feat: wireguard samba network

hosts/desktopnix/net.nix

@@ -21,4 +21,5 @@
     };
   };
   networking.nftables.firewall.zones.untrusted.interfaces = ["lan01"];
+  wireguard.samba-patrick.client.via = "elisabeth-samba";
 }

hosts/patricknix/net.nix

@@ -13,6 +13,7 @@
     devoloog-sae19.rekeyFile = ./secrets/iwd/devoloog-sae19.age;
     devoloog-sae20.rekeyFile = ./secrets/iwd/devoloog-sae20.age;
   };
+  wireguard.samba-patrick.client.via = "elisabeth-samba";
   networking.nftables.firewall.zones.untrusted.interfaces = ["lan01" "lan02" "wlan01"];
   networking = {
     inherit (config.secrets.secrets.local.networking) hostId;

modules/config/home-manager.nix

@@ -2,6 +2,7 @@
   stateVersion,
   inputs,
   pkgs,
+  nodes,
   ...
 }: {
   imports = [./impermanence/users.nix];
@@ -10,6 +11,7 @@
     useUserPackages = true;
     verbose = true;
     extraSpecialArgs = {
+      inherit nodes;
       spicePkgs = inputs.spicetify-nix.packages.${pkgs.system}.default;
     };
     sharedModules = [

modules/services/paperless.nix

@@ -67,6 +67,7 @@ in {
     client.via = "elisabeth";
     firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.paperless.port];
   };
+
   age.secrets.paperless-admin-passwd = {
     generator.script = "alnum";
     mode = "440";

modules/services/samba.nix

@@ -38,6 +38,13 @@
       ];
     };
   };
+  wireguard.samba-patrick.server = {
+    host = config.secrets.secrets.global.domains.web;
+    port = 51830;
+    reservedAddresses = ["10.43.0.0/20" "fd00:1765::/112"];
+    openFirewall = true;
+  };
+
   services.samba = {
     enable = true;
     securityType = "user";
@@ -62,7 +69,7 @@
       # Deny access to all hosts by default.
       "hosts deny = 0.0.0.0/0"
       # Allow access to local network
-      "hosts allow = 192.168.178. 127.0.0.1 10.0.0. localhost"
+      "hosts allow = 192.168.178. 127.0.0.1 10.43.0. localhost"
 
       "guest account = nobody"
       "map to guest = bad user"

secrets/wireguard/samba-patrick/keys/desktopnix.pub

@@ -0,0 +1 @@
+eA1ooGt8mnAn0zWPjwHYZn2WUXkVt1vRsXV8e/Mr7Vc=

secrets/wireguard/samba-patrick/keys/elisabeth-samba.pub

@@ -0,0 +1 @@
+DgNhJbWzoGYi9GNwAS9QrKbYSobPlWG6wwehNLUJZio=

secrets/wireguard/samba-patrick/keys/patricknix.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 jSOPR4LRd0tfr2ygMnIBz+NL2f63QvjDPHwhE7+ezEA
+pIFPGdJy11+xZ6lh5tYouOoUqz8n9w5SUhdeHxP0yjU
+-> piv-p256 XTQkUA AjmrbTNVLJ9YWq/BLnn8t9nnuKMs13QASclnSJbKGLgL
+xsJwc9qPCrHKFODIfLlQwjFFdBQ7OWaPxcDFCQOcTbo
+-> piv-p256 ZFgiIw A7sPNQpa+8ok9V1AFczo+YZJ/S9xyU1lctkVXCgJgzFS
+9L4Ff6o75Ir31atvH/OGKJN/XBofrQtWsCOZh09GmDA
+-> piv-p256 5vmPtQ A2FD9DnhSA9DMl2krxLHQGOaULNzQsN6CCbxFJc+x4z8
+TOxi0USIzxF61IbP7wd/sNZbWu+llnfz1W3fZQ/HSOs
+-> piv-p256 ZFgiIw AyCJNFSiZ7EoCbAjB6QUwsXLeqr3GUtL3vugCuCL4KFP
+0ZRhdIES7WQ6Kv8jciPGa/5HjFpGNK5TIZUIBB+A+lE
+-> KQfRA-grease gq} | kD
+G+FJybvwLHnk06k
+--- M8jZW4khQpHjC8OvQouNonLilK9dnant0IUzqYbYHCk
+Ãü<uPq"èã.ÚZ49{ì»û	ªK$mÉijs7YÒVPuf<75>£àÕ·?Ü+<2B>mt!|´ñ-Bþ J”…I1§¤¹¹¿$p(

secrets/wireguard/samba-patrick/keys/patricknix.pub

@@ -0,0 +1 @@
+pWodJY+hhGrJxW1ovQnWxWxZXcXfEBDFfq7HXIzymF8=

secrets/wireguard/samba-patrick/psks/desktopnix+elisabeth-samba.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 t6oAnWOe58WatE7xAZutNkbfMJALCfOblGzwF4SXuhg
+ARg4y/JHxyujLAQeZokxcjVlIz20vPbI614wwUzxLSw
+-> piv-p256 XTQkUA Akz23XTjEEXje1/maOahUvHngVn5ArcL4pLfwg3mOc3F
+SqH9c1CyeIl3ujKYOZ/mfpfHBEBjfzJEOzFhYXuB5B8
+-> piv-p256 ZFgiIw A+6EYdHMjm8qRIpXCdr5c/sfJDH678LKM0ZWDrUrxAZP
+6WE0/kNs5RERwjR2sMHKpAFRaeX18eoVWPheZjzPqZQ
+-> piv-p256 5vmPtQ AsLoUNVHvNydMli9OfXGzoYanobiI0bWZYLsPfu1SdF1
+20dL9iybblGRE06YV/bPnTJ9rGffIQJu/VQ1WYNMPU8
+-> piv-p256 ZFgiIw AxqCgK+ogTBYaJ0HQF9m8ZBUtufpCsD6wKoIavCl+Cdb
+2Vi+AvG3D/U/kV7VtNd1P3Z5VW5Lzz4Ll/DeTqFHQnk
+-> l*B1BIs-grease eIX .o<9F39h fI8
+s0/BUCj4reWqfTxkvA
+--- L1ENSVVcxVSROI+zYhmFHASbsfIOkjn0nXNc4nfFdQY
+搭棗豏PUf_贓q裈y熬鄑讲悧y╳<79>f恈@<40>M翐A孛p伞亇'C<13>柅*<2A>濋袵U噠填湥迏<E6B9A5>

secrets/wireguard/samba-patrick/psks/elisabeth-samba+patricknix.age

@@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> X25519 eFLhzD4YvPXNBOZC2Ud6cB0FPRWo6+x1qTH8YEKy+Cg
+rPUgaR4mLNbPz/zfCOnN7BQ/prNzoYGW5rPrRMOEgvk
+-> piv-p256 XTQkUA A1eUqEvO/tkHgPlr7DFqQBdddMMvKJvvZ6bFgl6SqTUE
++J2gi8D9Bg6dEr5OLOmnhy8/kfGQDXQpTCnYTWLp0IM
+-> piv-p256 ZFgiIw AoHGWuCfTy0aIy1ZIp+H64wXzuoR9Yd2rsDxJL6Rjr9Y
+W+u/mTIo5TwYdZc1nnC6rPa6WU15eXSg86RFdLCTFkg
+-> piv-p256 5vmPtQ A6BO2wkSQ8rZnJg1ykx6WhyZpQMMiLYovm2AHa567VdO
+XB9NpGBZJU48rSddjmfk3uEMCugR2vktv0NajTpPF4M
+-> piv-p256 ZFgiIw AthYefErdON2SVYJaysT8twtGxfM0xrdUf1Qu74MtG/C
+nZb7ozfvgf4JipSWKWjdztdxubdwokv1aBtLfn4HxNo
+-> PsVq=WN-grease
+kFWRaojwHfs1RYduR3IrPISIUXHrwjiJEZtciWI8A+1BFv9H8B/7r+Ews3i2JfhE
+LwCsAaK40IdWZbe47+67K8wNo60do+NKW0W6qemkYgziVlP0
+--- o/fKSKsuClle7KXgbq2gXn7t78C2iCvOM2uuU/9Mt8g
+‰S˜Ÿï=“ê‘q“* ɾ8UI/#4¹ÔçUñð
+áð
+ž<12>ýØ/‘Ÿbçø<C3A7>ÜÉýÎþ649§Gj«?!‡^¡½‡twËV‰ìwL—

users/patrick/smb.nix

@@ -1,6 +1,10 @@
-{nixosConfig, ...}: {
+{
+  nixosConfig,
+  nodes,
+  ...
+}: {
   home.smb = let
-    address = "192.168.178.12";
+    address = nodes.elisabeth-samba.config.wireguard.samba-patrick.ipv4;
     credentials = nixosConfig.age.secrets.smb-creds.path;
   in [
     {