diff --git a/config/services/adguardhome.nix b/config/services/adguardhome.nix
index 822c324..eefad01 100644
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@@ -36,9 +36,9 @@
 ];
 };
 user_rules = [
- "||homematic.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.home.cidrv4}"
- "||testberry.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.home.cidrv4}"
- "||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
+ "||homematic.internal^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.devices.cidrv4}"
+ "||testberry.internal^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.devices.cidrv4}"
+ "||smb.internal^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
 "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
 "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
 ];
diff --git a/config/services/samba.nix b/config/services/samba.nix
index 70034df..36e8423 100644
--- a/config/services/samba.nix
+++ b/config/services/samba.nix
@@ -119,7 +119,7 @@ in
 # clients hardcode the host and share names.
 "disable netbios" = "yes";
 # Allow access to local network
- "hosts allow" = "10. localhost";
+ "hosts allow" = "10.99.10. localhost";
 "guest account" = "nobody";
 "map to guest" = "bad user";
 
@@ -169,11 +169,17 @@ in
 hasBunker = true;
 hasPaperless = true;
 } { })
- (mkShare {
- name = "printer";
- user = "printer";
- group = "printer";
- } { })
+ (mkShare
+ {
+ name = "printer";
+ user = "printer";
+ group = "printer";
+ }
+ {
+ # Also allow printer access
+ "hosts allow" = "10.99.10. ${lib.net.cidr.host 32 globals.net.vlans.home.cidrv4} localhost";
+ }
+ )
 (mkShare {
 name = "family-data";
 user = "family";
diff --git a/hosts/nucnix/kea.nix b/hosts/nucnix/kea.nix
index cf644db..adca701 100644
--- a/hosts/nucnix/kea.nix
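Review bot: The three rewritten rules hard-code their `.internal` names, and `smb.internal` is repeated as a literal in users/patrick/smb.nix in this same commit, while `globals.services.samba.domain`, which the old rule read, is no longer referenced here. Keeping the name in one place — updating `globals.services.samba.domain` to `smb.internal` and writing the rule as `"||${globals.services.samba.domain}^$dnsrewrite=..."` as before, with a similar global for the `.internal` names used by homematic and testberry — stops the resolver and the client mount from drifting apart. If `globals.services.samba.domain` is still consumed elsewhere (not visible on this page), it is now stale relative to what clients actually resolve.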
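Review bot: The comment `# Allow access to local network` above the changed line no longer describes it: `10.99.10.` narrows the global `hosts allow` to one /24, which under the `subnet = "10.99.${toString id}.0/24"` scheme in hosts/nucnix/kea.nix is the home VLAN (id 10). Suggest `# Allow access only from the home VLAN (10.99.10.0/24); shares may widen this individually`. To keep the prefix tied to the VLAN plan rather than a repeated literal, it could be derived from `globals.net.vlans.home.cidrv4`, which the printer share below already reads for part of its own list.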
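Review bot: The printer share's `hosts allow` admits host 32 of `globals.net.vlans.home.cidrv4`, but hosts/nucnix/net.nix in this same commit places the `printer` zone at host 32 of the devices VLAN (`globals.net.vlans.device.cidrv4`), and the `drucker` reservation in hosts/nucnix/kea.nix is host 32 of whichever `subnet4` entry encloses it, which lies outside that hunk. If the printer is on the devices VLAN, 10.99.10.32 never matches and the share stays closed to it; the three places should reference the same VLAN. Since a share-level `hosts allow` replaces the global list for that share, the `10.99.10.` prefix has to be repeated here; a comment such as `# Share-level "hosts allow" replaces the global list, so the home VLAN is repeated` would make the repetition look deliberate rather than accidental.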
+++ b/hosts/nucnix/kea.nix
@@ -11,13 +11,6 @@ let
 flip
 mapAttrsToList
 ;
- vlans = {
- home = 10;
- services = 20;
- devices = 30;
- iot = 40;
- guests = 50;
- };
 in
 {
 environment.persistence."/persist".directories = [
@@ -38,10 +31,12 @@ in
 valid-lifetime = 86400;
 renew-timer = 3600;
 interfaces-config = {
- interfaces = flip mapAttrsToList vlans (x: _: "lan-${x}");
+ interfaces = flip mapAttrsToList globals.net.vlans (x: _: "lan-${x}");
 };
- subnet4 = flip mapAttrsToList vlans (
- name: id: rec {
+ subnet4 = flip mapAttrsToList globals.net.vlans (
+ name:
+ { id, cidrv4, ... }:
+ rec {
 inherit id;
 interface = "lan-${name}";
 subnet = "10.99.${toString id}.0/24";
@@ -71,13 +66,18 @@ in
 hw-address = "d8:3a:dd:dc:b6:6a";
 ip-address = net.cidr.host 31 subnet;
 }
+ {
+ # drucker
+ hw-address = "48:9e:bd:5c:31:ac";
+ ip-address = net.cidr.host 32 subnet;
+ }
 ];
 }
 );
 };
 };
 
- systemd.services.kea-dhcp4-server.after = flip mapAttrsToList vlans (
+ systemd.services.kea-dhcp4-server.after = flip mapAttrsToList globals.net.vlans (
 name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device"
 );
 }
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index 839fea9..4a05841 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 globals,
+ utils,
 ...
 }:
 let
@@ -23,9 +24,15 @@ in
 {
 fritz.interfaces = [ "vlan-fritz" ];
 wg-services.interfaces = [ "services" ];
+ printer.ipv4Addresses = [
+ (lib.net.cidr.host 32 globals.net.vlans.device.cidrv4)
+ ];
 adguard.ipv4Addresses = [
 (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
 ];
+ samba.ipv4Addresses = [
+ (lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4)
+ ];
 }
 (genAttrs (attrNames globals.net.vlans) (name: {
 interfaces = [ "lan-${name}" ];
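Review bot: `cidrv4` is destructured in the new `{ id, cidrv4, ... }:` pattern but never used; `subnet` is still assembled as `"10.99.${toString id}.0/24"`. Elsewhere in this commit (adguardhome.nix, net.nix) `globals.net.vlans.<name>.cidrv4` is treated as the VLAN prefix, so if it holds that same value, `subnet = cidrv4;` removes a second copy of the address plan that can drift from the first; if it does not, the unused binding should be dropped. The `rec { ... }` body and the enclosing `subnet4` list continue outside the hunk.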
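Review bot: `globals.net.vlans.device.cidrv4` in the new `printer.ipv4Addresses` uses a singular attribute name, while every other reference on this page (adguardhome.nix, and the VLAN table removed from hosts/nucnix/kea.nix) calls that VLAN `devices`; unless `globals.net.vlans` defines both spellings, evaluation fails with a missing-attribute error on this line. Change it to `(lib.net.cidr.host 32 globals.net.vlans.devices.cidrv4)`. This is also the line that decides which VLAN the `printer` zone lives on, so it should agree with the VLAN the printer share in config/services/samba.nix admits.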
@@ -143,6 +150,13 @@ in
 to = [ "local" ];
 allowedUDPPorts = [ 5353 ];
 };
+ printer-smb = {
+ from = [
+ "printer"
+ ];
+ to = [ "smb" ];
+ allowedUDPPorts = [ 445 ];
+ };
 ssh = {
 from = [
 "fritz"
@@ -156,7 +170,9 @@ in
 "home"
 ];
 to = [
+ "iot"
 "services"
+ "devices"
 "fritz"
 ];
 late = true;
@@ -264,4 +280,7 @@ in
 };
 };
 };
+ systemd.services.nftables.after = flip mapAttrsToList globals.net.vlans (
+ name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device"
+ );
 }
diff --git a/hosts/nucnix/secrets/hostapd/host.pub b/hosts/nucnix/secrets/hostapd/host.pub
new file mode 100644
index 0000000..2dccaec
--- /dev/null
+++ b/hosts/nucnix/secrets/hostapd/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOR54uUS7TdVFs8SmKEThJcwNqQhLhqIfkTneoPSNJe
diff --git a/hosts/nucnix/secrets/hostapd/secrets.nix.age b/hosts/nucnix/secrets/hostapd/secrets.nix.age
new file mode 100644
index 0000000..f9279ae
--- /dev/null
+++ b/hosts/nucnix/secrets/hostapd/secrets.nix.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> X25519 q8aZVIpO27A7gSGGepzDYQINfV9BT5Vdlck4Ywl/tw4
+f7OZDaBI1nGbWVKz7c/fCTjl5avQMZwweKuGsMZaHmw
+-> piv-p256 ZFgiIw AzIXNOToQeNgxBaPr2Ay8PNbWci5KXsOO0hPzntcr9jh
+A45KdFFCcHss+yp9o1lMeyGAquweqAAYdN3rebTOV+k
+-> piv-p256 XTQkUA Ams4qG3cUEr5JuhwJVl0I9vNvUBSwmeGlO4y1RjW+HM0
+09tBHurIIUJrwXfJEDnTpZppseJSxF/Rrzp81tLiEaI
+-> piv-p256 ZFgiIw Ar7T0wlAqoYOPxtm8lZnWRCctOFQ3MpmPhZpzz4dm+0i
+8vfGeTyhxjU28KeCmOl59IOhxgSEK/invMRBj5y8wvE
+-> piv-p256 5vmPtQ Am6sq2Wde4bMWzMTw6+o+yhkM2ZSkpBbbLGVA3RIAylz
+6y8WNKVZiMOuyolKGJjGj+Fc9hqkHw362LtYaGhl274
+-> 5nt&Ew>-grease V;8yod
+bApmEO5jhTtDghPr4gisoTKEuhrFOdKxAuNH4iqUufY3dNfojeB/5IjctLLe5VG7
+vWl2CF8Tyw
+--- hpy8mTYDQSOQCLhIcQ+5mHcdqRQkvWOIDQHLltWTJD0
+2UzT_˴^
+}XZgVԧ% ?Mt]v:;wژ*XO˂U}dِxKA%6
\ No newline at end of file
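Review bot: `printer-smb` opens `allowedUDPPorts = [ 445 ]`, but with NetBIOS disabled in config/services/samba.nix (`"disable netbios" = "yes"`) SMB is carried over TCP 445 only, so this rule admits nothing the printer will actually send; it should read `allowedTCPPorts = [ 445 ];`. The rule also targets a zone named `smb`, whereas the zone this commit adds in the earlier hunk of this file is `samba.ipv4Addresses`; unless an `smb` zone is defined outside the hunk, the destination does not resolve and should be `to = [ "samba" ];` (or the zone renamed to match). Even with both corrected, the share remains gated by Samba's own `hosts allow`, which must list the printer's address on the same VLAN as the `printer` zone.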
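Review bot: The rule whose `to` list gains `"iot"` and `"devices"` begins outside the hunk, so only `"home"` is visible among its sources and no port restriction is visible; as far as these lines show, it widens the home VLAN's reach into the IoT and devices VLANs to whatever the rule already permitted toward `services` and `fritz`. A comment above `to = [` stating the intent, e.g. `# Home clients may initiate connections into the IoT and devices VLANs (homematic, testberry, printer)`, would record the trust direction this adds. If the rule is unrestricted, consider limiting it per destination with allowedTCPPorts/allowedUDPPorts as the neighbouring rules do.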
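Review bot: The new `systemd.services.nftables.after` expression is a verbatim copy of the `kea-dhcp4-server.after` expression in hosts/nucnix/kea.nix from this same commit; computing the `lan-${name}` device-unit list once (a shared `let` binding or a small helper next to `globals.net.vlans`) and reusing it keeps the two from diverging. Separately, `after` only orders units that are both being scheduled; if the intent is that the firewall is loaded only once the VLAN interfaces exist, the same list should also be given to `systemd.services.nftables.wants` (or `bindsTo`), otherwise the ordering has no effect when the device unit is not yet part of the transaction — the kea line has the same property.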
diff --git a/hosts/nucnix/secrets/secrets.nix.age b/hosts/nucnix/secrets/secrets.nix.age
index 0df3d44..baa0345 100644
Binary files a/hosts/nucnix/secrets/secrets.nix.age and b/hosts/nucnix/secrets/secrets.nix.age differ
diff --git a/users/patrick/smb.nix b/users/patrick/smb.nix
index 894b52f..36b72f1 100644
--- a/users/patrick/smb.nix
+++ b/users/patrick/smb.nix
@@ -2,7 +2,7 @@
 {
 hm.home.smb =
 let
- address = "smb.${config.secrets.secrets.global.domains.web}";
+ address = "smb.internal";
 credentials = config.age.secrets.smb-creds.path;
 in
 [