Diffstat (limited to 'config/networking/services')
-rw-r--r--config/networking/services/dhcp.nix2
-rw-r--r--config/networking/services/dns.nix13
-rw-r--r--config/networking/services/firewall/ruleset.nix14
3 files changed, 18 insertions, 11 deletions
diff --git a/config/networking/services/dhcp.nix b/config/networking/services/dhcp.nix
index 360eb66..e625a4d 100644
--- a/config/networking/services/dhcp.nix
+++ b/config/networking/services/dhcp.nix
@@ -4,7 +4,7 @@ let nets = config.personal.networking.networks;
in {
services.kea.dhcp4 = {
enable = true;
- settings = let subnets = with nets; [ wan iot ];
+ settings = let subnets = with nets; [ wan iot eth0 ];
in {
interfaces-config.interfaces =
builtins.map (network: network.interface) subnets;
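Review bot: The new entry `eth0` on the `subnets` line names a physical NIC while its siblings (`wan`, `iot`, and `lan` in ruleset.nix) name roles, so the network list reads as mixed kinds; if `nets.eth0.interface` is anything other than the literal `eth0`, the key will actively mislead. A role-style key, or at least a comment on this line such as `# eth0: directly attached clients, served DHCP/DNS like iot`, would keep the three services' lists readable. The attribute set `nets.eth0` itself (its `interface` and `subnet`) is not in this diff and is presumably defined alongside `wan`/`iot`; the `settings` let-binding continues outside the hunk.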
diff --git a/config/networking/services/dns.nix b/config/networking/services/dns.nix
index cce2f17..9e70958 100644
--- a/config/networking/services/dns.nix
+++ b/config/networking/services/dns.nix
@@ -7,18 +7,21 @@ in {
settings = {
server = {
module-config = ''"respip validator iterator"'';
- interface =
- [ "127.0.0.1" "${nets.wan.subnet}.1" "${nets.iot.subnet}.1" ];
+ interface = [
+ "127.0.0.1"
+ "${nets.wan.subnet}.1"
+ "${nets.iot.subnet}.1"
+ "${nets.eth0.subnet}.1"
+ ];
access-control = [
"0.0.0.0/0 refuse"
"127.0.0.0/8 allow"
"${nets.wan.subnet}.0/24 allow"
"${nets.iot.subnet}.0/24 allow"
+ "${nets.eth0.subnet}.0/24 allow"
];
};
- rpz = {
- name = "rpz.oisd.nl";
- };
+ rpz = { name = "rpz.oisd.nl"; };
};
};
}
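Review bot: The `.1` listener address and the `/24 allow` netblock are now hand-written for each of the three networks in `interface` and `access-control`, so adding a network means editing two lists here plus dhcp.nix and ruleset.nix; deriving both lists from one network list, as dhcp.nix already does with `builtins.map`, would keep the resolver bound to exactly the subnets it serves. Something like `served = with nets; [ wan iot eth0 ];` then `interface = [ "127.0.0.1" ] ++ map (n: "${n.subnet}.1") served;` and `access-control = [ "0.0.0.0/0 refuse" "127.0.0.0/8 allow" ] ++ map (n: "${n.subnet}.0/24 allow") served;` expresses the intent in one place. The `/24` prefix is an assumption baked into the three-octet `subnet` string; a short comment noting that `subnet` is the first three octets of a /24 would document it.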
diff --git a/config/networking/services/firewall/ruleset.nix b/config/networking/services/firewall/ruleset.nix
index 7184de7..5871385 100644
--- a/config/networking/services/firewall/ruleset.nix
+++ b/config/networking/services/firewall/ruleset.nix
@@ -101,12 +101,14 @@ in {
chains = {
wan_in.rules = with rulesCommon; dns + dhcp + ssh + ssdp;
iot_in.rules = with rulesCommon; dns + dhcp + igmp;
+ eth0_in.rules = with rulesCommon; dns + dhcp;
input = makeBaseChain "filter" "input" {
rules = with rulesCommon;
conntrack + ping + ''
- meta iifname vmap { lo : accept \
- , ${nets.wan.interface} : goto wan_in \
- , ${nets.iot.interface} : goto iot_in }
+ meta iifname vmap { lo : accept \
+ , ${nets.wan.interface} : goto wan_in \
+ , ${nets.iot.interface} : goto iot_in \
+ , ${nets.eth0.interface} : goto eth0_in }
'';
};
iot_wan.rules = rulesCommon.sonos.player-controller;
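Review bot: The new `eth0_in` chain only admits `dns + dhcp`, and `eth0` is absent from the forward-chain vmap in the next hunk, so any traffic from eth0 toward `wan` or `iot` falls through to the forward chain's default verdict, which is outside this hunk (presumably drop, given the explicit per-pair chains). If that isolation is intended, a comment on the `eth0_in` line such as `# eth0 clients get resolver + DHCP from the router only; no forwarding to wan/iot` would save the next reader from checking the forward chain. Unlike `wan_in`, `eth0_in` also omits `ssh`, which is fine but worth the same comment if deliberate. The enclosing `chains` attribute set continues past the hunk.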
@@ -118,8 +120,10 @@ in {
'' + conntrack + ''
meta oifname ${nets.lan.interface} accept
meta iifname . meta oifname vmap \
- { ${nets.wan.interface} . ${nets.iot.interface} : goto wan_iot \
- , ${nets.iot.interface} . ${nets.wan.interface} : goto iot_wan }
+ { ${nets.wan.interface} . ${nets.iot.interface} \
+ : goto wan_iot \
+ , ${nets.iot.interface} . ${nets.wan.interface} \
+ : goto iot_wan }
'';
};
};