From 76501362f7beb3f54bcb09e8cf9b1fcf34c81000 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 13 Jan 2024 00:05:25 +0100 Subject: [PATCH] parameterize main nic and dmz bridge interface names firewall some services to particular interfaces --- nixos/modules/data-sharing.nix | 2 +- nixos/modules/networking/default.nix | 28 ++++++++++----- nixos/modules/networking/dmz/default.nix | 2 +- nixos/modules/networking/dmz/dnsmasq.nix | 38 +++++++++++--------- nixos/modules/terraform-database/default.nix | 2 +- 5 files changed, 44 insertions(+), 28 deletions(-) diff --git a/nixos/modules/data-sharing.nix b/nixos/modules/data-sharing.nix index 884cbb8..566260e 100644 --- a/nixos/modules/data-sharing.nix +++ b/nixos/modules/data-sharing.nix @@ -50,7 +50,7 @@ in }; config = lib.mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ + networking.firewall.interfaces.${config.lab.networking.dmzBridgeName}.allowedTCPPorts = [ 2049 # NFS 5432 # PostgeSQL 111 # NFS diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix index de43ae5..d032efe 100644 --- a/nixos/modules/networking/default.nix +++ b/nixos/modules/networking/default.nix @@ -47,6 +47,22 @@ in { The IPv4 address of the DHCP server on the DMZ network. ''; }; + + dmzBridgeName = lib.mkOption { + default = "bridgedmz"; + type = lib.types.str; + description = '' + The name of the DMZ bridge. + ''; + }; + + mainNicNamePattern = lib.mkOption { + default = "en*"; + type = lib.types.str; + description = '' + Pattern to match the name of this machine's main NIC. + ''; + }; }; config = { 
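Review bot: `mainNicNamePattern` is introduced here as a systemd-networkd `[Match] Name=` glob (default `en*`), yet the terraform-database hunk later in this patch uses it as the key of `networking.firewall.interfaces`, where the string becomes a firewall interface name rather than a pattern. As far as I can tell the iptables backend renders that as `-i en*`, and iptables spells interface wildcards with a trailing `+`, so the scoped PostgreSQL rule would most likely match no interface (the nftables backend, if enabled, does accept `*` in `iifname`). The description should state the distinction, e.g. `Glob used for the systemd-networkd [Match] Name of this machine's main NIC; this is not a concrete interface name and must not be used as a firewall interface key.`, and the firewall rule should key on a separate option holding the resolved NIC name (say `mainNicName`, with no glob default) instead of the pattern. `dmzBridgeName` is a concrete name and is fine to use that way in the data-sharing and dmz/default.nix hunks.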
@@ -77,18 +93,14 @@ in { "20-bridgedmz" = { netdevConfig = { Kind = "bridge"; - Name = "bridgedmz"; - # TODO: This does not seem to work? Unsure what the problem is. - # We don't necessary need this though: we simply use DNS as the host. - # MACAddress = lib.mkIf cfg.allowDMZConnectivity "CA:FE:C0:FF:EE:0A"; - # MACAddress = "ca:fe:c0:ff:ee:0a"; + Name = cfg.dmzBridgeName; }; }; }; networks = { "30-main-nic" = { - matchConfig.Name = "en*"; + matchConfig.Name = cfg.mainNicNamePattern; vlan = [ "vlandmz" ]; networkConfig = { @@ -103,12 +115,12 @@ in { networkConfig = { IPv6AcceptRA = false; LinkLocalAddressing = "no"; - Bridge = "bridgedmz"; + Bridge = cfg.dmzBridgeName; }; }; "40-bridgedmz" = { - matchConfig.Name = "bridgedmz"; + matchConfig.Name = cfg.dmzBridgeName; linkConfig.RequiredForOnline = "carrier"; networkConfig = { diff --git a/nixos/modules/networking/dmz/default.nix b/nixos/modules/networking/dmz/default.nix index b8314d4..4a7541e 100644 --- a/nixos/modules/networking/dmz/default.nix +++ b/nixos/modules/networking/dmz/default.nix @@ -21,7 +21,7 @@ in }; config = lib.mkIf cfg.enable { - networking.firewall = { + networking.firewall.interfaces.${config.lab.networking.dmzBridgeName} = { allowedTCPPorts = [ 53 5353 ]; allowedUDPPorts = [ 53 67 5353 ]; }; diff --git a/nixos/modules/networking/dmz/dnsmasq.nix b/nixos/modules/networking/dmz/dnsmasq.nix index e78f9c9..5f68555 100644 --- a/nixos/modules/networking/dmz/dnsmasq.nix +++ b/nixos/modules/networking/dmz/dnsmasq.nix 
@@ -4,34 +4,38 @@ let in { no-resolv = true; - server = [ - dmzRouterIPv4 - "/geokunis2.nl/${dmzDHCPIPv4}" - "/kun.is/${dmzDHCPIPv4}" - ]; local = "/dmz/"; dhcp-fqdn = true; no-hosts = true; expand-hosts = true; domain = "dmz"; dhcp-authoritative = true; - dhcp-range = [ - "192.168.30.50,192.168.30.127,15m" - ]; - dhcp-host = [ - "b8:27:eb:b9:ab:e2,esrom" - "ca:fe:c0:ff:ee:08,maestro,${dockerSwarmInternalIPv4}" - ]; - dhcp-option = [ - "3,${dmzRouterIPv4}" - "option:dns-server,${dmzRouterIPv4}" - ]; ra-param = "*,0,0"; alias = "${publicIPv4},${dockerSwarmInternalIPv4}"; log-dhcp = true; log-queries = true; - # interface-name = "hermes.dmz,ens3"; port = "5353"; + + server = [ + dmzRouterIPv4 + "/geokunis2.nl/${dmzDHCPIPv4}" + "/kun.is/${dmzDHCPIPv4}" + ]; + + dhcp-range = [ + "192.168.30.50,192.168.30.127,15m" + ]; + + dhcp-host = [ + "b8:27:eb:b9:ab:e2,esrom" + "ca:fe:c0:ff:ee:08,maestro,${dockerSwarmInternalIPv4}" + ]; + + dhcp-option = [ + "3,${dmzRouterIPv4}" + "option:dns-server,${dmzRouterIPv4}" + ]; + address = [ "/ns.pizzapim.nl/ns.geokunis2.nl/${dmzDHCPIPv4}" ]; diff --git a/nixos/modules/terraform-database/default.nix b/nixos/modules/terraform-database/default.nix index e13e50e..1b749a1 100644 --- a/nixos/modules/terraform-database/default.nix +++ b/nixos/modules/terraform-database/default.nix @@ -10,7 +10,7 @@ in { }; config = lib.mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ 5432 ]; + networking.firewall.interfaces.${config.lab.networking.mainNicNamePattern}.allowedTCPPorts = [ 5432 ]; services.postgresql = { enable = true;