diff --git a/config/services/adguardhome.nix b/config/services/adguardhome.nix
index eefad01..50ab230 100644
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@@ -7,7 +7,12 @@
 {
 wireguard.services = {
 client.via = "nucnix";
- firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ config.services.adguardhome.port ];
+ firewallRuleForNode.${globals.services.nginx.host}.allowedTCPPorts = [
+ config.services.adguardhome.port
+ ];
+ firewallRuleForNode.${globals.services.homeassistant.host}.allowedTCPPorts = [
+ config.services.adguardhome.port
+ ];
 };
 services.adguardhome = {
 enable = true;
diff --git a/config/services/homeassistant.nix b/config/services/homeassistant.nix
index 66a994e..9eb5cc3 100644
--- a/config/services/homeassistant.nix
+++ b/config/services/homeassistant.nix
@@ -1,5 +1,6 @@
 {
 config,
+ globals,
 nodes,
 lib,
 ...
@@ -24,9 +25,11 @@
 "met"
 "esphome"
 "fritzbox"
+ "homematic"
 "soundtouch"
 "spotify"
 "matter"
+ "esphome"
 #"zha"
 "mqtt"
 ];
@@ -75,8 +78,15 @@
 python3Packages: with python3Packages; [
 psycopg2
 gtts
+ fritzconnection
+ adguardhome
 ];
 };
+ networking.hosts = {
+ "${nodes.${globals.services.adguardhome.host}.config.wireguard.services.ipv4}" = [
+ "adguardhome.internal"
+ ];
+ };
 age.secrets."home-assistant-secrets.yaml" = {
 rekeyFile = "${config.node.secretsDir}/secrets.yaml.age";
 owner = "hass";
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index 6032417..c229409 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
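Review bot: The new `firewallRuleForNode.${globals.services.homeassistant.host}` entry opens AdGuard Home's web interface port (`config.services.adguardhome.port`) to the Home Assistant node with no comment saying why, so a reader cannot tell whether the API or DNS was meant; the homeassistant.nix change in this commit (the `adguardhome` python package and the `adguardhome.internal` hosts entry) suggests the former. Suggest `# Home Assistant's adguardhome integration talks to the AdGuard Home API over wireguard` above that rule. Since this same change makes `services.<name>.host` nullable in modules/globals.nix, note that `${...host}` in an attribute path fails evaluation with a null-coercion error if either host is ever unset; an assertion or a remark on the option would make that explicit.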
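Review bot: `"esphome"` is now listed twice in the component list — it already appears two entries above `"fritzbox"` and the hunk adds it again after `"matter"`. The duplicate is likely harmless at evaluation time, but it should be dropped so only the new `"homematic"` line is kept; otherwise the next person editing the list will wonder which one to remove.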
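Review bot: The `networking.hosts` entry pins `adguardhome.internal` to the AdGuard Home node's wireguard address without a comment explaining why a static hosts entry is used instead of DNS, or where that name is consumed (presumably the adguardhome integration's host setting, which lives in the secrets file not shown here). Suggest `# adguardhome.internal is the hostname the adguardhome integration is configured with; resolve it to the wireguard address, which is not published in DNS` — confirm the second clause against the actual reason before committing it.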
@@ -116,6 +116,29 @@ in
 enable = true;
 recommendedSetup = true;
 virtualHosts."${globals.services.netbird.domain}".useACMEHost = "web";
+ upstreams.fritz = {
+ servers."${lib.net.cidr.host 1 "10.99.2.0/24"}" = { };
+ extraConfig = ''
+ zone fritz 64k ;
+ keepalive 5 ;
+ '';
+ };
+ virtualHosts.${globals.services.fritz.domain} = {
+ forceSSL = true;
+ useACMEHost = "web";
+ locations."/" = {
+ proxyPass = "https://fritz";
+ proxyWebsockets = true;
+ X-Frame-Options = "SAMEORIGIN";
+ };
+ extraConfig = ''
+ client_max_body_size 512M ;
+ proxy_ssl_verify off ;
+ allow ${globals.net.vlans.home.cidrv4} ;
+ allow ${globals.net.vlans.home.cidrv6} ;
+ deny all ;
+ '';
+ };
 }
 (blockOf "vaultwarden" { maxBodySize = "1G"; })
 (blockOf "forgejo" { maxBodySize = "1G"; })
diff --git a/config/services/samba.nix b/config/services/samba.nix
index 294d8ff..65dae7d 100644
--- a/config/services/samba.nix
+++ b/config/services/samba.nix
@@ -8,6 +8,8 @@ let
 shares = lib.removeAttrs config.services.samba.settings [ "global" ];
 in
 {
+ # allow direct access to shares
+ networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-home" ];
 services.samba-wsdd = {
 enable = true; # make shares visible for windows 10 clients
 openFirewall = true;
diff --git a/globals.nix b/globals.nix
index a877955..d3c467e 100644
--- a/globals.nix
+++ b/globals.nix
@@ -38,6 +38,7 @@ in
 id = 40;
 cidrv4 = "10.99.${toString id}.0/24";
 cidrv6 = "fd${toString id}::/64";
+ internet = false;
 };
 guests = rec {
 id = 50;
@@ -72,6 +73,9 @@ in
 domain = "ppl.${globals.domains.web}";
 host = "elisabeth-paperless";
 };
+ fritz = {
+ domain = "fritz.${globals.domains.web}";
+ };
 ttrss = {
 domain = "rss.${globals.domains.web}";
 host = "elisabeth-ttrss";
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 7900f88..8344388 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
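Review bot: `X-Frame-Options = "SAMEORIGIN";` inside `locations."/"` is not, as far as I know, an option of the nixpkgs nginx `locations` submodule, so unless a module in this repo declares it, evaluation fails with an undefined-option error; if a response header is intended it belongs in the location's `extraConfig` as `add_header X-Frame-Options "SAMEORIGIN";`. `proxy_ssl_verify off` means nginx never authenticates the upstream's certificate; since the upstream is a fixed LAN device, pointing `proxy_ssl_trusted_certificate` at its certificate with `proxy_ssl_verify on` would be preferable, and failing that the directive deserves a comment stating that the device presents a self-signed certificate and is only reachable on the home VLAN. The upstream address is also hard-coded as `lib.net.cidr.host 1 "10.99.2.0/24"` while every other address in this config is derived from `globals.net.vlans.<name>.cidrv4`; use the corresponding vlan entry (or a field on the new `globals.services.fritz` set) so the subnet is defined in one place.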
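Review bot: The comment `# allow direct access to shares` does not describe what the line does: it places the `mv-home` link in the nftables `untrusted` zone so the ports samba-wsdd and samba open for that zone are reachable on the home link. Since hosts/elisabeth/guests.nix in this same change sets the same option to `[ "mv-services" ]` for every guest, the two list definitions should merge rather than override, and if the samba guest (whose `vlans` is `[ "home" ]`) has no `mv-services` link that entry is a dangling interface name there — worth stating. Suggest `# Also put the home link in the untrusted zone (merged with the mv-services entry from guests.nix) so the samba ports are reachable directly from home clients`.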
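Review bot: `fritz` is the first `services` entry with only a `domain` and no `host`, which is why `host` is made nullable in modules/globals.nix in this change; a comment saying that this is an external device reverse-proxied by nginx rather than a managed node would save the next reader that inference, e.g. `# external device (presumably the FRITZ!Box); reverse-proxied by nginx, not hosted on a node`. The device's address is meanwhile hard-coded in config/services/nginx.nix (`"10.99.2.0/24"`); recording it here next to the domain would keep addressing in one place.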
@@ -53,9 +53,7 @@
 ../../config/services/${guestName}.nix
 {
 node.secretsDir = config.node.secretsDir + "/${guestName}";
- networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
- lib.length config.guests.${guestName}.networking.links == 1
- ) config.guests.${guestName}.networking.links;
+ networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-services" ];
 systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
 lib.listToAttrs (
 lib.flip map vlans (
@@ -67,7 +65,7 @@
 (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
 (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
 ];
- gateway = [
+ gateway = lib.optionals globals.net.vlans.${name}.internet [
 (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
 (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
 ];
@@ -127,7 +125,13 @@
 // mkContainer "netbird" { }
 // mkContainer "blog" { }
 // mkContainer "kanidm" { }
- // mkContainer "homeassistant" { }
+ // mkContainer "homeassistant" {
+ vlans = [
+ "services"
+ "devices"
+ "iot"
+ ];
+ }
 // mkContainer "nextcloud" { enablePanzer = true; }
 // mkContainer "paperless" { enableSharedPaperless = true; }
 // mkContainer "forgejo" { enablePanzer = true; }
@@ -137,6 +141,8 @@
 enableRenaultFT = true;
 enableBunker = true;
 enableSharedPaperless = true;
- vlans = [ "home" ];
+ vlans = [
+ "home"
+ ];
 };
 }
diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix
index 84f0550..2bdd241 100644
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
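Review bot: Replacing the `mkIf (length links == 1) links` rule with a fixed `[ "mv-services" ]` changes zone assignment for multi-link guests: homeassistant, which this commit gives the `services`, `devices` and `iot` vlans, now has only `mv-services` in the untrusted zone while `mv-devices` and `mv-iot` are in no zone at all, so the firewall's default policy applies to them; and for a guest whose `vlans` list lacks `services` (samba uses `[ "home" ]`) the zone names a link that may not exist. If that is intended, a comment such as `# only the services link is untrusted; links for extra vlans are zoned by the service's own config (config/services/*.nix)` would make it explicit. The same replacement appears in hosts/nucnix/guests.nix and needs the same comment. The enclosing mkContainer function starts outside the hunk.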
@@ -38,9 +38,7 @@ in
 ../../config/services/${guestName}.nix
 {
 node.secretsDir = config.node.secretsDir + "/${guestName}";
- networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
- lib.length config.guests.${guestName}.networking.links == 1
- ) config.guests.${guestName}.networking.links;
+ networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-services" ];
 systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
 lib.listToAttrs (
 lib.flip map vlans (
@@ -52,7 +50,7 @@ in
 (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
 (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
 ];
- gateway = [
+ gateway = lib.optionals globals.net.vlans.${name}.internet [
 (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
 (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
 ];
diff --git a/hosts/nucnix/kea.nix b/hosts/nucnix/kea.nix
index adca701..64e08eb 100644
--- a/hosts/nucnix/kea.nix
+++ b/hosts/nucnix/kea.nix
@@ -35,7 +35,12 @@ in
 };
 subnet4 = flip mapAttrsToList globals.net.vlans (
 name:
- { id, cidrv4, ... }:
+ {
+ id,
+ cidrv4,
+ internet,
+ ...
+ }:
 rec {
 inherit id;
 interface = "lan-${name}";
@@ -45,16 +50,17 @@ in
 pool = "${net.cidr.host 50 subnet} - ${net.cidr.host (-6) subnet}";
 }
 ];
- option-data = [
- {
+ option-data =
+ [
+ {
+ name = "domain-name-servers";
+ data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
+ }
+ ]
+ ++ lib.optional internet {
 name = "routers";
 data = "${net.cidr.host 1 subnet}";
- }
- {
- name = "domain-name-servers";
- data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
- }
- ];
+ };
 reservations = [
 {
 # homematic
diff --git a/modules/globals.nix b/modules/globals.nix
index 95cc62d..00b32cc 100644
--- a/modules/globals.nix
+++ b/modules/globals.nix
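Review bot: With `internet = false` the `routers` option is omitted, but `domain-name-servers` still points clients at AdGuard Home on the `services` vlan, an address outside the client's own subnet; without a default route (or a classless static route option) DHCP clients on such a vlan cannot reach that resolver, so name resolution silently breaks there. Either hand out an on-link resolver for non-internet vlans, add a static route to the services subnet in `option-data`, or record why this is acceptable with a comment such as `# NOTE: vlans with internet = false get no gateway, so the services-vlan resolver is only reachable if a route is provided elsewhere`. Also worth confirming that `lib` is in scope in this file, since the surrounding code uses `flip`, `mapAttrsToList` and `net` unqualified while the new line uses `lib.optional`.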
@@ -109,6 +109,11 @@ in default = null; description = "The CIDRv6 of this vlan"; }; + internet = mkOption { + type = types.bool; + default = true; + description = "Whether this vlan is connected to the internet"; + }; name = mkOption { description = "The name of this VLAN"; @@ -130,7 +135,8 @@ in default = null; }; host = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; description = "The node-name on which this service runs"; }; ip = mkOption {
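Review bot: The `internet` option's description, "Whether this vlan is connected to the internet", does not say what the flag changes; from the rest of this change it controls whether guests on the vlan get a default gateway (hosts/*/guests.nix) and whether kea hands out the `routers` option. Suggest `description = "Whether this vlan has a default route to the internet. When false, guests on it get no gateway and the DHCP server hands out no routers option.";` so the consequences are visible where the flag is declared.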
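Review bot: `host` now defaults to `null` but the description still reads as if it is always set; every consumer that interpolates it (`firewallRuleForNode.${...host}` in config/services/adguardhome.nix, `nodes.${...host}` in config/services/homeassistant.nix) fails evaluation with a null-coercion error when it is unset, so the description should say when null is legitimate. Suggest `description = "The node-name on which this service runs, or null if the service is not hosted on a managed node (e.g. an external device that is only reverse-proxied by nginx).";`.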