From 268bd66c76e7ce1bf7d587b68ee794c465f5f40f Mon Sep 17 00:00:00 2001
From: Patrick
Date: Sun, 22 Dec 2024 00:10:37 +0100
Subject: [PATCH] feat: cleaner port forwarding
---
 globals.nix | 11 ++++++
 hosts/elisabeth/guests.nix | 46 ++++++++++++++++-----
 hosts/nucnix/forwarding.nix | 79 +++++++++++++++++++++++++++++++++++++
 hosts/nucnix/net.nix | 21 +---------
 users/patrick/theme.nix | 2 +-
 5 files changed, 129 insertions(+), 30 deletions(-)
 create mode 100644 hosts/nucnix/forwarding.nix

diff --git a/globals.nix b/globals.nix
index a447a13..49bb3d4 100644
--- a/globals.nix
+++ b/globals.nix
@@ -54,6 +54,7 @@ in
 forgejo = {
 domain = "forge.${globals.domains.web}";
 host = "elisabeth-forgejo";
+ ip = 13;
 };
 immich = {
 domain = "immich.${globals.domains.web}";
@@ -118,6 +119,7 @@ in
 netbird = {
 domain = "netbird.${globals.domains.web}";
 host = "elisabeth-netbird";
+ ip = 16;
 };
 nginx = {
 domain = globals.domains.web;
@@ -129,6 +131,15 @@ in
 host = "elisabeth-samba";
 ip = 12;
 };
+ ddclient = {
+ domain = "";
+ host = "elisabeth-ddclient";
+ };
+ murmur = {
+ domain = "ts.${globals.domains.web}";
+ host = "elisabeth-murmur";
+ ip = 9;
+ };
 };
 };
 }
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 9217cec..cc38628 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -1,5 +1,6 @@
 {
 config,
+ globals,
 stateVersion,
 inputs,
 lib,
@@ -17,6 +18,7 @@
 enableRenaultFT ? false,
 enableBunker ? false,
 enableSharedPaperless ? false,
+ vlans ? [ "services" ],
 ...
 }:
 {
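Review bot: The new `ddclient` entry in globals.nix (hunk `@@ -129,6 +131,15 @@`) has no `ip` attribute, yet the `systemd.network.networks` block added in the next hunk of hosts/elisabeth/guests.nix guards on `globals.services.${guestName}.ip != null`; unless the services attrset defaults `ip` to null somewhere not shown, a missing attribute aborts evaluation with an attribute-missing error instead of taking the null branch. Either add `ip = null;` to `ddclient` (and any other address-less service) or make the guard tolerant: `systemd.network.networks = lib.mkIf ((globals.services.${guestName}.ip or null) != null) (`. It would also help to state the meaning of `ip` once in this file, e.g. `# ip: host index of the guest on every VLAN it joins; must be unique per VLAN` — `murmur` takes 9 while the entries in view use 12, 13 and 16, and nothing in the file currently enforces uniqueness.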
@@ -54,6 +56,25 @@
 networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
 lib.length config.guests.${guestName}.networking.links == 1
 ) config.guests.${guestName}.networking.links;
+ systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
+ lib.listToAttrs (
+ lib.flip map vlans (
+ name:
+ lib.nameValuePair "09-mv-${name}" {
+ matchConfig.Name = "mv-${name}";
+ DHCP = "no";
+ address = [
+ (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
+ (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
+ ];
+ gateway = [
+ (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
+ (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
+ ];
+ }
+ )
+ )
+ );
 }
 ];
 };
@@ -74,17 +95,23 @@
 };
 };
 
- mkContainer = guestName: cfg: {
- ${guestName} = mkGuest guestName cfg // {
- backend = "container";
- container.macvlans = [ "lan-services" ];
- extraSpecialArgs = {
- inherit (inputs.self) nodes globals;
- inherit (inputs.self.pkgs.x86_64-linux) lib;
- inherit inputs minimal stateVersion;
+ mkContainer =
+ guestName:
+ {
+ vlans ? [ "services" ],
+ ...
+ }@cfg:
+ {
+ ${guestName} = mkGuest guestName cfg // {
+ backend = "container";
+ container.macvlans = lib.flip map vlans (x: "lan-${x}:mv-${x}");
+ extraSpecialArgs = {
+ inherit (inputs.self) nodes globals;
+ inherit (inputs.self.pkgs.x86_64-linux) lib;
+ inherit inputs minimal stateVersion;
+ };
 };
 };
- };
 in
 { }
 // mkContainer "adguardhome" { }
@@ -110,5 +137,6 @@
 enableRenaultFT = true;
 enableBunker = true;
 enableSharedPaperless = true;
+ vlans = [ "home" ];
 };
 }
diff --git a/hosts/nucnix/forwarding.nix b/hosts/nucnix/forwarding.nix
new file mode 100644
index 0000000..f4ef0ef
--- /dev/null
+++ b/hosts/nucnix/forwarding.nix
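Review bot: The added `systemd.network.networks` block in hosts/elisabeth/guests.nix has no comment explaining its contract, and its `gateway` entries silently assume the router is host index 1 on every VLAN listed in `vlans`. A short comment above the block would save the next reader a trip through globals.nix: `# Static address on each macvlan the guest joins (mv-<vlan>); only for services with a globals.services.<name>.ip, router assumed at host index 1`. The block only has an effect when `ip` is non-null, so a guest whose `vlans` includes a VLAN it has no `ip` on gets no unit at all rather than a partial one, which is worth stating as well. The surrounding `mkGuest` definition starts before this hunk.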
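Review bot: `vlans ? [ "services" ]` is now declared twice with the same default — in the `mkGuest` argument list (hunk `@@ -17,6 +18,7 @@` of hosts/elisabeth/guests.nix) and in `mkContainer` — and if one default is later changed the macvlan names on the container (`lan-${x}:mv-${x}`) and the network units inside the guest diverge without any error. Passing the resolved value through removes the second source of truth: `${guestName} = mkGuest guestName (cfg // { inherit vlans; }) // {`, after which the default in `mkGuest` becomes dead and can be dropped. The `vlans = [ "home" ];` override in the last hunk then only ever needs to be set in one place.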
@@ -0,0 +1,79 @@
+{ globals, lib, ... }:
+let
+ inherit (lib)
+ concatStringsSep
+ net
+ toUpper
+ mkMerge
+ ;
+ forward =
+ {
+ service,
+ ports,
+ protocol,
+ ...
+ }:
+ {
+ networking.nftables = {
+ chains = {
+ prerouting.port-forward = {
+ after = [ "hook" ];
+ rules = [
+ "iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${
+ net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4
+ }"
+ "iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${
+ net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6
+ }"
+ ];
+ };
+ };
+ firewall = {
+ zones = {
+ ${service}.ipv4Addresses = [
+ (lib.net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4)
+ ];
+ };
+ rules = {
+ "forward-${service}" = {
+ from = [ "fritz" ];
+ to = [ service ];
+ "allowed${toUpper protocol}Ports" = ports;
+ };
+ };
+ };
+ };
+ };
+in
+mkMerge [
+ (forward {
+ service = "nginx";
+ ports = [
+ 80
+ 443
+ ];
+ protocol = "tcp";
+ })
+ (forward {
+ service = "forgejo";
+ ports = [
+ 9922
+ ];
+ protocol = "tcp";
+ })
+ (forward {
+ service = "murmur";
+ ports = [
+ 9987
+ ];
+ protocol = "udp";
+ })
+ (forward {
+ service = "netbird";
+ ports = [
+ 3478
+ 5349
+ ];
+ protocol = "udp";
+ })
+]
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index 88a02b9..54f6eac 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@@ -17,6 +17,7 @@ in
 imports = [
 ./hostapd.nix
 ./kea.nix
+ ./forwarding.nix
 ];
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 networking.nftables.firewall.zones = mkMerge [
@@ -25,9 +26,6 @@ in
 adguard.ipv4Addresses = [
 (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
 ];
- nginx.ipv4Addresses = [
- (lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4)
- ];
 }
 (genAttrs (attrNames globals.net.vlans) (name: {
 interfaces = [ "lan-${name}" ];
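Review bot: In `forward` the zone for the service lists only `ipv4Addresses`, while the `prerouting.port-forward` chain also DNATs IPv6 (`dnat ip6 to … cidrv6`); if the firewall module matches zone membership per address family, the `forward-${service}` rule will not cover the translated IPv6 packets and they are dropped in the forward hook — the removed net.nix code had the same gap, so this is not a regression, but the helper is the place to close it with `ipv6Addresses = [ (net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6) ];` next to the existing `ipv4Addresses`. The same zone line uses `lib.net.cidr.host` although `net` is already inherited from `lib` two lines above the rules; using `net.cidr.host` there keeps the file consistent. A header comment is missing for the helper; something like `# forward: expose one service on the services VLAN from lan-fritz — DNAT in prerouting plus a fritz->service allow rule; the service must have globals.services.<name>.ip` would document the contract, and a one-line note on each `forward` call saying what its ports are for would make later reviews of what is reachable from `lan-fritz` straightforward.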
@@ -134,26 +132,9 @@ in
 }
 ))
 );
- networking.nftables.chains = {
- prerouting.port-forward = {
- after = [ "hook" ];
- rules = [
- "iifname lan-fritz tcp dport { 80, 443 } dnat ip to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4}"
- "iifname lan-fritz tcp dport { 80, 443 } dnat ip6 to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv6}"
- ];
- };
- };
 networking.nftables.firewall = {
 snippets.nnf-ssh.enable = lib.mkForce false;
 rules = {
- forward-nginx = {
- from = [ "fritz" ];
- to = [ "nginx" ];
- allowedTCPPorts = [
- 80
- 443
- ];
- };
 ssh = {
 from = [
 "fritz"
diff --git a/users/patrick/theme.nix b/users/patrick/theme.nix
index 8df5a0d..8a4770d 100644
--- a/users/patrick/theme.nix
+++ b/users/patrick/theme.nix
@@ -95,7 +95,7 @@
 image = config.lib.stylix.pixel "base00";
 base16Scheme = {
 yaml = "${pkgs.base16-schemes}/share/themes/vice.yaml";
- use-ifd = "auto";
+ use-ifd = "always";
 };
 # Has to be green
 override.base0B = "#00CC99";