From 7400e2a37760d82296ecd8cddb4e69dffa3476be Mon Sep 17 00:00:00 2001
From: Natsu Kagami
Date: Sun, 9 Jul 2023 17:31:10 +0200
Subject: [PATCH] Add local networking functionality

---
 modules/common/linux/default.nix    | 3 +-
 modules/common/linux/networking.nix | 47 +++++++++++++++++++++++++++++
 nki-home/configuration.nix          | 3 +-
 3 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 modules/common/linux/networking.nix

diff --git a/modules/common/linux/default.nix b/modules/common/linux/default.nix
index b37d909..05afe7a 100644
--- a/modules/common/linux/default.nix
+++ b/modules/common/linux/default.nix
@@ -45,7 +45,7 @@ let
   };
 in
 {
-  imports = with modules; [ adb ios wlr logitech virtualisation ];
+  imports = with modules; [ adb ios wlr logitech virtualisation ] ++ [ ./networking.nix ];
   options.common.linux = {
     enable = mkOption {
@@ -170,6 +170,7 @@ in
   services.resolved.domains = cfg.networking.dnsServers;
   services.resolved.fallbackDns = cfg.networking.dnsServers;
   # Firewall: only open to SSH now
+  networking.nftables.enable = true;
   networking.firewall.allowedTCPPorts = [ 22 ];
   networking.firewall.allowedUDPPorts = [ 22 ];
   # Enable tailscale
diff --git a/modules/common/linux/networking.nix b/modules/common/linux/networking.nix
new file mode 100644
index 0000000..b7ae938
--- /dev/null
+++ b/modules/common/linux/networking.nix
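Review bot: Setting `networking.nftables.enable = true;` in the second hunk switches the entire host firewall to the nftables backend, which the new `firewall.extraInputRules` in networking.nix needs, but it also means any iptables-style `networking.firewall.extraCommands` elsewhere in this configuration will no longer be honored (the NixOS firewall module rejects that combination, if I remember its assertion correctly); worth a grep before merging. The same option is set a second time under `mkIf` inside networking.nix, so one of the two is redundant, and I would keep this unconditional one and say why it is here: `# nftables backend: required for firewall.extraInputRules used by ./networking.nix`. The enclosing attribute set continues outside the hunk.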
@@ -0,0 +1,47 @@
+let
+  localNetworks = { config, lib, pkgs, ... }: with lib; {
+    # Default local networks
+    options.nki.networking = {
+      localNetworks = mkOption {
+        type = types.listOf types.str;
+        description = "A list of known IPv4 local networks";
+      };
+      allowLocalPorts = mkOption {
+        type = types.listOf types.port;
+        default = [ ];
+        description = "Open the following ports in all local networks";
+      };
+    };
+    options.nki.networking.ipv6.localNetworks = mkOption {
+      type = types.listOf types.str;
+      description = "A list of known IPv6 local networks";
+    };
+
+    config.nki.networking.localNetworks = [
+      "11.0.0.0/24" # tinc
+      "100.64.0.0/10" # Headscale
+    ];
+
+    config.nki.networking.ipv6.localNetworks = [
+      "fd7a:115c:a1e0::/48" # Headscale
+    ];
+
+    config.networking = mkIf (config.nki.networking.allowLocalPorts != [ ]) {
+      nftables.enable = true;
+      firewall.extraInputRules =
+        let
+          portsStr = concatMapStringsSep ", " toString config.nki.networking.allowLocalPorts;
+          ip4Str = concatStringsSep ", " config.nki.networking.localNetworks;
+          ip6Str = concatStringsSep ", " config.nki.networking.ipv6.localNetworks;
+        in
+        ''
+          ${if ip4Str == "" then "" else "ip saddr { ${ip4Str} } dport { ${portsStr} } accept"}
+          ${if ip6Str == "" then "" else "ip6 saddr { ${ip6Str} } dport { ${portsStr} } accept"}
+        '';
+    };
+  };
+in
+{ ... }: {
+  imports = [ localNetworks ];
+}
+
diff --git a/nki-home/configuration.nix b/nki-home/configuration.nix
index a528c27..05a5b82 100644
--- a/nki-home/configuration.nix
+++ b/nki-home/configuration.nix
@@ -125,11 +125,10 @@ with lib;
   # Music server
   services.navidrome.enable = true;
   services.navidrome.settings = {
-    Address = "11.0.0.2";
     MusicFolder = "/mnt/Stuff/Music";
   };
   systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = lib.mkAfter [ "/etc" ];
-  networking.firewall.allowedTCPPorts = [ 4533 ];
+  nki.networking.allowLocalPorts = [ 4533 ];
   # Printers
   services.printing.enable = true;
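Review bot: The generated rules `ip saddr { … } dport { … } accept` and `ip6 saddr { … } dport { … } accept` name no transport protocol, so the ports in `allowLocalPorts` are opened for any L4 protocol, whereas the `allowedTCPPorts` entry this module replaces in nki-home/configuration.nix was TCP-only; since the description says "ports" without qualification, either restrict the rule to `tcp dport { ${portsStr} }` (plus a separate `udp dport` line if UDP is ever wanted) or document in the option description that both protocols are opened. A second, related gap: the rules match on source address alone, with no `iifname`, and neither 11.0.0.0/24 nor 100.64.0.0/10 is private address space in the RFC 1918 sense, so a packet carrying one of those sources on the uplink interface is accepted as "local" unless reverse-path filtering or the provider drops it; I cannot see the tunnel interface names from here, but pinning the rules to them (`iifname { <tinc-if>, <tailscale-if> }`) would make the "local networks" claim hold. Finally, `localNetworks` and `ipv6.localNetworks` declare no `default` but are assigned unconditionally below, so a consumer cannot clear them, only extend them; a `default = [ ]` with the current values moved there would let the host config override the list, which is worth a comment either way.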
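Review bot: Dropping `Address = "11.0.0.2";` changes where navidrome listens, and the hunk does not say what it now binds to: it falls back to the NixOS module's default, which I believe is loopback while upstream navidrome defaults to all interfaces, so this should be confirmed. If it is loopback, the new `nki.networking.allowLocalPorts = [ 4533 ];` admits traffic nothing is listening for; if it is all interfaces, isolation from the public interface now rests entirely on the nftables rule in networking.nix, which as written is not bound to an interface. I would pin the bind address explicitly, e.g. `Address = "0.0.0.0"; # reachable only from nki.networking.localNetworks, enforced by the firewall`, or keep a tunnel address if the previous single-network binding was intentional. The surrounding configuration attribute set continues outside the hunk.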