diff --git a/config/services/adguardhome.nix b/config/services/adguardhome.nix index d5ad8bd..0258bda 100644 --- a/config/services/adguardhome.nix +++ b/config/services/adguardhome.nix @@ -18,7 +18,8 @@ settings = { dns = { bind_hosts = [ - "0.0.0.0" + (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4) + (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv6) ]; anonymize_client_ip = false; upstream_dns = [ @@ -35,8 +36,8 @@ ]; }; user_rules = [ - "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.home.cidrv4}" "||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}" + "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}" "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}" ]; dhcp.enabled = false; diff --git a/config/services/samba.nix b/config/services/samba.nix index de76b1c..70034df 100644 --- a/config/services/samba.nix +++ b/config/services/samba.nix @@ -119,7 +119,7 @@ in # clients hardcode the host and share names. "disable netbios" = "yes"; # Allow access to local network - "hosts allow" = "192.168.178. 10. localhost"; + "hosts allow" = "10. localhost"; "guest account" = "nobody"; "map to guest" = "bad user"; diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index cc38628..5a09e50 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix @@ -68,8 +68,8 @@ (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6) ]; gateway = [ - (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4) - (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6) + (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4) + (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6) ]; } ) 
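Review bot: Missing here is a comment on why the resolver now binds only to its two services-VLAN addresses instead of `0.0.0.0`; with nothing recorded, a later reader may well put the wildcard back. Reading the rest of this change, clients on the other VLANs presumably reach it through the new DNAT rules in hosts/nucnix/forwarding.nix, so a line above the list such as `# Listen only on the services VLAN; other VLANs reach this resolver through the nucnix port-forwarding rules` would pin the intent (adjust if the path is different). The `upstream_dns` list that follows continues outside the hunk.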
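Review bot: The rewrite for `${globals.domains.web}` only yields an A record for host 1 of the services VLAN, while the same change adds an `ip6 daddr` DNAT for host 1 of `globals.net.vlans.services.cidrv6` in hosts/nucnix/forwarding.nix and an IPv6 bind address above; without a matching AAAA rewrite, dual-stack clients never use that v6 path and get whatever upstream returns for the name. If the v6 DNAT is meant to be used, add `"||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv6}"` next to the v4 rule; AdGuard Home emits an AAAA record when the rewrite value is an IPv6 address. Separately, the `"10.99.2.0/24"` literal for the fritz network here is also hard-coded in forwarding.nix (`net.cidr.host 2 "10.99.2.0/24"`); a single named value under `globals.net` would keep the two in step.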
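Review bot: `"hosts allow" = "10. localhost"` admits every source in 10.0.0.0/8, which after this change presumably includes the services VLAN and the WireGuard participants that hosts/nucnix/net.nix now forwards between, not only the home clients that the `# Allow access to local network` comment describes. If only the home VLAN should reach the shares, use its prefix instead of the bare octet, e.g. `"hosts allow" = "${globals.net.vlans.home.cidrv4} localhost";` (Samba accepts address/prefix-length entries), assuming `globals` is available in this module as it is in adguardhome.nix. The firewall may already narrow this, but that is outside the hunk; either way the comment should name the networks actually admitted.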
@@ -84,7 +84,7 @@ backend = "microvm"; microvm = { system = "x86_64-linux"; - interfaces.lan = { }; + interfaces.lan-services = { }; baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac; }; extraSpecialArgs = { @@ -114,7 +114,6 @@ }; in { } - // mkContainer "adguardhome" { } // mkContainer "oauth2-proxy" { } // mkContainer "vaultwarden" { } // mkContainer "ddclient" { } diff --git a/hosts/elisabeth/net.nix b/hosts/elisabeth/net.nix index 09ec30c..855108f 100644 --- a/hosts/elisabeth/net.nix +++ b/hosts/elisabeth/net.nix @@ -58,13 +58,7 @@ in } ] ++ (flip mapAttrsToList globals.net.vlans ( - name: - { - cidrv4, - cidrv6, - ... - }: - { + name: _: { "40-vlans".vlan = [ "vlan-${name}" ]; "10-vlan-${name}" = { matchConfig.Name = "vlan-${name}"; @@ -79,21 +73,12 @@ in ''; }; "20-lan-${name}" = { - address = [ - (lib.net.cidr.hostCidr 1 cidrv4) - ]; + DHCP = "yes"; matchConfig.Name = "lan-${name}"; networkConfig = { MulticastDNS = true; IPv6PrivacyExtensions = "yes"; - IPv4Forwarding = "yes"; - IPv6SendRA = true; - IPv6AcceptRA = false; - DHCPPrefixDelegation = true; }; - ipv6Prefixes = [ - { Prefix = cidrv6; } - ]; }; } )) @@ -108,6 +93,11 @@ in to = [ "local" ]; allowedTCPPorts = [ 22 ]; }; + mdns = { + from = [ "home" ]; + to = [ "local" ]; + allowedUDPPorts = [ 5353 ]; + }; }; }; @@ -120,10 +110,8 @@ in enable = true; networks = { # redo the network cause the livesystem has macvlans - "10-lanhome" = { - address = [ - # (lib.net.cidr.hostCidr 1 globals.net.vlans.home.cidrv4) - ]; + "10-lan-home" = { + DHCP = "yes"; matchConfig.Name = "vlan-home"; networkConfig = { IPv6PrivacyExtensions = "yes"; @@ -142,7 +130,7 @@ in Name = "vlan-home"; Kind = "vlan"; }; - # vlanConfig.Id = globals.net.vlans.home.id; + vlanConfig.Id = globals.net.vlans.home.id; }; }; }; diff --git a/hosts/nucnix/forwarding.nix b/hosts/nucnix/forwarding.nix index f4ef0ef..62be5ac 100644 --- a/hosts/nucnix/forwarding.nix +++ b/hosts/nucnix/forwarding.nix 
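Review bot: Removing `IPv6AcceptRA = false` along with the forwarding and RA settings means the `lan-${name}` links now accept router advertisements (systemd-networkd enables RA reception by default once the link is not forwarding), so any host on one of these VLANs can inject a default route or prefix unless the switch filters RAs; that is presumably wanted now that nucnix is the router, but it is only implicit. Make it explicit in `networkConfig`, e.g. `IPv6AcceptRA = true; # nucnix is the RA/DHCP source on every VLAN`, so the earlier hardening is not quietly lost rather than deliberately replaced. The `mapAttrsToList` function enclosing this block starts in the preceding `@@ -58` hunk, so its head is outside this one.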
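Review bot: The new `mdns` rule admits UDP 5353 only from zone `home`, while the `20-lan-${name}` networks in the earlier hunk keep `MulticastDNS = true` on every VLAN link; mDNS from the other VLANs is therefore dropped at the firewall, which is a reasonable default-deny stance but should be stated, e.g. `# mDNS is enabled on every VLAN link, but only the home VLAN may reach this host's responder`. The same rule is added verbatim in hosts/nucnix/net.nix (hunk `@@ -135`); a shared snippet under config/ would keep the two in step if both hosts are meant to answer mDNS from home. Whether firewall zones exist for the other VLANs is outside the hunk.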
@@ -19,10 +19,10 @@ let prerouting.port-forward = { after = [ "hook" ]; rules = [ - "iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${ + "iifname { vlan-fritz, lan-home } ip daddr { ${net.cidr.host 1 globals.net.vlans.services.cidrv4}, ${net.cidr.host 2 "10.99.2.0/24"} } ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${ net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4 }" - "iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${ + "iifname { vlan-fritz, lan-home } ip6 daddr ${net.cidr.host 1 globals.net.vlans.services.cidrv6} ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${ net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6 }" ]; @@ -36,7 +36,10 @@ let }; rules = { "forward-${service}" = { - from = [ "fritz" ]; + from = [ + "fritz" + "home" + ]; to = [ service ]; "allowed${toUpper protocol}Ports" = ports; }; diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix index aee87ac..df70f45 100644 --- a/hosts/nucnix/guests.nix +++ b/hosts/nucnix/guests.nix @@ -46,8 +46,8 @@ (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6) ]; gateway = [ - (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4) - (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6) + (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4) + (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6) ]; } ) diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix index 54f6eac..bb7b52d 100644 --- a/hosts/nucnix/net.nix +++ b/hosts/nucnix/net.nix @@ -23,6 +23,7 @@ in networking.nftables.firewall.zones = mkMerge [ { fritz.interfaces = [ "vlan-fritz" ]; + wg-services.interfaces = [ "services" ]; adguard.ipv4Addresses = [ (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4) ]; 
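Review bot: The two DNAT rule strings now carry the interface set, a `daddr` set and the port set inline with nested interpolations, and the v4 and v6 variants repeat the `iifname` and `dport` expressions, which makes a typo in one of them easy to miss; the hunk sits inside a `let` whose head is outside the hunk. Bind the shared pieces once, e.g. `dports = "{ ${concatStringsSep ", " (map toString ports)} }";` and `v4daddr = "{ ${net.cidr.host 1 globals.net.vlans.services.cidrv4}, ${net.cidr.host 2 "10.99.2.0/24"} }";`, and reference them from both rules. A short comment on the `daddr` match would also help, since it is what limits the hairpin from `lan-home` to connections addressed at those two addresses (presumably nucnix's own) rather than rewriting every connection from home on these ports; the `forward-${service}` rule in the next hunk, which now also admits zone `home`, relies on that.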
@@ -86,7 +87,7 @@ in "40-vlans" = { matchConfig.Name = "lan01"; networkConfig.LinkLocalAddressing = "no"; - vlan = [ "lan-fritz" ]; + vlan = [ "vlan-fritz" ]; }; } ] @@ -135,6 +136,11 @@ in networking.nftables.firewall = { snippets.nnf-ssh.enable = lib.mkForce false; rules = { + mdns = { + from = [ "home" ]; + to = [ "local" ]; + allowedUDPPorts = [ 5353 ]; + }; ssh = { from = [ "fritz" @@ -181,6 +187,12 @@ in to = [ "local" ]; allowedUDPPorts = [ config.wireguard.services.server.port ]; }; + # Forward traffic between participants + forward-wireguard = { + from = [ "wg-services" ]; + to = [ "wg-services" ]; + verdict = "accept"; + }; }; }; wireguard.services.server = { diff --git a/hosts/nucnix/secrets/adguardhome/host.pub b/hosts/nucnix/secrets/adguardhome/host.pub new file mode 100644 index 0000000..eb206e5 --- /dev/null +++ b/hosts/nucnix/secrets/adguardhome/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCoTo3zmzagHyFMVh9Qz8co8dCsTE1rL9Jor0jbJ94I root@nucnix-adguardhome diff --git a/hosts/nucnix/secrets/nginx/host.pub b/hosts/nucnix/secrets/nginx/host.pub new file mode 100644 index 0000000..e183530 --- /dev/null +++ b/hosts/nucnix/secrets/nginx/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHn/tUvgC5lXA5DKwEkSRT1dB10TKilbrqFa6/NBQsOz root@nucnix-nginx
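Review bot: `forward-wireguard` with `verdict = "accept"` from `wg-services` to itself is a blanket any-protocol, any-port allow among all WireGuard peers, so one compromised peer can reach every other peer on every port; the zone is declared in the `@@ -23` hunk as interface `services`. If peers only need specific services, prefer `allowedTCPPorts`/`allowedUDPPorts` lists as the neighbouring WireGuard server rule does with `allowedUDPPorts = [ config.wireguard.services.server.port ]`; if a full mesh is intended, extend the comment so the decision is recorded, e.g. `# Forward traffic between participants: intentional full any-to-any mesh between WireGuard peers`. The firewall's `rules` attrset continues outside the hunk.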