refactor(access): network interface config

2026-02-09 20:39:18 -08:00 · 2024-03-23 21:13:01 -07:00 · 2024-03-23 21:13:01 -07:00 · f2fddc1001
commit f2fddc1001
parent ee3834d72a
42 changed files with 466 additions and 189 deletions
--- a/modules/nixos/access.nix
+++ b/modules/nixos/access.nix
@ -77,6 +77,14 @@ in {
          "fe80::/64"
        ];
      };
+      int = {
+        v4 = [
+          "10.9.1.0/24"
+        ];
+        v6 = [
+          "fd0c::/64"
+        ];
+      };
      tail = mkIf tailscale.enable {
        v4 = [
          "100.64.0.0/10"
@ -86,6 +94,24 @@ in {
          "fd7a:115c:a1e0:ab12::/64"
        ];
      };
+      allLan = {
+        v4 = cfg.cidrForNetwork.loopback.v4
+          ++ cfg.cidrForNetwork.local.v4
+          ++ cfg.cidrForNetwork.int.v4;
+        v6 = cfg.cidrForNetwork.loopback.v6
+          ++ cfg.cidrForNetwork.local.v6
+          ++ cfg.cidrForNetwork.int.v6;
+      };
+      allLocal = {
+        v4 = mkMerge [
+          cfg.cidrForNetwork.allLan.v4
+          (mkIf tailscale.enable cfg.cidrForNetwork.tail.v4)
+        ];
+        v6 = mkMerge [
+          cfg.cidrForNetwork.allLan.v6
+          (mkIf tailscale.enable cfg.cidrForNetwork.tail.v6)
+        ];
+      };
    };
    localaddrs = {
      nftablesInclude = mkBefore (''
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@ -7,7 +7,7 @@
  cfg = config.services.home-assistant;
  inherit (lib.modules) mkIf mkMerge mkBefore mkDefault mkOptionDefault;
  inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.lists) optional optionals elem unique;
+  inherit (lib.lists) optional elem unique;
  inherit (lib.strings) toLower;
 in {
  options.services.home-assistant = with lib.types; {
@ -118,9 +118,7 @@ in {
          trusted_proxies = let
            inherit (config.networking.access) cidrForNetwork;
          in
-            cidrForNetwork.loopback.all
-            ++ cidrForNetwork.local.all
-            ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all
+            cidrForNetwork.allLocal.all
            ++ [
              "200::/7"
            ];
--- a/modules/nixos/network/namespace.nix
+++ b/modules/nixos/network/namespace.nix
@ -9,11 +9,10 @@
  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkDefault mkOptionDefault;
  inherit (lib.attrsets) mapAttrs' mapAttrsToList listToAttrs nameValuePair attrValues;
-  inherit (lib.lists) singleton optional optionals filter concatMap;
+  inherit (lib.lists) singleton optional filter concatMap;
  inherit (lib.strings) concatStringsSep escapeShellArg;
  inherit (utils) escapeSystemdExecArg;
  inherit (inputs.self.lib.lib) unmerged;
-  inherit (config.services) tailscale;
  inherit (config) networking;
  inherit (networking) access;
  enabledNamespaces = filter (ns: ns.enable) (attrValues networking.namespaces);
@ -324,8 +323,8 @@
          ''
        ];
        extraOutput = let
-          addrs4 = access.cidrForNetwork.local.v4 ++ optionals tailscale.enable access.cidrForNetwork.tail.v4;
-          addrs6 = access.cidrForNetwork.local.v6 ++ optionals tailscale.enable access.cidrForNetwork.tail.v6;
+          addrs4 = access.cidrForNetwork.allLocal.v4;
+          addrs6 = access.cidrForNetwork.allLocal.v6;
          daddr4 = ''{ ${concatStringsSep ", " addrs4} }'';
          daddr6 = ''{ ${concatStringsSep ", " addrs6} }'';
        in
--- a/modules/nixos/nginx/local.nix
+++ b/modules/nixos/nginx/local.nix
@ -6,7 +6,6 @@
  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault;
  inherit (lib.strings) concatMapStringsSep optionalString;
-  inherit (lib.lists) optionals;
  inherit (config.services) tailscale;
  inherit (config.networking.access) cidrForNetwork localaddrs;
  mkAddrVar = remoteAddr: varPrefix: ''
@ -29,6 +28,13 @@
    if (${remoteAddr} ~ "^fe80::") {
      set ${varPrefix}lan 1;
    }
+    set ${varPrefix}int 0;
+    if (${remoteAddr} ~ "^10\.9\.1\.[0-9]+") {
+      set ${varPrefix}lan 1;
+    }
+    if (${remoteAddr} ~ "^fd0c::") {
+      set ${varPrefix}int 1;
+    }
    set ${varPrefix}localhost 0;
    if (${remoteAddr} = "::1") {
      set ${varPrefix}localhost 1;
@ -43,6 +49,9 @@
    if (${varPrefix}lan) {
      set ${varPrefix}client 1;
    }
+    if (${varPrefix}int) {
+      set ${varPrefix}client 1;
+    }
    if (${varPrefix}localhost) {
      set ${varPrefix}client 1;
    }
@ -79,12 +88,8 @@
    config = {
      extraConfig = let
        mkAllow = cidr: "allow ${cidr};";
-        allowAddresses =
-          cidrForNetwork.loopback.all
-          ++ cidrForNetwork.local.all
-          ++ optionals tailscale.enable cidrForNetwork.tail.all;
        allows =
-          concatMapStringsSep "\n" mkAllow allowAddresses
+          concatMapStringsSep "\n" mkAllow cidrForNetwork.allLocal.all
          + optionalString localaddrs.enable ''
            include ${localaddrs.stateDir}/*.nginx.conf;
          '';
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
@ -39,6 +39,9 @@
        tailscale = {
          allow = mkEnableOption "tailscale TCP connections";
        };
+        int = {
+          allow = mkEnableOption "internal TCP connections";
+        };
        local = {
          allow = mkEnableOption "local TCP connections";
        };
@ -55,7 +58,8 @@
        in
          mkMerge [
            (mkIf config.authentication.tailscale.allow cidrForNetwork.tail.all)
-            (mkIf config.authentication.local.allow (cidrForNetwork.loopback.all ++ cidrForNetwork.local.all))
+            (mkIf config.authentication.int.allow cidrForNetwork.int.all)
+            (mkIf config.authentication.local.allow cidrForNetwork.local.all)
          ];
        authentication = mkMerge (map (host: ''
            host ${config.authentication.database} ${config.name} ${formatHost host} ${config.authentication.method}