refactor(access): network interface config

nixos/access/ldap.nix

@@ -7,8 +7,6 @@ let
   inherit (lib.options) mkOption mkEnableOption;
   inherit (lib.modules) mkIf mkMerge;
   inherit (lib.strings) concatMapStringsSep optionalString;
-  inherit (lib.lists) optionals;
-  inherit (config.services) tailscale;
   inherit (config.services.nginx) virtualHosts;
   inherit (config.networking.access) cidrForNetwork localaddrs;
   access = config.services.nginx.access.ldap;
@@ -16,11 +14,7 @@ let
   portSsl = 636;
   allows = let
     mkAllow = cidr: "allow ${cidr};";
-    allowAddresses =
-      cidrForNetwork.loopback.all
-      ++ cidrForNetwork.local.all
-      ++ optionals tailscale.enable cidrForNetwork.tail.all;
-    allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable ''
+    allows = concatMapStringsSep "\n" mkAllow cidrForNetwork.allLocal.all + optionalString localaddrs.enable ''
       include ${localaddrs.stateDir}/*.nginx.conf;
     '';
   in ''

nixos/kyuuto/opl.nix

@@ -42,10 +42,6 @@ in {
       };
       shares.opl = let
         inherit (config.networking.access) cidrForNetwork;
-        localAddrs =
-          cidrForNetwork.loopback.all
-          ++ cidrForNetwork.local.all
-          ++ lib.optionals config.services.tailscale.enable cidrForNetwork.tail.all;
       in
         mkIf cfg.enable {
           comment = "Kyuuto Media OPL";
@@ -58,7 +54,7 @@ in {
             "@kyuuto-peeps"
           ];
           "strict sync" = false;
-          "hosts allow" = localAddrs;
+          "hosts allow" = cidrForNetwork.allLocal.all;
         };
     };
     services.tmpfiles = let

nixos/kyuuto/samba.nix

@@ -4,14 +4,9 @@
   ...
 }: let
   inherit (lib.modules) mkIf mkMerge mkDefault;
-  inherit (lib.lists) optionals;
   inherit (config.networking.access) cidrForNetwork;
   inherit (config) kyuuto;
   cfg = config.services.samba;
-  localAddrs =
-    cidrForNetwork.loopback.all
-    ++ cidrForNetwork.local.all
-    ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all;
   guestUsers = mkIf cfg.guest.enable [cfg.guest.user];
   kyuuto-media = {
     "create mask" = "0664";
@@ -41,7 +36,7 @@ in {
           ["@peeps"]
         ];
         #"guest only" = true;
-        "hosts allow" = localAddrs;
+        "hosts allow" = cidrForNetwork.allLocal.all;
         "acl group control" = true;
         "create mask" = "0664";
         "force directory mode" = "3000";
@@ -61,7 +56,7 @@ in {
           ];
           "read list" = guestUsers;
           "write list" = ["@kyuuto-peeps"];
-          "hosts allow" = localAddrs;
+          "hosts allow" = cidrForNetwork.allLocal.all;
         }
       ];
       kyuuto-library-net = mkMerge [

nixos/nfs.nix

@@ -23,9 +23,7 @@ in {
       mountdPort = mkDefault 4002;
     };
     export = {
-      flagSets = let
-        localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all;
-      in {
+      flagSets = {
         common = [
           "no_subtree_check"
           "anonuid=${toString config.users.users.guest.uid}"
@@ -57,7 +55,7 @@ in {
           "@trusted"
         ];
         tailClients = optionals config.services.tailscale.enable cidrForNetwork.tail.all;
-        localClients = localAddrs ++ flagSets.tailClients;
+        localClients = cidrForNetwork.allLan.all ++ flagSets.tailClients;
         allClients = flagSets.clientGroups ++ flagSets.trustedClients ++ flagSets.localClients;
       };
       root = {

nixos/reisen-ct/internal.nix

@@ -1,48 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
-  inherit (lib.trivial) toHexString;
-  cfg = config.access.internal;
-  offset = 32;
-in {
-  options.access = with lib.types; {
-    internal = {
-      enable = mkEnableOption "eth9";
-      macAddress = mkOption {
-        type = nullOr str;
-        default = null;
-      };
-      vmid = mkOption {
-        type = int;
-      };
-      address4 = mkOption {
-        type = str;
-      };
-      address6 = mkOption {
-        type = str;
-      };
-    };
-  };
-  config.access.internal = {
-    address4 = mkOptionDefault "10.9.1.${toString (cfg.vmid - offset)}";
-    address6 = mkOptionDefault "fd0c::${toHexString (cfg.vmid - offset)}";
-  };
-  config.systemd.network.networks.eth9 = mkIf cfg.enable {
-    mdns.enable = false;
-    name = mkDefault "eth9";
-    matchConfig = {
-      MACAddress = mkIf (cfg.macAddress != null) (mkOptionDefault cfg.macAddress);
-      Type = mkOptionDefault "ether";
-    };
-    linkConfig.RequiredForOnline = mkOptionDefault false;
-    address = mkMerge [
-      ["${cfg.address4}/24"]
-      (mkIf config.networking.enableIPv6 [ "${cfg.address6}/64" ])
-    ];
-    DHCP = "no";
-  };
-}

nixos/reisen-ct/proxmox.nix

@@ -1,9 +1,14 @@
 {
   lib,
+  inputs,
   modulesPath,
+  system,
   ...
 }: let
-  inherit (lib.modules) mkDefault;
+  inherit (inputs.self.lib.lib) unmerged;
+  inherit (lib.modules) mkIf mkMerge mkDefault;
+  inherit (lib.attrsets) mapAttrsToList;
+  inherit (system) proxmox;
 in {
   imports = [
     (modulesPath + "/virtualisation/proxmox-lxc.nix")
@@ -16,4 +21,18 @@ in {
     # nix default is way too big
     GC_INITIAL_HEAP_SIZE = mkDefault "8M";
   };
+
+  proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true;
+
+  systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface: mkIf (interface.enable && interface.networkd.enable) {
+    networks.${interface.name} = unmerged.mergeAttrs interface.networkd.networkSettings;
+  }) proxmox.network.interfaces));
+
+  networking.firewall.interfaces.int = let
+    inherit (proxmox.network.internal) interface;
+  in mkIf (interface != null) {
+    nftables.conditions = [
+      "iifname ${interface.name}"
+    ];
+  };
 }