feat: allow scanner to access samba SFTP

2025-01-20 17:00:59 +01:00 · 2025-01-20 17:00:59 +01:00 · ec502b4193
commit ec502b4193
parent 4d2b186626
3 changed files with 22 additions and 10 deletions
--- a/globals.nix
+++ b/globals.nix
@ -62,10 +62,15 @@ in
            cidrv6 = "fd20::/64";
            hosts.ward.id = 1;
            hosts.sire.id = 2;
+            hosts.scanner-ads-4300n = {
+              id = 23;
+              mac = globals.macs.scanner-ads-4300n;
+            };
            hosts.wallbox = {
              id = 40;
              mac = globals.macs.wallbox;
            };
+            # TODO remove once new home-assistant machine is up
            hosts.home-assistant-temp = {
              id = 85;
              mac = globals.macs.home-assistant;
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -173,11 +173,15 @@
      {
        untrusted.interfaces = [ "wan" ];
        proxy-home.interfaces = [ "proxy-home" ];
-        adguardhome.ipv4Addresses = [
-          globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4
+        adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
+        adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
+        samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ];
+        samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ];
+        scanner-ads-4300n.ipv4Addresses = [
+          globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4
        ];
-        adguardhome.ipv6Addresses = [
-          globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6
+        scanner-ads-4300n.ipv6Addresses = [
+          globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6
        ];
      }
      // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
@ -194,9 +198,7 @@
          "vlan-devices"
          "vlan-guests"
        ];
-        to = [
-          "untrusted"
-        ];
+        to = [ "untrusted" ];
        masquerade = true;
        late = true; # Only accept after any rejects have been processed
        verdict = "accept";
@ -214,11 +216,16 @@
        verdict = "accept";
      };

+      # Allow the scanner to access samba via SFTP
+      access-samba-sftp = {
+        from = [ "scanner-ads-4300n" ];
+        to = [ "samba" ];
+        allowedTCPPorts = [ 22 ];
+      };
+
      # Allow devices in the home VLAN to talk to any of the services or home devices.
      access-services = {
-        from = [
-          "vlan-home"
-        ];
+        from = [ "vlan-home" ];
        to = [
          "vlan-services"
          "vlan-devices"
--- a/secrets/global.nix.age
+++ b/secrets/global.nix.age