From c495ba70b6b054254d2b17c3de824a6d340d7724 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Fri, 20 Oct 2023 08:46:57 +0200 Subject: [PATCH] enabled retiolum on chungus --- flake.lock | 6 +++--- nixos/machines/chungus/configuration.nix | 2 +- nixos/machines/chungus/hass-mqtt.nix | 3 ++- nixos/machines/chungus/hass.nix | 3 --- nixos/machines/chungus/media-audiobookshelf.nix | 7 +++++-- nixos/machines/chungus/media-share.nix | 3 +++ nixos/machines/chungus/media-tdarr.nix | 7 +++++-- .../machines/chungus/network-tinc-retiolum.nix | 2 +- nixos/machines/cream/tinc_retiolum.nix | 2 -- nixos/modules/services/samba-share.nix | 17 ++++++++--------- 10 files changed, 28 insertions(+), 24 deletions(-) diff --git a/flake.lock b/flake.lock index 9bc1ed3..bbcfa4f 100644 --- a/flake.lock +++ b/flake.lock @@ -988,11 +988,11 @@ }, "retiolum": { "locked": { - "lastModified": 1694786409, - "narHash": "sha256-aYpXy5XnTdF9PV6lEgyNnEsXI9s/ccADHxiV6EKrHH4=", + "lastModified": 1697359200, + "narHash": "sha256-oPSBM9PQzFmuvGxzVyxXIO+EtSmExvbty2GxR4aTsTE=", "owner": "Mic92", "repo": "retiolum", - "rev": "43d5a6ae57ae4a9051724767df133da4064d3461", + "rev": "93480e81f8067792937a2512f212447e77b7babc", "type": "github" }, "original": { diff --git a/nixos/machines/chungus/configuration.nix b/nixos/machines/chungus/configuration.nix index 3fc3205..cb0843d 100644 --- a/nixos/machines/chungus/configuration.nix +++ b/nixos/machines/chungus/configuration.nix @@ -12,7 +12,7 @@ ./network-wireguard.nix ./network-tinc.nix - # ./network-tinc-retiolum.nix # make sure no service is open for this vpn! + ./network-tinc-retiolum.nix # make sure no service is open for this vpn! ./hass.nix ./hass-zigbee2mqtt.nix diff --git a/nixos/machines/chungus/hass-mqtt.nix b/nixos/machines/chungus/hass-mqtt.nix index 8a317d6..fd66888 100644 --- a/nixos/machines/chungus/hass-mqtt.nix +++ b/nixos/machines/chungus/hass-mqtt.nix 
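Review bot: With `./network-tinc-retiolum.nix` now imported, the only thing keeping chungus's services off the retiolum darknet is the comment `# make sure no service is open for this vpn!`, which nothing enforces. Retiolum peers are third-party machines, so any module that still appends to the global `networking.firewall.allowedTCPPorts` / `allowedUDPPorts` (the samba module's new `openPorts` in this same patch does exactly that) exposes its service to every node on the VPN. Consider turning the comment into an assertion next to the import, e.g. `assertions = [{ assertion = lib.subtractLists [ config.networking.retiolum.port ] (config.networking.firewall.allowedTCPPorts ++ config.networking.firewall.allowedUDPPorts) == [ ]; message = "retiolum is enabled on this host: open ports per interface, never globally"; }];` — the tinc port itself (720 in network-tinc-retiolum.nix) is excluded because the retiolum module presumably opens it. This presumes `config` and `lib` are module arguments here, which is outside the hunk, and the `allowed*PortRanges` lists would need the same check.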
@@ -10,6 +10,7 @@ }; # open for tasmota - networking.firewall.allowedTCPPorts = [ 1883 ]; + networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 1883 ]; + networking.firewall.interfaces.wq0.allowedTCPPorts = [ 1883 ]; } diff --git a/nixos/machines/chungus/hass.nix b/nixos/machines/chungus/hass.nix index 116de36..7ca8f8e 100644 --- a/nixos/machines/chungus/hass.nix +++ b/nixos/machines/chungus/hass.nix @@ -10,9 +10,6 @@ }; }; - #networking.firewall.allowedTCPPorts = [ 8123 ]; - #networking.firewall.allowedUDPPorts = [ 8123 ]; - networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8123 ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8123 ]; diff --git a/nixos/machines/chungus/media-audiobookshelf.nix b/nixos/machines/chungus/media-audiobookshelf.nix index 5b48a57..5c47a53 100644 --- a/nixos/machines/chungus/media-audiobookshelf.nix +++ b/nixos/machines/chungus/media-audiobookshelf.nix @@ -10,8 +10,11 @@ in group = group; }; - networking.firewall.allowedTCPPorts = [ port ]; - networking.firewall.allowedUDPPorts = [ port ]; + networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ port ]; + networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ port ]; + + networking.firewall.interfaces.wq0.allowedTCPPorts = [ port ]; + networking.firewall.interfaces.wq0.allowedUDPPorts = [ port ]; systemd.services.audiobookshelf = { enable = true; diff --git a/nixos/machines/chungus/media-share.nix b/nixos/machines/chungus/media-share.nix index 2686f1a..35f9f99 100644 --- a/nixos/machines/chungus/media-share.nix +++ b/nixos/machines/chungus/media-share.nix @@ -1,6 +1,9 @@ { config, ... }: { + networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 445 139 ]; + networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 137 138 ]; + # To set password: # nix-shell -p samba --run "smbpasswd -a media" custom.samba-share.enable = true; 
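Review bot: The new rule names interface `wq0`, while hass.nix in the same patch uses `wg0` for the WireGuard interface; if `wq0` is a typo the rule attaches to a non-existent interface and MQTT silently stops being reachable over WireGuard (fail-closed, so not an exposure, but breakage nobody will see in the firewall output). Suggested: `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 1883 ];`. Port 1883 is plaintext MQTT, so the per-interface firewall is the only thing keeping the broker off retiolum; whether the broker also binds only to those interfaces and requires authentication is decided in the block that begins before this hunk and is worth checking at the same time. The same `wq0` spelling appears in media-audiobookshelf.nix and media-tdarr.nix.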
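Review bot: `wq0` here differs from the `wg0` interface used in hass.nix; unless a `wq0` interface really exists on this host, the two wq0 lines match nothing and audiobookshelf is unreachable over WireGuard. The UDP entries also look carried over from the old global rules rather than needed — I can see no UDP listener in this file, and an HTTP service only needs TCP — so the four lines could shrink to `networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ port ];` and `networking.firewall.interfaces.wg0.allowedTCPPorts = [ port ];`. The `let … in` attribute set these rules sit in starts before the hunk.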
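Review bot: Restricting SMB/NetBIOS to `enp0s31f6` is the right call on a host that now joins retiolum, but the firewall is the only barrier: unless smb.conf also sets `bind interfaces only = yes` with `interfaces = enp0s31f6` (that is decided inside the samba-share module, not visible here), smbd still listens on the tinc and wg interfaces, and a single future global `allowedTCPPorts` entry re-exposes the share to the darknet. A comment on the new lines would stop the next edit from "simplifying" them back to a global rule: `# LAN-only on purpose: this host is on retiolum, SMB must never be reachable from the VPN interfaces`. If no NetBIOS-era clients remain, 139/137/138 can be dropped and only 445 kept, which also removes the nmbd exposure.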
diff --git a/nixos/machines/chungus/media-tdarr.nix b/nixos/machines/chungus/media-tdarr.nix index 4413f86..6086f9d 100644 --- a/nixos/machines/chungus/media-tdarr.nix +++ b/nixos/machines/chungus/media-tdarr.nix @@ -31,8 +31,11 @@ }; }; - networking.firewall.allowedTCPPorts = [ 8266 ]; - networking.firewall.allowedUDPPorts = [ 8266 ]; + networking.firewall.interfaces.wq0.allowedTCPPorts = [ 8266 ]; + networking.firewall.interfaces.wq0.allowedUDPPorts = [ 8266 ]; + + networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 8266 ]; + networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 8266 ]; services.nginx.virtualHosts."tdarr.${config.networking.hostName}.private" = { serverAliases = [ "tdarr.${config.networking.hostName}" ]; diff --git a/nixos/machines/chungus/network-tinc-retiolum.nix b/nixos/machines/chungus/network-tinc-retiolum.nix index c9b708f..e9bbcf3 100644 --- a/nixos/machines/chungus/network-tinc-retiolum.nix +++ b/nixos/machines/chungus/network-tinc-retiolum.nix @@ -4,7 +4,7 @@ sops.secrets.tinc_retiolum_rsa_key = { }; networking.retiolum.port = 720; - networking.retiolum.nodename = "centari"; + networking.retiolum.nodename = "centauri"; services.tinc.networks.retiolum = { ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path; diff --git a/nixos/machines/cream/tinc_retiolum.nix b/nixos/machines/cream/tinc_retiolum.nix index 416ab56..53a0e42 100644 --- a/nixos/machines/cream/tinc_retiolum.nix +++ b/nixos/machines/cream/tinc_retiolum.nix @@ -7,9 +7,7 @@ networking.retiolum.nodename = "sol"; services.tinc.networks.retiolum = { - ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path; rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path; - }; } diff --git a/nixos/modules/services/samba-share.nix b/nixos/modules/services/samba-share.nix index 9d62911..8d61ab6 100644 --- a/nixos/modules/services/samba-share.nix +++ b/nixos/modules/services/samba-share.nix 
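Review bot: `wq0` does not match the `wg0` interface named in hass.nix, so the two wq0 rules most likely bind to nothing and tdarr is unreachable over WireGuard. Beyond that, the context lines show an nginx virtual host `tdarr.<host>.private` fronting tdarr; opening 8266 directly on enp0s31f6 bypasses that vhost and whatever TLS or access control it adds (outside this hunk), so unless tdarr nodes on other LAN machines need the raw server port, the enp0s31f6 lines can go and tdarr can stay behind nginx. UDP 8266 has no listener I can see in this file and looks carried over from the old global rule. The configuration block that these rules belong to starts before the hunk.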
@@ -8,6 +8,7 @@ in { options.custom.samba-share = { + openPorts = mkEnableOption "open samba ports everywher"; enable = mkEnableOption "enable custom.samba-share"; enableWSDD = mkEnableOption "enable services.samba-wsdd.enable"; guestUser = mkOption { @@ -49,11 +50,6 @@ in (mkIf cfg.enable { - networking.firewall.enable = true; - networking.firewall.allowPing = true; - networking.firewall.allowedTCPPorts = [ 445 139 ]; - networking.firewall.allowedUDPPorts = [ 137 138 ]; - services.samba = { enable = true; # services.samba.securityType = "share"; @@ -106,17 +102,20 @@ in #users.groups.smbguest = { }; }) + # todo : maybe better to have a parameter for this (mkIf config.services.syncthing.enable { users.groups."syncthing".members = [ "smbguest" ]; }) + (mkIf cfg.openPorts { + networking.firewall.allowedTCPPorts = [ 445 139 5357 ]; + networking.firewall.allowedUDPPorts = [ 137 138 3702 ]; + }) + (mkIf cfg.enableWSDD { services.samba-wsdd.enable = true; services.samba-wsdd.discovery = true; - networking.firewall.allowedTCPPorts = [ 5357 ]; - networking.firewall.allowedUDPPorts = [ 3702 ]; - } - ) + }) ]; }
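Review bot: The description of the new `openPorts` option has a typo (`everywher`) and, more importantly, does not say what "everywhere" means on a host with an untrusted VPN: the option adds to the global `networking.firewall.allowed*Ports`, which on a retiolum-attached host like chungus would expose SMB to every darknet peer — the very thing this patch moves the other services away from. Suggest `openPorts = mkEnableOption "opening the Samba (and, with enableWSDD, WSDD) ports on every interface; on hosts attached to an untrusted VPN use networking.firewall.interfaces.<if>.allowed*Ports instead";`. Since `enable` alone no longer opens any port, a sentence in the `enable` description pointing at this option would save the next host from a silently unreachable share.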
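Review bot: The `openPorts` block opens the WSDD ports 5357/3702 even when `enableWSDD` is false, and the `enableWSDD` block no longer opens anything, so a host that enables WSDD without `openPorts` runs a discovery daemon nobody can reach while a host with `openPorts` alone opens two ports with no listener behind them. Tie the WSDD ports to the WSDD option: `networking.firewall.allowedTCPPorts = [ 445 139 ] ++ optional cfg.enableWSDD 5357;` and `networking.firewall.allowedUDPPorts = [ 137 138 ] ++ optional cfg.enableWSDD 3702;` (`optional` assumes the `with lib;` that the bare `mkIf` suggests; otherwise `lib.optional`). The `# todo` comment above the syncthing entry could be dropped or turned into the option it asks for. The list these entries belong to starts before the first hunk of this file.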