feat(nftables): lan rules

modules/nixos/access.nix

@@ -6,6 +6,7 @@
   inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
   inherit (lib.options) mkOption;
   inherit (lib.lists) optionals;
+  inherit (lib.strings) concatStringsSep;
   inherit (config.services) tailscale avahi;
   inherit (config) networking;
   inherit (networking) hostName;
@@ -83,4 +84,15 @@ in {
       };
     };
   };
+
+  config.networking.firewall = {
+    interfaces.local = {
+      nftables.conditions = [
+        "ip saddr { ${concatStringsSep ", " networking.access.cidrForNetwork.local.v4} }"
+        (mkIf networking.enableIPv6
+          "ip6 saddr { ${concatStringsSep ", " networking.access.cidrForNetwork.local.v6} }"
+        )
+      ];
+    };
+  };
 }

modules/nixos/nftables.nix

@@ -1,6 +1,11 @@
-{ pkgs, lib, config, modulesPath, ... }:
+{ lib, config, ... }:
 
 let
+  inherit (lib) types;
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf;
+  inherit (lib.attrsets) mapAttrsToList;
+  inherit (lib.strings) optionalString concatStringsSep concatMapStringsSep;
   fwcfg = config.networking.firewall;
   cfg = config.networking.nftables;
 
@@ -9,8 +14,8 @@ let
   mkPorts = cond: ports: ranges: action: let
     portStrings = (map (range: "${toString range.from}-${toString range.to}") ranges)
                ++ (map toString ports);
-  in lib.optionalString (portStrings != []) ''
-    ${cond} dport { ${lib.concatStringsSep ", " portStrings} } ${action}
+  in optionalString (portStrings != []) ''
+    ${cond} dport { ${concatStringsSep "," portStrings} } ${action}
   '';
 
   ruleset = ''
@@ -26,17 +31,17 @@ let
         ct state established,related accept
 
         iifname { ${
-          lib.concatStringsSep "," (["lo"] ++ fwcfg.trustedInterfaces)
+          concatStringsSep "," (["lo"] ++ fwcfg.trustedInterfaces)
         } } accept
 
         ${mkPorts "tcp" fwcfg.allowedTCPPorts fwcfg.allowedTCPPortRanges "accept"}
         ${mkPorts "udp" fwcfg.allowedUDPPorts fwcfg.allowedUDPPortRanges "accept"}
 
         ${
-          lib.concatStringsSep "\n" (lib.mapAttrsToList (name: ifcfg:
-              mkPorts "iifname ${name} tcp" ifcfg.allowedTCPPorts ifcfg.allowedTCPPortRanges "accept"
-            + mkPorts "iifname ${name} udp" ifcfg.allowedUDPPorts ifcfg.allowedUDPPortRanges "accept"
-          ) fwcfg.interfaces)
+          concatStringsSep "\n" (mapAttrsToList (name: ifcfg: concatMapStringsSep "\n" (cond:
+              mkPorts "${cond} tcp" ifcfg.allowedTCPPorts ifcfg.allowedTCPPortRanges "accept"
+            + mkPorts "${cond} udp" ifcfg.allowedUDPPorts ifcfg.allowedUDPPortRanges "accept"
+          ) ifcfg.nftables.conditions) fwcfg.interfaces)
         }
 
         # DHCPv6
@@ -58,7 +63,7 @@ let
         type filter hook forward priority filter
         policy ${cfg.forwardPolicy}
 
-        ${lib.optionalString doDocker ''
+        ${optionalString doDocker ''
           oifname docker0 ct state invalid drop
           oifname docker0 ct state established,related accept
           iifname docker0 accept
@@ -69,7 +74,7 @@ let
         counter
       }
     }
-    ${lib.optionalString doDocker ''
+    ${optionalString doDocker ''
       table ip nat {
         chain docker-postrouting {
           type nat hook postrouting priority 10
@@ -79,9 +84,17 @@ let
     ''}
     ${cfg.extraConfig}
   '';
+  interfaceModule = { config, name, ... }: {
+    options = {
+      nftables.conditions = mkOption {
+        type = types.listOf types.str;
+        default = "iifname ${name}";
+      };
+    };
+  };
 
 in {
-  options = with lib; {
+  options = {
     networking.nftables = {
       extraConfig = mkOption {
         type = types.lines;
@@ -116,15 +129,18 @@ in {
         default = true;
       };
     };
+    networking.firewall.interfaces = mkOption {
+      type = types.attrsOf (types.submodule interfaceModule);
+    };
   };
 
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
     networking.firewall.enable = false;
     networking.nftables = {
       inherit ruleset;
     };
 
-    virtualisation.docker = lib.mkIf doDocker {
+    virtualisation.docker = mkIf doDocker {
       extraOptions = "--iptables=false";
     };
   };

nixos/base/ssh.nix

@@ -26,7 +26,10 @@ in with lib; {
       LogLevel = "VERBOSE";
     };
   };
-  networking.firewall.allowedTCPPorts = [publicPort];
+  networking.firewall = {
+    allowedTCPPorts = [publicPort];
+    interfaces.local.allowedTCPPorts = [ 22 ];
+  };
 
   programs.mosh.enable = true;
 }

nixos/home-assistant.nix

@@ -22,7 +22,6 @@ in {
 
   services.home-assistant = {
     enable = mkDefault true;
-    openFirewall = mkDefault true;
     mutableUiConfig = mkDefault true;
     domain = mkDefault "home.${config.networking.domain}";
     config = {

nixos/mosquitto.nix

@@ -30,7 +30,6 @@ in {
     persistence = mkDefault true;
     listeners = [
       {
-        openFirewall = mkDefault true;
         acl = [
           "pattern readwrite #"
         ];

systems/tei/nixos.nix

@@ -1,7 +1,12 @@
 {
+  config,
+  lib,
   meta,
   ...
-}: {
+}: let
+  inherit (lib.modules) mkIf mkMerge;
+  inherit (config.services) kanidm mosquitto home-assistant;
+in {
   imports = let
     inherit (meta) nixos;
   in [
@@ -24,8 +29,19 @@
 
   sops.defaultSopsFile = ./secrets.yaml;
 
-  services.kanidm = {
-    server.openFirewall = true;
+  networking.firewall = {
+    interfaces.local.allowedTCPPorts = mkMerge [
+      (mkIf kanidm.enableServer [
+        kanidm.server.frontend.port
+        (mkIf kanidm.server.ldap.enable kanidm.server.ldap.port)
+      ])
+      (mkIf home-assistant.enable [
+        home-assistant.config.http.server_port
+      ])
+      (mkIf mosquitto.enable (map (listener:
+        listener.port
+      ) mosquitto.listeners))
+    ];
   };
 
   systemd.network.networks.eth0 = {