From 23e21f4145a73c183c695816caa5fbfc9c2fa1dd Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 20 Jan 2025 15:36:51 +0100
Subject: [PATCH] feat: allow services from home net
---
 hosts/sire/guests/grafana.nix | 4 ++--
 hosts/sire/guests/immich.nix | 4 ++--
 hosts/sire/guests/paperless.nix | 4 ++--
 hosts/sire/guests/samba.nix | 6 ++++--
 hosts/ward/guests/web-proxy.nix | 4 ++--
 hosts/ward/net.nix | 16 +++++++++++++++-
 hosts/zackbiene/home-assistant.nix | 4 ++--
 7 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix
index 5fac840..0548e43 100644
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@@ -146,8 +146,8 @@ in
 proxyWebsockets = true;
 };
 extraConfig = ''
- allow ${globals.net.home-lan.vlans.services.cidrv4};
- allow ${globals.net.home-lan.vlans.services.cidrv6};
+ allow ${globals.net.home-lan.vlans.home.cidrv4};
+ allow ${globals.net.home-lan.vlans.home.cidrv6};
 deny all;
 '';
 };
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index 5eb143e..5f09f24 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -249,8 +249,8 @@ in
 proxy_read_timeout 600s;
 proxy_send_timeout 600s;
 send_timeout 600s;
- allow ${globals.net.home-lan.vlans.services.cidrv4};
- allow ${globals.net.home-lan.vlans.services.cidrv6};
+ allow ${globals.net.home-lan.vlans.home.cidrv4};
+ allow ${globals.net.home-lan.vlans.home.cidrv6};
 deny all;
 '';
 };
diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix
index f4b562c..02c180e 100644
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
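Review bot: The two `+ allow` lines in grafana.nix replace the services-VLAN prefixes instead of adding to them, so any client that still arrives from `vlans.services` (a reverse proxy or a metrics scraper living in that VLAN, if there is one) now falls through to `deny all;`. If that tightening is intended, fine; if the goal is only to open the vhost to the home VLAN as well, keep the two old `allow` lines next to the new ones. Note that nginx `allow`/`deny` matches the immediate peer address, so a request relayed through another proxy is judged by the proxy's address rather than the original client's unless `set_real_ip_from`/`real_ip_header` is configured for this vhost. The same substitution is made in immich.nix, paperless.nix, web-proxy.nix and home-assistant.nix, and the same question applies to each. The enclosing virtualHost attribute set starts and ends outside the hunk.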
@@ -79,8 +79,8 @@ in
 useACMEWildcardHost = true;
 extraConfig = ''
 client_max_body_size 512M;
- allow ${globals.net.home-lan.vlans.services.cidrv4};
- allow ${globals.net.home-lan.vlans.services.cidrv6};
+ allow ${globals.net.home-lan.vlans.home.cidrv4};
+ allow ${globals.net.home-lan.vlans.home.cidrv6};
 deny all;
 '';
 locations."/" = {
diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix
index 31f7560..3f8ca3e 100644
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@@ -179,8 +179,10 @@ in
 # Deny access to all hosts by default.
 "hosts deny" = "0.0.0.0/0";
 # Allow access to local network and TODO: wireguard
- "hosts allow" =
- "${globals.net.home-lan.vlans.services.cidrv4} ${globals.net.home-lan.vlans.services.cidrv6}";
+ "hosts allow" = lib.concatStringsSep " " [
+ globals.net.home-lan.vlans.home.cidrv4
+ globals.net.home-lan.vlans.home.cidrv6
+ ];
 # Don't advertise inaccessible shares to users
 "access based share enum" = "yes";
diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix
index 47bf2ec..d55c39f 100644
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@@ -70,8 +70,8 @@ in
 # is over TLS.
 extraConfig = ''
 proxy_ssl_verify off;
- allow ${globals.net.home-lan.vlans.services.cidrv4};
- allow ${globals.net.home-lan.vlans.services.cidrv6};
+ allow ${globals.net.home-lan.vlans.home.cidrv4};
+ allow ${globals.net.home-lan.vlans.home.cidrv6};
 deny all;
 '';
 };
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index f1f58f7..b983c6b 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
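Review bot: In samba.nix the rewritten `"hosts allow"` list now carries an IPv6 prefix, but the `"hosts deny" = "0.0.0.0/0"` line it pairs with names only an IPv4 range; Samba checks the allow list first, then the deny list, and admits anything matching neither, so a native IPv6 client outside `vlans.home.cidrv6` may not be denied at all — worth verifying, and `"hosts deny" = "ALL"` is the documented catch-all if that is the case. The comment above the new list still says `TODO: wireguard`, so either resolve it or restate the current intent, e.g. `# Allow access from the home VLAN only (TODO: also allow wireguard peers)`. The enclosing attribute set starts and ends outside the hunk.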
@@ -214,13 +214,27 @@
 verdict = "accept";
 };
+ # Allow devices in the home VLAN to talk to any of the services or home devices.
+ access-services = {
+ from = [
+ "vlan-home"
+ ];
+ to = [
+ "vlan-services"
+ "vlan-devices"
+ ];
+ late = true;
+ verdict = "accept";
+ };
+
+ # Allow the services VLAN to talk to our wireguard server
 services-to-local = {
 from = [ "vlan-services" ];
 to = [ "local" ];
 allowedUDPPorts = [ config.wireguard.proxy-home.server.port ];
 };
- # Forward traffic between participants
+ # Forward traffic between wireguard participants
 forward-proxy-home-vpn-traffic = {
 from = [ "proxy-home" ];
 to = [ "proxy-home" ];
diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix
index e2638df..66e7c19 100644
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@@ -176,8 +176,8 @@ in
 proxyWebsockets = true;
 };
 extraConfig = ''
- allow ${globals.net.home-lan.vlans.services.cidrv4};
- allow ${globals.net.home-lan.vlans.services.cidrv6};
+ allow ${globals.net.home-lan.vlans.home.cidrv4};
+ allow ${globals.net.home-lan.vlans.home.cidrv6};
 deny all;
 '';
 };
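Review bot: The new `access-services` rule in net.nix accepts every protocol and port from `vlan-home` to both `vlan-services` and `vlan-devices`, with no `allowedTCPPorts`/`allowedUDPPorts` filter like the neighbouring `services-to-local` rule carries, so the per-guest nginx `allow`/`deny` lists and Samba's `hosts allow` become the only thing gating what home devices reach, and any service on those VLANs without such a list is exposed wholesale. If `vlan-devices` holds less trusted gear, I would scope that leg as its own rule or restrict the ports; at minimum the comment should say the breadth is deliberate, e.g. `# Deliberately unrestricted: per-service access control is enforced on each guest.` I am inferring the rule semantics from the sibling rules in this hunk, and `late = true` is not explained by any visible line, so a short comment on why this rule must be evaluated late would also help. The enclosing rules attribute set starts and ends outside the hunk.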