From e580cd58857751a081eec10324d881bb1c5cda8c Mon Sep 17 00:00:00 2001
From: oddlama
Date: Tue, 18 Feb 2025 14:33:07 +0100
Subject: [PATCH] chore: allow home assistant access from devices VLAN for voice PE
---
 hosts/sausebiene/home-assistant.nix | 7 +++++++
 hosts/ward/net.nix | 16 ++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/hosts/sausebiene/home-assistant.nix b/hosts/sausebiene/home-assistant.nix
index 8096e38..b99d3fc 100644
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
@@ -33,6 +33,11 @@ in
 # network = "internet";
 # };

+ services.matter-server = {
+ enable = true;
+ logLevel = "debug";
+ };
+
 topology.self.services.home-assistant.info = "https://${homeassistantDomain}";
 services.home-assistant = {
 enable = true;
@@ -226,6 +231,8 @@ in
 extraConfig = ''
 allow ${globals.net.home-lan.vlans.home.cidrv4};
 allow ${globals.net.home-lan.vlans.home.cidrv6};
+ allow ${globals.net.home-lan.vlans.devices.cidrv4};
+ allow ${globals.net.home-lan.vlans.devices.cidrv6};
 deny all;
 '';
 };
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index aafc5c2..a45039b 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -171,6 +171,8 @@
 proxy-home.interfaces = [ "proxy-home" ];
 adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
 adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
+ web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ];
+ web-proxy.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6 ];
 samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ];
 samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ];
 scanner-ads-4300n.ipv4Addresses = [
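Review bot: `logLevel = "debug";` in the new `services.matter-server` block reads like a bring-up setting rather than an intended steady state. Debug output from a Matter controller is verbose and may put device or commissioning detail into the journal, though that cannot be confirmed from this hunk. I would set `logLevel = "info";`, or keep debug with a comment such as `# TODO: back to "info" once voice PE pairing works`. The commit subject only mentions VLAN access, so the description should also state that the Matter server is enabled here.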
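Review bot: The two added `allow` lines in the `@@ -226,6 +231,8 @@` hunk admit every address in the devices VLAN to this vhost, while the commit subject names a single consumer (voice PE). If that device has a fixed address, allowing only it keeps the rest of the devices VLAN out, e.g. `allow <VOICE_PE_IPV4>;` (placeholder, not a value from this repository). Otherwise record the reason next to the lines with an nginx comment like `# devices VLAN: needed by Home Assistant Voice PE; HA authentication is the remaining control`. The enclosing `extraConfig` block starts outside the hunk, so the vhost or location it belongs to is not visible here.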
@@ -212,6 +214,20 @@
 verdict = "accept";
 };

+ # Allow access to the web proxy from the devices VLAN
+ access-web-proxy = {
+ from = [
+ "vlan-devices"
+ ];
+ to = [ "web-proxy" ];
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ allowedUDPPorts = [ 443 ];
+ verdict = "accept";
+ };
+
 # Allow the scanner to access samba via SFTP
 access-samba-sftp = {
 from = [ "scanner-ads-4300n" ];
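Review bot: `access-web-proxy` opens TCP 80/443 and UDP 443 from `vlan-devices` to the whole `web-proxy` zone, which presumably fronts more than Home Assistant. If so, the per-vhost `allow`/`deny` lists in nginx become the only thing keeping the devices VLAN away from the other proxied services. It is worth confirming that every other vhost on that proxy ends in an equivalent `deny all;`, and saying so in the rule comment, e.g. `# Allow voice PE (devices VLAN) to reach Home Assistant via the web proxy; other vhosts rely on their nginx allow lists`. If the voice PE only needs HTTPS over TCP, `allowedTCPPorts = [ 443 ];` without the `allowedUDPPorts` entry would be the narrower rule. The trailing `access-samba-sftp` context continues past the end of the hunk.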