From ec502b419322ec7221b89f8126a695732793e133 Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Mon, 20 Jan 2025 17:00:59 +0100
Subject: [PATCH] feat: allow scanner to access samba SFTP

---
 globals.nix            |   5 +++++
 hosts/ward/net.nix     |  27 +++++++++++++++++----------
 secrets/global.nix.age | Bin 3347 -> 3372 bytes
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/globals.nix b/globals.nix
index 5fc7706..57e1b83 100644
--- a/globals.nix
+++ b/globals.nix
@@ -62,10 +62,15 @@ in
             cidrv6 = "fd20::/64";
             hosts.ward.id = 1;
             hosts.sire.id = 2;
+            hosts.scanner-ads-4300n = {
+              id = 23;
+              mac = globals.macs.scanner-ads-4300n;
+            };
             hosts.wallbox = {
               id = 40;
               mac = globals.macs.wallbox;
             };
+            # TODO remove once new home-assistant machine is up
             hosts.home-assistant-temp = {
               id = 85;
               mac = globals.macs.home-assistant;
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index b983c6b..96ff4bc 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -173,11 +173,15 @@
       {
         untrusted.interfaces = [ "wan" ];
         proxy-home.interfaces = [ "proxy-home" ];
-        adguardhome.ipv4Addresses = [
-          globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4
+        adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
+        adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
+        samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ];
+        samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ];
+        scanner-ads-4300n.ipv4Addresses = [
+          globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4
         ];
-        adguardhome.ipv6Addresses = [
-          globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6
+        scanner-ads-4300n.ipv6Addresses = [
+          globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6
         ];
       }
       // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
@@ -194,9 +198,7 @@
           "vlan-devices"
           "vlan-guests"
         ];
-        to = [
-          "untrusted"
-        ];
+        to = [ "untrusted" ];
         masquerade = true;
         late = true; # Only accept after any rejects have been processed
         verdict = "accept";
@@ -214,11 +216,16 @@
         verdict = "accept";
       };
 
+      # Allow the scanner to access samba via SFTP
+      access-samba-sftp = {
+        from = [ "scanner-ads-4300n" ];
+        to = [ "samba" ];
+        allowedTCPPorts = [ 22 ];
+      };
+
       # Allow devices in the home VLAN to talk to any of the services or home devices.
       access-services = {
-        from = [
-          "vlan-home"
-        ];
+        from = [ "vlan-home" ];
         to = [
           "vlan-services"
           "vlan-devices"
diff --git a/secrets/global.nix.age b/secrets/global.nix.age
index 2c67dcba3a0ae57993b295ed9cab17a2116787bd..65fa807334a076f77ab4f64848c5cf7cba0ef6ed 100644
GIT binary patch
literal 3372
zcmV+{4b$>rXJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zV?R%~=mNoq(!RCzIF
zY)W}SX+|$dOK(_7O?hZ;c};UpG)!tmO;SNkYfTDxR!cKQSwv@HL}h3>V`pzTZDU1f
zOJ-qHWOFiFPjXUFXjn5%Q#d&@P)!OgJ|J*ub}eu+H8vo4aZ_bDQ6NDubz*5vWJh6j
zICn)+SXxMGHB?nZZBB4xQ(9v+K{-t@PiIq5YF9IOdRhuZW@=DPHcm4|M{qATYi&hL
zIBje>L}X}VWNlhULP|$OdUrTwP)%1!LrDrPJ|HM$S#@eKKrLr-Wnpt=AW%s|UsQ1*
zNq%K^Pd{NGQZyiBB?@9VctmPeVoPW+YB*$UT1hupV{lqZHcM`Ic|}=AQ%q-5b}(2;
zVKr!4azt=)STS@lYe5PvEiE8JZ9yw&Q*?J&cwuK)Sxz@NWK}SFOJQ$kcv)99Lr6<g
zcuh$-Z9#ZBW=RUN*ab-YwRhUZUqua_nq1=!Jaa3o`Mz6$Z(6}aW;d8i1m!4npRMr}
z-QTg@k180tB1LwC5M+a!2dr}}ewrpkADIkTBVg06;A!V>vpi>zAW@F!uYFG4^O0#k
ztC`BYe-uE6((vUdMj&-f3!U}9@l6eT&b-jy@3PdmMhZl=s@+UiDn4x-IcNX90+pK^
zY6oRgx?mx5YE~2ycvabN1kp{IY-O~fX|zY%SJX~<Ne-r&pOYHrTPmR-fzU`T!Ty)J
zl%jKd3kq=#gy%we)>ZOIz>+w=V#K;iMkeO($Mf=1QoFM3H=lns4m$7~YnmZF+Qo<{
z#kr=08+@)MP-m${nC=R*vrXsTM)}z~sUcRkn3rjt9sK2MQ(H2Ia-Zt8>X9XZgW{9L
z@U&}X4o4{M7Mh>&{fp1N_htzmy4NxoMsVLh1rqw7+f_rW7CjzLyV`zDF5#;B;Zyxv
zn+L#PGiha=I*1V!ZqsZf;vTZIuuEoG6}L8IQ4%L#TjM5n@Wl<e-h&vRxRKU&-Y&WB
zIU=d_->ctRi~jdMbgm@@qJrW)!jd1;;1E`(Jxl^tHV8OsdP??^_T}JxiZ;^A#Igdd
zm|a(Kt&7jRh0G741w~DRjAEZNdbG^G#qoIc>9w??T`NOjw=UwKWYT-D5#K^BJeY@(
zfRmrI_+NI7x@%CYF{vxY#IwasJWGUN6jr%JIfGL@!OZg6pAXj1Rs?h0!msrnjw7v$
z@&nlSI(2Xp<cb!h8-^FTE=FY82@Bc4bg2wq((bEn7<T&i=vLve!eLNJ#$e8atU6z~
zb0syHME_5z8WibCul(pqX6a_N732Z5O_LEUj?6NAy)+BK^eYb_ERVZFCH(_%?Zg-H
z6;y)+*GrF97xPR4Vt^cmfsx0rood(mYgMiiQqVC|a(Ia~0iQqvpZOapNf@F*7N@&W
zKiV&-$0hgJ=7>A<0h5f95DYK-cFYU(lrj<fO^~-AwD#U3ul>pa&QXUkDBuX6=t8(E
z{^Kvy;U2}7x*MVOUWDbPpMkP<ORXd--GlF(7D#m=C<|8+z>RymQjV_0-NfEr5b*Z~
z_B`ZP#?-_4`17${#lMIe=pBRDANVLQ_I)tQvmcQ9sP5u6@+-U21OpsMy$MH4n^l2^
z8@<rvWRAJWR8VLYH|eAmvjOE%iu6I=`8?W}5=WEUS@5eaHQHo_tNQ2~dwyP?<Gwh=
zhZk5pjBTOreOEySJY^lY;AkD&?<@>U`p8;F#w<$itC{&xh58k%eSI}&K=*eYvHRUw
z46>q4Qd2cSVf8;u52@)#(MSFrT~}j$#B$a%OyNTDpmJ^AOj(BIi}tA~lmCwx8k6op
zjp%lPsi>z&CvIEQNXhjt06fY*GV0CfgRxVD>(>2;0aeH#H>1!izp=ZuP6e0DQc!Xk
zSiviDB|Pegv@Nx{T4Sg7%o0w6l61viIbxyBMo*?l5%oLMX@;e-m#vuaqX%x?_fR>$
zvhg7~O@uqKk7-veUPtp=3c{3$wiJY@KZ44lAY3-W4TwYw{WE;{1vx`SY=x35SyXM3
z?l6MWEHB`ddRnG5NUyLrL)QrUdrmj^uD{x@LasEt!|o{*bPCXr?1BB}7Bpmm*~5gz
zgzmHsL;>aA1Hfx!-2@-U;;~zI^|D)7bygWZ0!y$Qg0Gvr+PRC?cUtbwn?WR}AgT(C
z{ENxv0U1~(T{M}@G;*0|Y~}_`T%v-!&?ye;!45?Vpg2-d^K97Z4^~#=Qk3DB1bR+>
zMTOa<_mlT}^Q$pn?`4mU-~28j+WM^IoGAG&Jysk`lQ!5Pl4m=flWnEGzeEt$&12?!
zxXf@N=KHM+sxXg$HAWzrz@LakCzAz0JDM7Jah?%FIA*@xq9o?ixGxatuXMX3m2r1h
zX^mUE6|##Rwsty8pQZ<5iJ~!@BQAIeqzzZ4+L$?Wc%a#s&CoJn#D8eSD)~t%;?-b6
zK3}4li6Dq(OdkvBagMMHFM3sTYqZP^eycjWS>vXKUJ!k=<1ye#AuVki?xEqtCh^+e
z?>NGk4|?iSoEG;CQGfo~rpf8wpHFrf(pkEa<MO?xOI4@^)+*<C?SzBUj|sn+V{Mdm
zKu^7mrxQ9^WAlJTAMi_-8<LH$WaV4UgRFg49@X?0W<R5@PJ}lLL&yBUjCnIr#E+NZ
zy&Euh#Nr!{Hw_veynBTF7@0@+TA+emhLQR434GnJOu<$Z7%fIs<VM$@emN*?-<re{
zcH+0lJIl#ZokDc)W1VEK#0HhtqP*^5eW7CajOJWbGFI}YM$^&Ghy8r7(5RLTX;~g{
z5UROhP0W??Ms4Vz%<e^Mkmj?>qni;$njl*5ejLMEKc{N>MAR8yh;;nV9*?o<(MS7+
zNUl&OPxS+?UiO*@Vq5@rrO9zjMA;ah6xWs5SDp5K<_~$Zp-J5c<A*^T?XH*SB1y_-
znYpjeI6stf;%qQb509<)R~y{0Ix)bwH!j2W4(of8Q4~-xSolmp??kTEWK0=1bs>C)
zihUzB;oG=3V6>ZdUokUi&BTONJQp2<1;L=%LM6$EK3A4uD|S{sZ0%0f6JncWPP7#<
z9b4NNwnj{zvsMFJTfk-JG*d^SsC1N~qVZ|vXCN*UI#$FX2$*Aj4(8q@wGJ_U7GAw3
zVvjoFD63LwdI5VEM21~)?OnUYuWlDolSvjbLYhIugJnEcZPS7qBlKl90RxN<=snhw
zSN=on4#Y(7WpP704Z8ghh40T;nVAS0AaIGgQlN!0XM+h+L964d{rd*j^V1D;H!-7K
zD_+J0YQ^&TRw#ZZ4-RL>dV(cDZ_{-b$j!zrJ9%Q~myAE6QBv+1Nl1}r{0Ujnof6F-
z=aYZ6X$kR_3VI=cnqSWS6npX)pMnzQ8*0G>jU_P0!Y1c0^%lAoF$Lm4%v*JMrrLex
zwNNwDn@%4!?Px|*6R4j>F@1$9NfLl-TnMPlW15K?oi<QaA|Y<sgYz^pQzwZ`gy{y~
zvAa7fa(d9n34KhFF{Ao6RkA!3|1|X2^G($W^VvD*aJaim{mlv{ue)kh&_1WPlJAp{
z?70)3+~psiJkNG1fpuHp{oLvBeZD5fp2UqM>|G03rbkiEs@8TD>oGSiC5Ijzm;z)e
zO(NTNe<3~~zhmYT(py^;u()Tvt1<ZFnaTSiK{@$>OY5qPuc#>t8@t7>>p%4jR@SZH
ztRPpcFX~6_BO)nMG6X>4xbui1FH3_B4#*u*)YNB~Ih392fvdfZ`u@ekJrlZA1s>=L
zW6y5tvU%3Xfc6b1?^1(lbbk_e+fvL5Yvpui5k}&zQ^}FDwUHd4xHLdNCa=5b(rIFo
z;k9N7VQH{paurUYG$d7`ETHl@dar(u7e4s|$35cb+G$<*k=J&p<5osW?~?*xC}8f>
zM;$E6Yzbe-?<jO144R)0BZOC4K=7+J9^|Y~ireIE8`asc;VuOu`{=AcW3@+ur_Skc
z?o=eL<&k(EKBe1#q)&{nmyiwoo^)j&8YLD_9A;)Sn&D}`pT)&EtH^c+d+QJb@0Q}<
zjlZi=OSRM2Uzoj4K<&_nd%FXEhKPl5i+T=rc7OLo`%paIAso}v15{%)G+KAPP18`I
zX^z#srhaWwYtc8h?}EiswaBIKSM{k(JM5ZP%gFHa6$Giy?Y4GgdX5;8WnQ;J4^v9L
z23HP}aqBkTG``+Sno$0A^>n8&25Kqga^!-XS4=S!F^TQ2Or|rjp?tw*qeL;6im#Ut
z$s<BD>Fbf|lco_ov~Uan)FiMGAx?$<n!3|=y7^D@%H`RWc|JDdTo_3Ji0Et&^AnUK
zpM?^qS?*4COHAE9^I5qI2^`}Va9tG!e4idS72^#AFwq7<%;56DDcS>->Fz53PKVsb
z!St{lQBOx@n({OfQI+$68TVKyjmOZk*1U>G{udO+oD$8=UfQ<{3hz_eW2Q@z(7i=1
CY)J$F

literal 3347
zcmV+u4eat^XJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zVwIYD++bT~yXaZogO
zbY)36Hdke9PgQzMS3z2CW=d`^Q*u;KG*4zyFf<A>LRD!=a9L7gazSNnD{n?MWl=a!
zP<l3ZD@!waT4+^zbW&D9M{`hWN=*taJ|J*ub}eu+H8vo4aZ_bDQ6NEWQE+B5ML~B{
zQBrJ2aX55MXmepTQ*3KiFmr20ad|XIR5dtjX-#Byc4Z21O;SrqM^#EQFfv$9RY^@V
zb3}S8YB*3UK`?q|YcwxWb~raHSwuBdD@6(|J|IJEa(gXja%Ew2WgtdQav&>XS~PPY
zaz#xlGi@^pYgkY;c`z$aL0WoMGg5a_LvVFfXK_?*R7iMrbZSscV?tJXcsXowM`Be<
zQ8`&NK{GjLO?EbTMR0FLXH+;%3Pm|mF?CRQLv~jyHAzEn3N0-yAb3k~azsctaCT8e
zXfIlNVQ4c*ICnNgRZnYXSz>K?X;dpPb9Y8+Mlwx73biW!@dH9blJM;BO50TUezoSo
z=^*{NStAGO0vcabju3Qrf#P#>W*>Z!`0x~amQZEjl!#X$D$)WCq<FiLRvI6}q7eHo
zZFSq;0^GF_CnXeP1ZB73{{I)wY(#^f6V}9!Iyl$;pxw}fCJ=F@2k-1(O;z+Uk+}X!
zT9Uk*093rNugqDXb1ft%GehCY!g1LAU`(g`U+d3fn0Ll7yOex_I2?y)pYW(`^4n}5
ziQ;M&esQ>^`+Jimi_L+W?%1q}u@EnIORb%>%)Jh#6N$>yCxTGLcU`IIYwr^L0O&q^
zBr`?>II~X0g|e)}Xxeg5ZcRT`<!;NHlI_(o0m^;J7h+fr50IExXkF~SBwn_s$4x|~
z{;ZHju1@CBEsO}>qsBfg{?+hUxi5akG`4Vesv*OQ{Uq6K0{j8#a0>djN;h29FXwoC
z@>@5QlswqyTXHuOtB*oz$<s`tfT|YynV9$W&m=1yKGX9s*0A(9|7&#kaQrOnn);MU
z|0A&vztnK&zfo=9Hc~a!tMkjtjqS;l)huVQ4E2)m+5yB}@L)TY-`8Nvpd`BYPYi<P
z${S1{L+Wm}uH&^(P8`N1aL7Il7xzC{vwMuy&TPH9TkL1&IPaK?17=b%ny8*+>|}$-
zv!^X6`M{03RCL7uiN%M+_$qaZaQadFuuGWX(PJ%n)5vnkCJ!BzD~zUx%ga))tfI*R
z#XDOa`|6v?QeQOwR-O*0*^?B*b_`*ot+c(A6G0UBhqz#lw?Uh2cyvn<=tfDnN?|rc
zwZ0N*SkjCUJih|Jrcm-ByFl7#91bxUwLr4r{8%-wDdXwwA?+otx1UTdOUl38U5a(t
zDQa1A02ys%TVVkFW}+vvyavN2iqXQRx0C=Th>0SoWdjb$a`$>G{VCrT@cboBUvOK(
zi*|jVA)xq*!NxK1^KDprHR&rNB(wKo=11_~3a|>Il*!r6bD5fa1<Za{=$E@{R(!(b
zim2x6DhSq9)#nG4yg}$5uBt~5LTFc4tVEDTF4YVSl*$bI*AS_RX7Dk+Zy?d6em0}j
z3ur0eNYV`aUtwFgZgl~i;Q9?_KJL1BXnTLz7rDn4poGPHGQ6~#>{y>6V+4EY({{uY
zgS`So$CGMN9ksLp5o_8qC_j<~fmYt}C8we_9DXt}0B}l`%jtfxBcuUs67bnzvNPfs
zQqN$%>^-_z3^q+I8?4npWWozPs8!#hzL7|1hH-dw@pkA}#R(L@HB2Kvu?h7aE8cHe
zMmjF}Qsi#!4@bf^ew|jCjW&qZ53<iUEO{7u^!Ox$rR-3)k~r3jB4f<BwoV1#`atOU
z;oF|@zA+6ANd2AVq@Dpa$yl}Qf|8H3NsJO`&upt>FK!Pn1+kyTeAQ*V73$lkMK_%>
zdR(H*VQ^l@fGKyX=&6vYk1-7qABF-xVA*cn+4!6eVKCT6%|}D^ppK>WJ=g8#2NjyN
z8b!sYqc7CI|AMUQe6UroYoTdR?Nh|eh32Q5YK9?`s|BAQO9O?j@52{<GAqlqMMm?V
zapGTJw8+e1>6b4Q&n$Z+r)^L0pEN*!38i~Z1RJq&77m${%(9^M2v{~tu}1hF`ld`$
z!JgTXIXo7zokHwjKBvJDvM?*Cc_B#<`Z&q*go-=ncgz!H-PyQuO83w*H=(Ekc-n~@
zRCrL(16@D8Jm%u)7N)+O9W=LZ@8!;sQK4O0DeGzsTy0l~wE|PJ)-lmCsTAA*azz@D
z7}>xWaMOJ)1UAV4ACoJEfunBN@dM60%QFTa0(CZqF=38{VvOzG*S1#2O0wOVQ_P;<
zu3!ulF2*w|hW*e`G{Ng@CKW&qykPA21e`f%9CvCS5OY5I^0eE~zW=C40VXSNSpY}%
z%q-*yzwP7-E|}wql91DawHKp@6ljYW3NPsWm;gdryPTcZ$;Q1K>+Lky;G$PmLiJTT
zS(QlkxlG(}UovY1bY2xB*C(AK!JZAnz*5I_Q~M390Km69n=ZS&v8Lo)H@<X3pX-&d
zUV~37^DFb*szLFagyE`$ZTPlPhOIUL=AoU^O7+D`3Pw-R;MP*}$c|};byc~{Ui=d`
zEveE~BcHfuzp|S3Ud^4y8d{SwlG&=7*aS`b-xy48$6^vp%UmJdg?*6lHgr}0|I0^D
zn&^~x?PAS3BTt6Ou|6`GparV7mk&D0LbGX^7O{%s!NUFA7~xQ!AiC1ZpbHK+bl(Bh
z83B-=NvjfD0%p$N-Qf=ld**UUyRnvm^hYvdZ$4KOY^127p=d6#Y-oiOMc|SblpLz?
z9M70^6BolEtB6=aCKZ>N>Kx7;Dtc<oa^4xamcb(4L{U?Dgv&2lFq@ah<66nj3!^KS
zU8@dtbhqR${_JfO7T3VbN`u|DR@hlkOys>a{XBqE{%Yt{jR!=m-j)8S>`9piz#OW4
zc-W^y!qJPGn?pMCq^W;r!@x5&icyHNvN(KU|0NSjB%5Z>)#}U_(1K<g)>jeu1ktkg
z+jzH^QANq(xCy)bA>8{<&R|gcuSG3K8?>e$qnfzBRrn`^92V0!%IprE9(Kzh4#3U?
z-0|LbTv5>}m+fosTv#zIH88mt=<*u6U%tS|4XAJ+0zz{W?)kZQG5;b~J-~iy{2K6S
zhh?ZhPFVQY(m%WtmL^Y%NrG}gC^1A83BKjN&)p5Th%sJNTk=ud^Xmlbl(x#X1)mX~
zHuv_G;K2%ifj~|i>ve5Cl0r=i5|Q-SG5Fp+G(dXN*57dd+;)2Sn!|LasTjFCPM8}$
z#~_W-#@alTVNM>yRlZ!57TD<7p?sBuo|#{S(m*G=xM;U1Woh%{#$#BRPDgb9)sjrO
zlz)hQvg0ea^5A)#(^*^{0lokYY>rQIoK)03Im(17s~D_i#!}N{--Z8q5lRN&Hwdpl
z{neEsoY6vq7!05DvZJmJB3ySy+(_uYD1_fT29o#7I?!ndlZRnbuXT(2z1?d(E}pK;
zkU#rQL9}k*<FRhoG!N=f&bvHCsM>J}2tipoZOKP-=+Gdmtp7C{^rV}q_!U$aliUk_
zcW6At-A%{EW|9eM+52&>!YHn}c_P_QN(na79Tz;`^qjVD_u<yQX7->uHwJy6fdpz9
z63w~uFJFb4GFjN*!k(ivA+LYVR1_N3Qk^6KBBpVOt@}r+NUuOFF2U@R-L<eqFS;gh
zMCn~nn1(FIpdq<dEo*)eQSl}-wr*@_Ji6dZm{$N2U>O1TyLd#+=BMRUU)qctc}7v2
z6P>z;qZ3+zL9dMnxFL@zW`vj0`H=Kc(_-wO3;AaGFUS)ZzIlZQ7^zr?(_XOVoC$OA
zr4z9*r7mDvU^1-CA8cse0vLZu7sELFAZ1htb||ojK&FHF8Jrhwv7CDznCzQe^SRj(
z=Gro17Lls60(RuX8PX;n?E|1ZSAjP9KXM#3%JG=S;O#@u?wRvQ!9E}OcrA2mOXxCE
zM&(R8D`+mRH8YoE-mPM{^cgIQeI1m243ro57q@{M+YU|cT$NXZ7eg0Q>Jo%2CH2oR
zqUgj5hl|#M#8sHtN}pj%W!u0R0Afpf8w|Q4cA5Mbcp-N~q0V`fjpc1LVu&CKi!j8p
z#9pM*!Dw3N@nL<Xj^;V7^e}yCtCNxE<DxMVS(LOt$i*IQoo;)H2VP@a@kINT&M{QK
zIN&Fu$0*y%yC5$*c5q+z*D8g|coC}_EKEQWS+|C*Fu3NS24I?OxYqYkvf7Y}$5%#8
zL^5cXGi2o=ft;|-5sbDdT^szt7DX#~1@BjcO+X=o2<#+R?QV@+qCBXoi5gxl0O)u!
zg6IbH+=!B}6k!u?G^>Lft&sc#Ee9q+-1sK<tCa2EmJ^RZ-E!X<+iJ{+#7mQ~SW0Ro
d8lp1N<lyilP#o@aL%@{Q<Q+>n38Fi%<<hB@Ns#~m