 7878 | tcp | 192.168.4.0/24 | Radarr — LAN direct |
| 8989 | tcp | 192.168.4.0/24 | Sonarr — LAN direct |
| 9696 | tcp | 192.168.4.0/24 | Prowlarr — LAN direct |
Note: Matrix Synapse listens on 127.0.0.1:8008 only — Caddy proxies to it. No UFW rule needed. Federation is handled via .well-known delegation through Caddy on port 443, so port 8448 is not required.
Note: When adding new services to immichbox, remember to add a UFW rule or the service will be silently blocked.
## SSH
SSH is restricted to LAN (192.168.4.0/24) on both attic-gremlin and immichbox via UFW.
### Key-based auth status
| Machine | framework-16 | bazzite |
|---|---|---|
| attic-gremlin | ✅ key installed | ⏳ pending |
| immichbox | ✅ key installed | ⏳ pending |
### To add bazzite's key (once generated)
```bash
# On bazzite
ssh-keygen -t ed25519 -C "yoosh@bazzite"
ssh-copy-id attic-gremlin@attic.lan
ssh-copy-id immichbox@ibox.lan
```
### Disable password auth (pending — do after bazzite keys are set up)
Once all machines have keys installed, disable password authentication on attic-gremlin and immichbox:
```bash
sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#*KbdInteractiveAuthentication.*/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart ssh
```
Validate the config with `sshd -t` before restarting. Keep an existing session open while testing the new connection.
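The sed commands above only rewrite `/etc/ssh/sshd_config`, but sshd takes the first value it sees for a keyword, and distributions that put `Include /etc/ssh/sshd_config.d/*.conf` at the top of that file can re-enable passwords from a drop-in before the edited line is ever read. The following checker is an added example, not part of this wiki; it resolves a global keyword the way sshd does (Include expansion, first match wins, Match blocks skipped) and demonstrates the pitfall on a constructed config in a temporary directory.

```python
"""Resolve the effective global sshd value for a keyword: files are read in
order, `Include` globs are expanded in place, and the FIRST occurrence wins."""
import glob
import os
import tempfile


def _entries(path):
    """Yield (keyword, value) pairs from a config file, expanding Include in place."""
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.replace("=", " ", 1).split(None, 1)  # "Key Val" or "Key=Val"
            key = parts[0].lower()
            val = parts[1].strip() if len(parts) > 1 else ""
            if key == "include":
                for pat in val.split():
                    if not os.path.isabs(pat):          # relative patterns are under /etc/ssh
                        pat = os.path.join("/etc/ssh", pat)
                    for inc in sorted(glob.glob(pat)):
                        yield from _entries(inc)
            else:
                yield key, val


def effective(keyword, path="/etc/ssh/sshd_config"):
    """Return the value sshd would use for a global keyword, or None if unset.
    Everything after the first `Match` line is conditional and is skipped."""
    in_match = False
    for key, val in _entries(path):
        if key == "match":
            in_match = True
        elif not in_match and key == keyword.lower():
            return val
    return None


def demo():
    """Constructed example: main file hardened by sed, drop-in re-enables passwords."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "sshd_config.d"))
    with open(os.path.join(d, "sshd_config.d", "50-cloud-init.conf"), "w") as fh:
        fh.write("PasswordAuthentication yes\n")  # drop-in wins: it is included first
    main = os.path.join(d, "sshd_config")
    with open(main, "w") as fh:
        fh.write(f"Include {d}/sshd_config.d/*.conf\n"
                 "PasswordAuthentication no\n"
                 "KbdInteractiveAuthentication no\n")
    return {k: effective(k, main)
            for k in ("PasswordAuthentication", "KbdInteractiveAuthentication")}
```

On the real host, `sudo sshd -T | grep -Ei '^(password|kbdinteractive)authentication'` prints the authoritative effective values; if a drop-in wins, edit or remove it under `/etc/ssh/sshd_config.d/` rather than the main file.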