enabled retiolum on chungus

2023-10-20 08:46:57 +02:00 · 2023-10-20 08:46:57 +02:00 · c495ba70b6
commit c495ba70b6
parent a20f9fe608
10 changed files with 28 additions and 24 deletions
--- a/flake.lock
+++ b/flake.lock
@ -988,11 +988,11 @@
    },
    "retiolum": {
      "locked": {
-        "lastModified": 1694786409,
-        "narHash": "sha256-aYpXy5XnTdF9PV6lEgyNnEsXI9s/ccADHxiV6EKrHH4=",
+        "lastModified": 1697359200,
+        "narHash": "sha256-oPSBM9PQzFmuvGxzVyxXIO+EtSmExvbty2GxR4aTsTE=",
        "owner": "Mic92",
        "repo": "retiolum",
-        "rev": "43d5a6ae57ae4a9051724767df133da4064d3461",
+        "rev": "93480e81f8067792937a2512f212447e77b7babc",
        "type": "github"
      },
      "original": {
--- a/nixos/machines/chungus/configuration.nix
+++ b/nixos/machines/chungus/configuration.nix
@ -12,7 +12,7 @@

    ./network-wireguard.nix
    ./network-tinc.nix
-    # ./network-tinc-retiolum.nix # make sure no service is open for this vpn!
+    ./network-tinc-retiolum.nix # make sure no service is open for this vpn!

    ./hass.nix
    ./hass-zigbee2mqtt.nix
--- a/nixos/machines/chungus/hass-mqtt.nix
+++ b/nixos/machines/chungus/hass-mqtt.nix
@ -10,6 +10,7 @@
  };

  # open for tasmota
-  networking.firewall.allowedTCPPorts = [ 1883 ];
+  networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 1883 ];
+  networking.firewall.interfaces.wq0.allowedTCPPorts = [ 1883 ];

 }
--- a/nixos/machines/chungus/hass.nix
+++ b/nixos/machines/chungus/hass.nix
@ -10,9 +10,6 @@
    };
  };

-  #networking.firewall.allowedTCPPorts = [ 8123 ];
-  #networking.firewall.allowedUDPPorts = [ 8123 ];
-
  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8123 ];
  networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8123 ];

--- a/nixos/machines/chungus/media-audiobookshelf.nix
+++ b/nixos/machines/chungus/media-audiobookshelf.nix
@ -10,8 +10,11 @@ in
    group = group;
  };

-  networking.firewall.allowedTCPPorts = [ port ];
-  networking.firewall.allowedUDPPorts = [ port ];
+  networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ port ];
+  networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ port ];
+
+  networking.firewall.interfaces.wq0.allowedTCPPorts = [ port ];
+  networking.firewall.interfaces.wq0.allowedUDPPorts = [ port ];

  systemd.services.audiobookshelf = {
    enable = true;
--- a/nixos/machines/chungus/media-share.nix
+++ b/nixos/machines/chungus/media-share.nix
@ -1,6 +1,9 @@
 { config, ... }:
 {

+  networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 445 139 ];
+  networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 137 138 ];
+
  # To set password:
  # nix-shell -p samba --run "smbpasswd -a media"
  custom.samba-share.enable = true;
--- a/nixos/machines/chungus/media-tdarr.nix
+++ b/nixos/machines/chungus/media-tdarr.nix
@ -31,8 +31,11 @@
    };
  };

-  networking.firewall.allowedTCPPorts = [ 8266 ];
-  networking.firewall.allowedUDPPorts = [ 8266 ];
+  networking.firewall.interfaces.wq0.allowedTCPPorts = [ 8266 ];
+  networking.firewall.interfaces.wq0.allowedUDPPorts = [ 8266 ];
+
+  networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 8266 ];
+  networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 8266 ];

  services.nginx.virtualHosts."tdarr.${config.networking.hostName}.private" = {
    serverAliases = [ "tdarr.${config.networking.hostName}" ];
--- a/nixos/machines/chungus/network-tinc-retiolum.nix
+++ b/nixos/machines/chungus/network-tinc-retiolum.nix
@ -4,7 +4,7 @@
  sops.secrets.tinc_retiolum_rsa_key = { };

  networking.retiolum.port = 720;
-  networking.retiolum.nodename = "centari";
+  networking.retiolum.nodename = "centauri";

  services.tinc.networks.retiolum = {
    ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
--- a/nixos/machines/cream/tinc_retiolum.nix
+++ b/nixos/machines/cream/tinc_retiolum.nix
@ -7,9 +7,7 @@
  networking.retiolum.nodename = "sol";

  services.tinc.networks.retiolum = {
-
    ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
    rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
-
  };
 }
--- a/nixos/modules/services/samba-share.nix
+++ b/nixos/modules/services/samba-share.nix
@ -8,6 +8,7 @@ in
 {

  options.custom.samba-share = {
+    openPorts = mkEnableOption "open samba ports everywher";
    enable = mkEnableOption "enable custom.samba-share";
    enableWSDD = mkEnableOption "enable services.samba-wsdd.enable";
    guestUser = mkOption {
@ -49,11 +50,6 @@ in

    (mkIf cfg.enable {

-      networking.firewall.enable = true;
-      networking.firewall.allowPing = true;
-      networking.firewall.allowedTCPPorts = [ 445 139 ];
-      networking.firewall.allowedUDPPorts = [ 137 138 ];
-
      services.samba = {
        enable = true;
        # services.samba.securityType = "share";
@ -106,17 +102,20 @@ in
      #users.groups.smbguest = { };

    })
+
    # todo : maybe better to have a parameter for this
    (mkIf config.services.syncthing.enable {
      users.groups."syncthing".members = [ "smbguest" ];
    })

+    (mkIf cfg.openPorts {
+      networking.firewall.allowedTCPPorts = [ 445 139 5357 ];
+      networking.firewall.allowedUDPPorts = [ 137 138 3702 ];
+    })
+
    (mkIf cfg.enableWSDD {
      services.samba-wsdd.enable = true;
      services.samba-wsdd.discovery = true;
-      networking.firewall.allowedTCPPorts = [ 5357 ];
-      networking.firewall.allowedUDPPorts = [ 3702 ];
-    }
-    )
+    })
  ];
 }