feat: allow services from home net

hosts/sire/guests/grafana.nix

@@ -146,8 +146,8 @@ in
           proxyWebsockets = true;
         };
         extraConfig = ''
-          allow ${globals.net.home-lan.vlans.services.cidrv4};
+          allow ${globals.net.home-lan.vlans.home.cidrv4};
-          allow ${globals.net.home-lan.vlans.services.cidrv6};
+          allow ${globals.net.home-lan.vlans.home.cidrv6};
           deny all;
         '';
       };

hosts/sire/guests/immich.nix

@@ -249,8 +249,8 @@ in
           proxy_read_timeout 600s;
           proxy_send_timeout 600s;
           send_timeout       600s;
-          allow ${globals.net.home-lan.vlans.services.cidrv4};
+          allow ${globals.net.home-lan.vlans.home.cidrv4};
-          allow ${globals.net.home-lan.vlans.services.cidrv6};
+          allow ${globals.net.home-lan.vlans.home.cidrv6};
           deny all;
         '';
       };

hosts/sire/guests/paperless.nix

@@ -79,8 +79,8 @@ in
         useACMEWildcardHost = true;
         extraConfig = ''
           client_max_body_size 512M;
-          allow ${globals.net.home-lan.vlans.services.cidrv4};
+          allow ${globals.net.home-lan.vlans.home.cidrv4};
-          allow ${globals.net.home-lan.vlans.services.cidrv6};
+          allow ${globals.net.home-lan.vlans.home.cidrv6};
           deny all;
         '';
         locations."/" = {

hosts/sire/guests/samba.nix

@@ -179,8 +179,10 @@ in
             # Deny access to all hosts by default.
             "hosts deny" = "0.0.0.0/0";
             # Allow access to local network and TODO: wireguard
-            "hosts allow" =
+            "hosts allow" = lib.concatStringsSep " " [
-              "${globals.net.home-lan.vlans.services.cidrv4} ${globals.net.home-lan.vlans.services.cidrv6}";
+              globals.net.home-lan.vlans.home.cidrv4
+              globals.net.home-lan.vlans.home.cidrv6
+            ];
             # Don't advertise inaccessible shares to users
             "access based share enum" = "yes";
 

hosts/ward/guests/web-proxy.nix

@@ -70,8 +70,8 @@ in
       # is over TLS.
       extraConfig = ''
         proxy_ssl_verify off;
-        allow ${globals.net.home-lan.vlans.services.cidrv4};
+        allow ${globals.net.home-lan.vlans.home.cidrv4};
-        allow ${globals.net.home-lan.vlans.services.cidrv6};
+        allow ${globals.net.home-lan.vlans.home.cidrv6};
         deny all;
       '';
     };

hosts/ward/net.nix

@@ -214,13 +214,27 @@
         verdict = "accept";
       };
 
+      # Allow devices in the home VLAN to talk to any of the services or home devices.
+      access-services = {
+        from = [
+          "vlan-home"
+        ];
+        to = [
+          "vlan-services"
+          "vlan-devices"
+        ];
+        late = true;
+        verdict = "accept";
+      };
+
+      # Allow the services VLAN to talk to our wireguard server
       services-to-local = {
         from = [ "vlan-services" ];
         to = [ "local" ];
         allowedUDPPorts = [ config.wireguard.proxy-home.server.port ];
       };
 
-      # Forward traffic between participants
+      # Forward traffic between wireguard participants
       forward-proxy-home-vpn-traffic = {
         from = [ "proxy-home" ];
         to = [ "proxy-home" ];

hosts/zackbiene/home-assistant.nix

@@ -176,8 +176,8 @@ in
           proxyWebsockets = true;
         };
         extraConfig = ''
-          allow ${globals.net.home-lan.vlans.services.cidrv4};
+          allow ${globals.net.home-lan.vlans.home.cidrv4};
-          allow ${globals.net.home-lan.vlans.services.cidrv6};
+          allow ${globals.net.home-lan.vlans.home.cidrv6};
           deny all;
         '';
       };