feat: begin zackbiene rework

hosts/ward/default.nix

@@ -33,7 +33,7 @@
   };
 
   # Connect safely via wireguard to skip authentication
-  networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
+  networking.hosts.${config.wireguard.proxy-home.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
   meta.telegraf = {
     enable = true;
     influxdb2 = {

hosts/ward/guests/adguardhome.nix

@@ -9,7 +9,7 @@
 in {
   wireguard.proxy-sentinel = {
     client.via = "sentinel";
-    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.port];
+    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.port];
   };
 
   nodes.sentinel = {
@@ -17,7 +17,7 @@ in {
 
     services.nginx = {
       upstreams.adguardhome = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.port}" = {};
+        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" = {};
         extraConfig = ''
           zone adguardhome 64k;
           keepalive 2;
@@ -52,9 +52,9 @@ in {
   services.adguardhome = {
     enable = true;
     mutableSettings = false;
+    host = "0.0.0.0";
+    port = 3000;
     settings = {
-      host = "0.0.0.0";
-      port = 3000;
       dns = {
         # allowed_clients = [
         # ];

hosts/ward/kea.nix

@@ -9,6 +9,13 @@
   dnsIp = net.cidr.host 3 lanCidrv4;
   webProxyIp = net.cidr.host 4 lanCidrv4;
 in {
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/kea";
+      mode = "0700";
+    }
+  ];
+
   # TODO make meta.kea module?
   # TODO reserve by default using assignIps algo?
   services.kea.dhcp4 = {

hosts/ward/net.nix

@@ -156,9 +156,6 @@ in {
     };
   };
 
-  # Allow accessing influx
-  wireguard.proxy-sentinel.client.via = "sentinel";
-
   #wireguard.home.server = {
   #  host = todo # config.networking.fqdn;
   #  port = 51192;

hosts/zackbiene/default.nix

@@ -6,6 +6,7 @@
 }: let
   inherit (config.repo.secrets.local) acme;
   sentinelCfg = nodes.sentinel.config;
+  wardWebProxyCfg = nodes.ward-web-proxy.config;
 in {
   imports = [
     ../../modules/optional/hardware/odroid-n2plus.nix
@@ -14,14 +15,14 @@ in {
     ../../modules/optional/initrd-ssh.nix
     ../../modules/optional/zfs.nix
 
-    ./esphome.nix
+    #./esphome.nix
     ./fs.nix
-    ./home-assistant.nix
-    ./hostapd.nix
-    ./mosquitto.nix
+    #./home-assistant.nix
+    #./hostapd.nix
+    #./mosquitto.nix
     ./kea.nix
     ./net.nix
-    ./zigbee2mqtt.nix
+    #./zigbee2mqtt.nix
   ];
 
   topology.self.name = "🥔  zackbiene"; # yes this is 2x U+2009, don't ask (satori 🤬).
@@ -47,7 +48,12 @@ in {
   };
 
   # Connect safely via wireguard to skip http authentication
-  networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
+  networking.hosts.${
+    if config.wireguard ? proxy-home
+    then wardWebProxyCfg.wireguard.proxy-home.ipv4
+    else sentinelCfg.wireguard.proxy-sentinel.ipv4
+  } = [sentinelCfg.networking.providedDomains.influxdb];
+
   meta.telegraf = {
     enable = true;
     influxdb2 = {

hosts/zackbiene/kea.nix

@@ -4,8 +4,15 @@
   ...
 }: let
   inherit (lib) net;
-  iotCidrv4 = "10.0.90.0/24";
+  iotCidrv4 = "10.0.90.0/24"; # FIXME: make all subnet allocations accessible via global.net or smth
 in {
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/kea";
+      mode = "0700";
+    }
+  ];
+
   services.kea.dhcp4 = {
     enable = true;
     settings = {
@@ -14,13 +21,18 @@ in {
         persist = true;
         type = "memfile";
       };
-      valid-lifetime = 4000;
-      renew-timer = 1000;
-      rebind-timer = 2000;
+      valid-lifetime = 86400;
+      renew-timer = 3600;
       interfaces-config = {
         interfaces = ["wlan1"];
         service-sockets-max-retries = -1;
       };
+      option-data = [
+        {
+          name = "domain-name-servers";
+          data = "192.168.1.3"; # FIXME: global (also search for 192.168 and "*Ip =")
+        }
+      ];
       subnet4 = [
         {
           interface = "wlan1";

hosts/zackbiene/net.nix

@@ -8,8 +8,8 @@
 in {
   networking.hostId = config.repo.secrets.local.networking.hostId;
 
-  wireguard.proxy-sentinel = {
-    client.via = "sentinel";
+  wireguard.proxy-home = {
+    client.via = "ward";
   };
 
   boot.initrd.systemd.network = {
@@ -51,6 +51,27 @@ in {
   };
 
   networking.nftables.firewall = {
-    zones.untrusted.interfaces = ["lan1"];
+    snippets.nnf-icmp.ipv6Types = ["mld-listener-query" "nd-router-solicit"];
+
+    zones = {
+      untrusted.interfaces = ["lan1"];
+      lan.interfaces = ["lan1"];
+      iot.interfaces = ["wlan1"];
+    };
+
+    rules = {
+      masquerade-iot = {
+        from = ["lan"];
+        to = ["iot"];
+        masquerade = true;
+      };
+
+      outbound = {
+        from = ["lan"];
+        to = ["iot"];
+        late = true; # Only accept after any rejects have been processed
+        verdict = "accept";
+      };
+    };
   };
 }

secrets/rekeyed/sentinel/7bbc738a6b7f036671566a0dcf16455b-wireguard-proxy-sentinel-psks-sentinel+ward.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 yV7lcA vQsqojxPobKC/GApVahRbbyNBINS8wIuu8duOrLCmQE
-Jugt2kwD/csBYt+zv1K8G4ZTby3/3FomloJTzYLPTAY
--> '+q#4U3t-grease
-QGHRmCylzgRVGaKpEWSFt9e5Wm6Bm5ctgHEPWNKvrAlsJN12vUkt3uCtZmy500S8
-gKw/rNxTU2sUhL+qEJQuzbvpjBvepGBm6QOvh4n9vG93Yfq0+nFzS1A
---- 1VVeULtF716DG+ZFn0YFiDx2bfvAG5fA+3V3uuIZan4
-õ[5|RÕœœ_ ˜#A–Kr�ƒhJ®Û:šµV¶›	ÞjI]m~_Nå½?„”9ÐM´6Ûâ€é�š�Ó8aD5ïé"|E

secrets/rekeyed/sentinel/91eb5997e276d968bdb36f794e4bc903-wireguard-proxy-sentinel-psks-sentinel+zackbiene.age

@@ -1,10 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 yV7lcA 6ACSnnVp2xhzQ/QVuf/HepfEYoSpjk30q825mzwRilc
-gzAkr/xnFODD2dnn0l7vzS4w7pmZwAO23J6r0Yx9H14
--> U-grease j _i*1$@SM jfz6.
-FqCMO4ohslThLGpAowt0DBM+UTvbn7wIgPsvrpNdrB4nY7fQHHAI417uI8K8YvQY
-/IBfSiuPiFF1TDUaV2UvHL+P2lGCMIrWvHg1wiZHPpuS1yarDdj6THomPWYkbdAb
-7qeg
---- 1SON/pfv2UQly8bx4JlVTdj1QPLZih53h7yxAgyoddk
-¤žpß]b1rŒ=4Á?=ai�oFL¦ÕÅO
-ܽ€b›ñ¬÷bûoN5’Ëùü„gNUX¹Ý{þ2`?Ž%°|œ¤Çò»:LÂ

secrets/rekeyed/ward/020fd8ddc9ee58c7e32a968d26d3b765-wireguard-proxy-home-psks-ward+zackbiene.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg iTd9PnSEFe5Zzwld5E/onR2xtvNRF1vs8uNAuiU21FE
+8id5IERQSvIiVjEIuZ6uFrO2aLGtLD3TiGUqZJIZ4UA
+-> ZLaW2-grease
+OGBoLHKqHfuUnly0OEo+sSj20yKrrQ5U+xH5gBZ9ZA
+--- 71by0nesi0wWF0q1HgwTlvnZL6+rC24oxGZ1ogmer9E
+ºï3T—Á™ÈõD #§§‰m—«-áë³”Àí´7²U:öÂl	±Y›ÌÄúuÄÆÈ`ÌظŽ•«Ðr_KK+€é$xP¾&ƒ”[/‰h)

secrets/rekeyed/ward/62f1ce6d3e02cbbb670793b0ab141184-wireguard-proxy-sentinel-psks-sentinel+ward.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 iNceIg LhLSnqwCOA5S50b1zYiPlOeXGw2uPjJDiwv5w9XGrTM
-4Hz5PCLxetDHcf6N6Tp2fuDLreqHhIavM4NjdnTA6uQ
--> c&1hmDw-grease [VS*Zev: %;MC=6 @p5nwT61
-vP5f5VHYMYMFaDhzXHyA38rvb4e1KNfPG5Jj7jM2yiVKfk/kPc6jTqnzDlEuD7h4
-uusvcw
---- Btcjc8qBkfxLQ1LFUeEy8kBFho+NKwbHzSMht2jUIeg
-íƒmo§¹G±–M
-¦‘€ÂM�|%ý‹Q�ÇZ¨§ù¦-fþÕ›Ñ4—.Y“`÷ãiK…¤s§Ù^ƒ¢Ù DŠ>9ûŸ3­ÿÅÝ*Á

secrets/rekeyed/ward/97b14c8662bd7bd081e2b000db354bcc-wireguard-proxy-sentinel-priv-ward.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 iNceIg 2fpmUUMrDliZx8uVqkl/gAXFDLY+orMQgqKzM8AfkQ8
-qL4p4rRzgUEk0WfN+eXBVssJurtFJh2SpfzErkKpRWM
--> *Xm?<Z-grease fv[eyBgk
-4PLchn2s+mMnqx8MMNfWZxvdbkH6tiAJ8vBSKxdbSrJ8pGCuy88d8I8Delp9Lekx
-l39QFkaBLDx4unj5qgueqWqV+owahjN8dgu72rVY0z1bQoEvcWQYYB4
---- 4YxKhEk9XGuE2617op8Ki00DuiWvZ/ntuxckViMq7/g
-][§4^wï¾ífü&ç»j
-JVäΑË.2}®:ÉsaƒNÙ?%ìÇ�†xdò/®
Aþ+�|Ä9!ð]ÿóF'Kç1qãûûŸÖS-+÷À�

secrets/rekeyed/zackbiene/2114c48ad63cd022bc589099aa7ae978-mosquitto-pw-home_assistant.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 DynNMA 0jbyffbAwO0+WtJmLPgBdQ6o4BQfhtyoR3eC/CisgyY
-nx2vpN/ZWdoG6z0GVA5a4563wiySTlr+BUggqeAxfVU
--> fHq^-grease $1R? 4g mF
-6Y3otzVbFmwsR3Jqy6G82g9wnKz5JB5tSblkn6O9UoO5
---- wiu0ndqSrU3ofFPn8WlpLJz3JaMRSGDYcxR8A+QHSbI
-g[û^0ÄJìI‘¢¸—ÿ«3}§ß½c·m`íç-“x�‡tS'Éö˜¢»9¨$ˆ²Qb�ÝÛΆ

secrets/rekeyed/zackbiene/21fec08806b3194e39c928380133562f-mosquitto-pw-zigbee2mqtt.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 DynNMA IKMt3H+qN5Tp+klLYaeKCa0b5brlB8//VAjpAl68GCI
-MTV8wXhkCYulvS6o7Wnq/rMHeYqPxDdSMggMT6+FLyo
--> |-:8x-grease s O3ZB {Q"
-GscWlHRccebYhiGFelYXa+GLLzprQc+k9iS//LY
---- FgB9+ChfVo/svSZ9pgcCv+ZG/edwwIs11tNjCpkHLjg
-��
-Ô»W€%˜D´Ñ¯¯“`›¦{E[&rÕ-îÿ‘×–bMM�€õ[Óˆ=t�.&š„„›_À�Ú

secrets/rekeyed/zackbiene/6917bad7d537d4b0053232a993fdb5a7-home-assistant-secrets.yaml.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 DynNMA XFqNwvTo+KpkJoPd9jYFN2XfCEb/kLGQfeubvcCFSQs
-Zixgkd3zxoyHFqszXWMEoouNIDI3o/RMbkGsTqAZzXg
--> :/[1R6-grease e'6D_ e>ngz4
-8KsUxS4HykfNC6D2O/CVFf6XhRh6OPtjDuuyYyypgGWRAg8Cx3Zzpd5Vjxp8bQHh
-T5Ih+xXlZa6ilkbd3A9Wm2adrdHBdbMFFmWgAKYjQQ
---- XDQWFwbDpKtM5swe0W42WNd0IGRIEolRdXJ0OL1SpFk
-ˆîŠÿÞ•¾>ц�ú�©Õ°bÐSÃâÍ«ÄŠ…ž Ü¶ÁZÔb·¡\v<‚ÙÇõ^‰™‰·R	æH”„ ÀŠ€�ö-³jšÜ«ïPø'$ãjƈWÌè*—-S«+QÜåš%Àˆq‘?ALRŽU!Uo¦2õQXê£Ð¼±½×ùjË	Ö”wî)½þ/Ì4òê“Žº€MÂÅ“g`«:»˜nl£Ú!Ӌ˲÷[Až�‹*.„d+À

secrets/rekeyed/zackbiene/71daa67a131fadb64673a2ee99b6bd9e-wireguard-proxy-sentinel-psks-sentinel+zackbiene.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 DynNMA u4AEzCigYB0NoNbhsNP4tICYl/P7UMB7t7Ck+tt8kTs
-EG7+IzCrSjfJx9m1YXX57knrSw5hpox6xtxbNZ2Xbpw
--> `>-grease A!nt\3HR ',ty Q q
-vj9LYGl5kOAPQGE+Cg3HIHzWxqMfRSQVDOJIm89vRmaWd0DnFnLa8zTlzCtM/ktJ
-88mUSEN+d9KdfH1Auq8mj1d3LRCHF1HHCFbnrytlwg/gQGUx
---- X+PWRfD/ySSoblWKP2Fi/OJnksyB1th9bBHzGMlAWSU
-~?ÄþCØ:Â5Øø¼=uo©ØFÝÉrô‚=ìôÀ+ ꑧ·¢žÂåàýÙ1éRŠu5L•4¶¬W„Ê	VÎ/‘aQ¶{xÏÁcÄŽ

secrets/rekeyed/zackbiene/d0f23e19a9316e295461ea6e66c401b7-wireguard-proxy-sentinel-priv-zackbiene.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 DynNMA Sv9A3D5SrVkISNOrSOyZLnBsCVI8S/6A9BRQekWmG0c
-p6TfLZFJK66oATpVtzZ+eU2nvPGgR8Je35Gp5EestGQ
--> S&-grease Gjr ~x6E
-UUg82dyOhlec/nd33A
---- WeMa6zNNsTCtgAvfS08Tarzjt1XKWK3Dj5v/Uc/abuI
-ÎLtˆ/ïXÕv?3°ò§ÒdŠeé²&Z»Ô=ª%?ÀI/w¢ûÐqÂz8rŠž³‡Û~e„nË;‹FÞÛæ&ütW¹x;󭼚D

secrets/rekeyed/zackbiene/f47d690aad469d096c3857040d7905f2-wireguard-proxy-home-psks-ward+zackbiene.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 DynNMA OszBoMLZTrzxXJ8dO8oCJGw9F2U6HRQKrkI6U2OWY00
+HyuLC64mc40QciTIAh9Wj5YeLkxk3XGTyq9eZ7BDHrY
+-> @2Y^^-grease ~1 SdR3 e%0g.;jM
+yMAB/c4lVnD+c/PKEgHi+sKtwzC/WoRGEseyoRT7e0+dfuExNg
+--- JHzw1xmBmoi4qtwlazCJ23s9W2UBYbCRswB/a2XpCe4
+È2ý\o©¨ôÑ¥56Y¬u¾ü¾�'zŽ@¦ñ÷A8ƒÿv
+»±Š!Ó9ýaéœc¿ø¦ç ‰€³|ÜÿG“tt¡Yq;•«h9

secrets/wireguard/proxy-home/keys/zackbiene.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 31hLfNremLhkbDFT6Z8SvMcgN0J6UHHfnV4kvadAuzo
+bYnLUZpztxdkA0JeRd+A6aqhUZ8Blw8EeDgAFijsGU8
+-> piv-p256 xqSe8Q AqxEjTAlthttVUtPusarKoKcQQsjpW075NUAgHhFxwNM
+ITiV6VF7tRNnEO6KCy35pK9KmSVrLEvPTKOlZXj+KhI
+-> Y_,\|kE-grease K=r$dP
+MNA2sN3rcItZ8j+sBCoxSu5Tdl0EURNxQyP2pLWzHp4Co1zbnzxsPnbbiBY3pvLd
+VnaytjVcoX8NuxlQQeJmK/3xuzOBgfU
+--- 6hp4Z5hE7P0H7/sN51gfH15Jfv9WBBlybObNGWZT76A
+#a¼MiQN{:Öeý�,í”’Ë”h˜äÜBHÖv9Z3JCÍ•Œ˜	oÏ9ùô×L2+zM¢HÕåÛ«M\ÛØCîZÒà|û,ž

secrets/wireguard/proxy-home/keys/zackbiene.pub

@@ -0,0 +1 @@
+vhOgoCnM3IQctN7rQLbBzZBfBYTIZrdFKDsJzissxWY=

secrets/wireguard/proxy-home/psks/ward+zackbiene.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 nIy3GDknvICdU2E9snZDJtZqHxA12c4Aa6/XzzeBDzY
+hEvsVMkP1h/grI/jAViIwtCGTT8fDLp//zPuHawY6XE
+-> piv-p256 xqSe8Q Aryo90NAlU3hI+GRpBnXkTTaskoCaGoMQyptKucQDKHf
+qXtpL/Se74WlOO0hVc59JEeqnM6Aq0m7Iv6u9CA5GJY
+-> 'XN-grease 0%qI5bYt %IlJ{ $
+AxNrd8cVoKomOI38tWGQf2gHE4PSe7k+GwjCPPahkrZybMQUYGWLF5//jdRoECjC
+SIhvUvTPUOnZp+/bYVDTXvrrKdSjmv3QiHZ5c96Uk2Qv6sbMI0s1EG8zeWc
+--- MDRkb3z+qB1Lh27aneTscpE+9xNx7n3CTIIvaZNf+hE
+Aó”A^Ç8XEď¤@|bFjőÁ\gÉë‘ś¬L·MÇŰ-ÔýTwŇEŐ9®rGFńkMM^o�űÍW‘7ÉĘ`H<
2ÚŰ&�×ŮŠ•űčŇ