From 1f8d44514d40fff22b81f3c152fd86c753d3c6ea Mon Sep 17 00:00:00 2001 From: Patrick Date: Mon, 23 Dec 2024 17:03:10 +0100 Subject: [PATCH] fix: switch to internal domains --- config/services/adguardhome.nix | 6 ++--- config/services/samba.nix | 18 ++++++++++----- hosts/nucnix/kea.nix | 22 +++++++++---------- hosts/nucnix/net.nix | 19 ++++++++++++++++ hosts/nucnix/secrets/hostapd/host.pub | 1 + hosts/nucnix/secrets/hostapd/secrets.nix.age | 17 ++++++++++++++ hosts/nucnix/secrets/secrets.nix.age | Bin 905 -> 912 bytes users/patrick/smb.nix | 2 +- 8 files changed, 64 insertions(+), 21 deletions(-) create mode 100644 hosts/nucnix/secrets/hostapd/host.pub create mode 100644 hosts/nucnix/secrets/hostapd/secrets.nix.age diff --git a/config/services/adguardhome.nix b/config/services/adguardhome.nix index 822c324..eefad01 100644 --- a/config/services/adguardhome.nix +++ b/config/services/adguardhome.nix @@ -36,9 +36,9 @@ ]; }; user_rules = [ - "||homematic.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.home.cidrv4}" - "||testberry.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.home.cidrv4}" - "||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}" + "||homematic.internal^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.devices.cidrv4}" + "||testberry.internal^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.devices.cidrv4}" + "||smb.internal^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}" "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}" "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}" ]; diff --git a/config/services/samba.nix b/config/services/samba.nix index 70034df..36e8423 100644 --- a/config/services/samba.nix +++ b/config/services/samba.nix 
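Review bot: The three new `.internal` rewrites deserve a comment explaining the suffix, since nothing in the hunk says why `.internal` replaced `${globals.domains.web}`; `.internal` is the ICANN-reserved private-use TLD, so these names can never resolve from or leak to public DNS, but a public CA will also never issue a certificate for them, which is worth knowing before anyone fronts `smb.internal` with TLS. Proposed comment above the first rewrite: `# .internal is ICANN-reserved for private use: never resolves publicly, no public-CA certs.` Note also that the samba entry now spells out `smb.internal` while its address still comes from `globals.services.samba.ip`; if `globals.services.samba.domain` still exists elsewhere, the two can drift, so the name should come from the same global.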
@@ -119,7 +119,7 @@ in # clients hardcode the host and share names. "disable netbios" = "yes"; # Allow access to local network - "hosts allow" = "10. localhost"; + "hosts allow" = "10.99.10. localhost"; "guest account" = "nobody"; "map to guest" = "bad user"; @@ -169,11 +169,17 @@ in hasBunker = true; hasPaperless = true; } { }) - (mkShare { - name = "printer"; - user = "printer"; - group = "printer"; - } { }) + (mkShare + { + name = "printer"; + user = "printer"; + group = "printer"; + } + { + # Also allow printer access + "hosts allow" = "10.99.10. ${lib.net.cidr.host 32 globals.net.vlans.home.cidrv4} localhost"; + } + ) (mkShare { name = "family-data"; user = "family"; diff --git a/hosts/nucnix/kea.nix b/hosts/nucnix/kea.nix index cf644db..adca701 100644 --- a/hosts/nucnix/kea.nix +++ b/hosts/nucnix/kea.nix @@ -11,13 +11,6 @@ let flip mapAttrsToList ; - vlans = { - home = 10; - services = 20; - devices = 30; - iot = 40; - guests = 50; - }; in { environment.persistence."/persist".directories = [ @@ -38,10 +31,12 @@ in valid-lifetime = 86400; renew-timer = 3600; interfaces-config = { - interfaces = flip mapAttrsToList vlans (x: _: "lan-${x}"); + interfaces = flip mapAttrsToList globals.net.vlans (x: _: "lan-${x}"); }; - subnet4 = flip mapAttrsToList vlans ( - name: id: rec { + subnet4 = flip mapAttrsToList globals.net.vlans ( + name: + { id, cidrv4, ... }: + rec { inherit id; interface = "lan-${name}"; subnet = "10.99.${toString id}.0/24"; @@ -71,13 +66,18 @@ in hw-address = "d8:3a:dd:dc:b6:6a"; ip-address = net.cidr.host 31 subnet; } + { + # drucker + hw-address = "48:9e:bd:5c:31:ac"; + ip-address = net.cidr.host 32 subnet; + } ]; } ); }; }; - systemd.services.kea-dhcp4-server.after = flip mapAttrsToList vlans ( + systemd.services.kea-dhcp4-server.after = flip mapAttrsToList globals.net.vlans ( name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device" ); } 
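Review bot: The tightened global `"hosts allow" = "10.99.10. localhost";` hard-codes the home VLAN prefix while the rest of this patch derives addresses from `globals.net.vlans.home.cidrv4`, so a future renumbering of that VLAN would silently leave smbd allowing the old prefix. Samba accepts network/prefix notation in `hosts allow`, so `"hosts allow" = "${globals.net.vlans.home.cidrv4} localhost";` keeps one source of truth (confirm the installed Samba accepts the `/24` form; older releases want a dotted netmask). The enclosing `settings` block starts and ends outside this hunk.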
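Review bot: The per-share `"hosts allow"` on the printer share does not actually admit the printer: `lib.net.cidr.host 32 globals.net.vlans.home.cidrv4` evaluates to 10.99.10.32 (home VLAN id 10 per the table removed from kea.nix), which the `10.99.10.` prefix already covers, whereas net.nix places the printer at host 32 of the devices VLAN and kea.nix reserves `.32` for the `drucker` MAC, i.e. 10.99.30.32 in that VLAN. As written the printer's scan-to-share traffic is still rejected by smbd even after the firewall rule is fixed. Change it to `"hosts allow" = "10.99.10. ${lib.net.cidr.host 32 globals.net.vlans.devices.cidrv4} localhost";` and add `# printer lives in the devices VLAN, see hosts/nucnix/{kea,net}.nix` so the cross-file coupling is visible. The surrounding share list starts before and continues after this hunk.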
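Review bot: The `subnet4` lambda now destructures `cidrv4` from `globals.net.vlans` but `subnet` still builds the prefix by hand as `"10.99.${toString id}.0/24"`, leaving two sources of truth for the same network; if a VLAN's cidrv4 ever differs from the `10.99.<id>.0/24` pattern, DHCP leases, the AdGuard rewrites and the nftables zones will disagree without any evaluation error. Unless `cidrv4` is used further down in the subnet body (lines between this hunk and the reservations hunk are outside view), `subnet = cidrv4;` makes the global authoritative. The `rec { ... }` body continues past the end of this hunk.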
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix index 839fea9..4a05841 100644 --- a/hosts/nucnix/net.nix +++ b/hosts/nucnix/net.nix @@ -2,6 +2,7 @@ config, lib, globals, + utils, ... }: let @@ -23,9 +24,15 @@ in { fritz.interfaces = [ "vlan-fritz" ]; wg-services.interfaces = [ "services" ]; + printer.ipv4Addresses = [ + (lib.net.cidr.host 32 globals.net.vlans.device.cidrv4) + ]; adguard.ipv4Addresses = [ (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4) ]; + samba.ipv4Addresses = [ + (lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4) + ]; } (genAttrs (attrNames globals.net.vlans) (name: { interfaces = [ "lan-${name}" ]; @@ -143,6 +150,13 @@ in to = [ "local" ]; allowedUDPPorts = [ 5353 ]; }; + printer-smb = { + from = [ + "printer" + ]; + to = [ "smb" ]; + allowedUDPPorts = [ 445 ]; + }; ssh = { from = [ "fritz" @@ -156,7 +170,9 @@ in "home" ]; to = [ + "iot" "services" + "devices" "fritz" ]; late = true; @@ -264,4 +280,7 @@ in }; }; }; + systemd.services.nftables.after = flip mapAttrsToList globals.net.vlans ( + name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device" + ); } diff --git a/hosts/nucnix/secrets/hostapd/host.pub b/hosts/nucnix/secrets/hostapd/host.pub new file mode 100644 index 0000000..2dccaec --- /dev/null +++ b/hosts/nucnix/secrets/hostapd/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOR54uUS7TdVFs8SmKEThJcwNqQhLhqIfkTneoPSNJe diff --git a/hosts/nucnix/secrets/hostapd/secrets.nix.age b/hosts/nucnix/secrets/hostapd/secrets.nix.age new file mode 100644 index 0000000..f9279ae --- /dev/null +++ b/hosts/nucnix/secrets/hostapd/secrets.nix.age 
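Review bot: `printer.ipv4Addresses` references `globals.net.vlans.device.cidrv4`, but every other use on this page (adguardhome.nix, the VLAN table removed from kea.nix) spells the attribute `devices`; unless a `device` attribute also exists, evaluation fails with a missing-attribute error, and if it does exist the printer is being pinned to some other VLAN. The line should read `(lib.net.cidr.host 32 globals.net.vlans.devices.cidrv4)`. The zone definition set this sits in starts before the hunk.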
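Review bot: The new `printer-smb` rule opens `allowedUDPPorts = [ 445 ]`, but SMB direct-host transport is TCP/445 only, and samba.nix sets `disable netbios = yes`, so there is no UDP SMB traffic to permit; as written the rule allows nothing useful and the printer's scan-to-share connection presumably stays blocked by the inter-VLAN default. Change it to `allowedTCPPorts = [ 445 ];` and consider a one-line comment, `# scan-to-SMB from the printer (devices VLAN) to the samba host (home VLAN)`, since this is the only cross-VLAN hole into the file server. The ssh rule later in the file also widens its `to` list to `iot` and `devices`; that looks intentional but is worth a sentence in the commit message.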
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> X25519 q8aZVIpO27A7gSGGepzDYQINfV9BT5Vdlck4Ywl/tw4 +f7OZDaBI1nGbWVKz7c/fCTjl5avQMZwweKuGsMZaHmw +-> piv-p256 ZFgiIw AzIXNOToQeNgxBaPr2Ay8PNbWci5KXsOO0hPzntcr9jh +A45KdFFCcHss+yp9o1lMeyGAquweqAAYdN3rebTOV+k +-> piv-p256 XTQkUA Ams4qG3cUEr5JuhwJVl0I9vNvUBSwmeGlO4y1RjW+HM0 +09tBHurIIUJrwXfJEDnTpZppseJSxF/Rrzp81tLiEaI +-> piv-p256 ZFgiIw Ar7T0wlAqoYOPxtm8lZnWRCctOFQ3MpmPhZpzz4dm+0i +8vfGeTyhxjU28KeCmOl59IOhxgSEK/invMRBj5y8wvE +-> piv-p256 5vmPtQ Am6sq2Wde4bMWzMTw6+o+yhkM2ZSkpBbbLGVA3RIAylz +6y8WNKVZiMOuyolKGJjGj+Fc9hqkHw362LtYaGhl274 +-> 5nt&Ew>-grease V;8yod +bApmEO5jhTtDghPr4gisoTKEuhrFOdKxAuNH4iqUufY3dNfojeB/5IjctLLe5VG7 +vWl2CF8Tyw +--- hpy8mTYDQSOQCLhIcQ+5mHcdqRQkvWOIDQHLltWTJD0 +2UzT_˴^ +}XZgVԧ% ?Mt]v:;wژ*XO˂U}dِxKA%6 \ No newline at end of file 
diff --git a/hosts/nucnix/secrets/secrets.nix.age b/hosts/nucnix/secrets/secrets.nix.age index 0df3d44222d071e8db41be701d23f7091363ca43..baa034564f25dc2d5471b89f5ac4b13a8e8b0eca 100644 GIT binary patch literal 912 zcmY+<-;3J>0KoBW`ryJ|WDhz$q#(Luxn9#GO)m__(l%|bO`0FgkEV*F&F`l9acSBn zRS+L!jKg0O6;Fh7r`t`=lVeZw7h@ZO3ho@JL;P_sdsM-P4Mmym!H4?`KHqQGGO~uR zMQIp2fj=KaR&JaJvd1!QxKPOB8K}R=8KB_t>XMc)4#e>a!cC2FG2$_yE?Y`BrWZ^r z?oV9+<}hVS3d(3oaa3&_rA6G8u#nUP91AQ@naGU>YlWU{F?WT~8D~SdfMq&W%UPUc zh#0L?U4Cqs-9g<|b)WW|h$K?Er50PDLmLFsh~vni&)Etva%#Oe@j?!Vmh!ghnmR3* za-=kyunpG?n@ScDu?0CGMeefNBJWB>h8Wp7(Ss(V#srcZtrQFe{J-ob;(FK9w=G_Btcv$t8~@E>V%V~vEC}{GCN5K5Uj$qGMoy5RssboW{6$Z|6kw$@fArM zijBZk@qiAoj)Wv-3N^fI#%&bCn$vnSv63XAS-Z({ z0h`zQm;(Ev=}5b*!r0?tK0}1VSV;Q|mN_JtcE6MJtr9tea9QXxWsEH%bc3kN6|s*v z0l>P2o?_T!l+)V_P75coN?(t9aw#CANzkG_sz>kxL?f8su61-y#fhvH8Qr0gnTrw- zKsyT_O!FWU2S%<|410OETQA%7G)Q8j#OtcZu$tJfSW$vI&Tq12EKI`;HvH_uSU% z@?86gkN+;GFPu2^>f2}5XU;sc_t(##+;`*#dSUG**5My{;J$EvPw}7p!R2pPe#pLY z%z7nr_A+woc=xTJh?gct`uf&y>BiNan|n^)n9eMH;6L=s`R6{;x3`uzR@(3Aw`V@t zIRE9|ZTr#JeDdgl4<`qoI=O!~r>#Bs$EVxCyDP+{>9Y?HHT3$mL;Gi+-rPCx+3%;V z?|-~>C3ybv7uV(cZ@sKu-}(8Q)2FJ=YIxw>g>IfnzA!L{B$Fbh{7d2bpt-I(+Ov4n(+f;AEbn6aD62@Z)!AY;NpO zq+CvSG7e4$EGxDUxlVF;lC}p$P}JxiqNrZM3aC&f+6=4%dD#<9OZHK!*s(M}ooB)6 zxYwlx3~jPqh?!KCvVpduZIL=$y6gT?uhOi_c}GfgVJtnUdw4hLYhc-jv>Fo64#Q$9 zOzF{@&cgzbDK-^bH>)I9GH6nTbuMewP$O3!2vOE-X%OzXZf7`ylxQHfKjJldF%L%2 zNJZo=iHHym73yWt;vrkc*sL86!v^W7T|@R#PRQ30Y6dR45=i15ga^tl9w?PIs8y2Y zG>6eS!T_aIMRVI340E9t1552_;Av@M=D!H4!=aEjVB7DgoLMJIltDKO4%G#FfoeI$ z=^%?zX;NExDFp7 zyu7A4xunk7adgKen7#z=w44j5b27~7^No%r(qz8xxn1Pi^rPI-GTTxov$!o9b?kXH9S1$?r7C7M`Yxlm8;!{2pYJJ#O0@!{6( z$zWk(^j`O)n&1QKR5o?gVxfH_rHP8 zroY_#^uy(RsaA1 diff --git a/users/patrick/smb.nix b/users/patrick/smb.nix index 894b52f..36b72f1 100644 --- a/users/patrick/smb.nix +++ b/users/patrick/smb.nix 
@@ -2,7 +2,7 @@ { hm.home.smb = let - address = "smb.${config.secrets.secrets.global.domains.web}"; + address = "smb.internal"; credentials = config.age.secrets.smb-creds.path; in [
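Review bot: `address = "smb.internal"` is the third place this name is now written literally (the AdGuard rewrite and, presumably, the samba service), so the mount and the DNS rewrite can diverge with no evaluation error; a single global such as the `globals.services.samba.domain` the AdGuard hunk stopped using would tie them together. A short comment would also help the next reader: `# resolved only by the local AdGuard rewrite; clients using another resolver cannot mount this`. The `let ... in [` list this sits in continues beyond the hunk.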