From ab8ab4921ceaf33b9edd65e8c00cbec13e088532 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Thu, 8 Jun 2023 19:53:20 +0800
Subject: [PATCH] config: add more comments

---
 hosts/plover/modules/hardware/hetzner-cloud-cx21.nix | 4 ++++
 hosts/plover/modules/services/coredns.nix | 4 ++--
 hosts/plover/modules/services/keycloak.nix | 2 +-
 hosts/plover/modules/services/wireguard.nix | 3 +++
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
index 332fbe1f..72b617f2 100644
--- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
+++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
@@ -86,6 +86,8 @@ in
       "20-lan" = with interfaces.internal; {
         matchConfig.Name = lib.concatStringsSep " " internalEthernetInterfaceNames;
+        # Take note of the private subnets set in your Hetzner Cloud instance
+        # (at least for IPv4 addresses)..
         address = [
           "${IPv4.address}/16"
           "${IPv6.address}/64"
@@ -102,8 +104,10 @@ in
           "::1"
         ];
 
+        # Force our own internal domain to be used in the system.
         domains = [ config.networking.fqdn ];
 
+        # Use the gateway to enable resolution of external domains.
         gateway = [
           IPv4.gateway
           IPv6.gateway
diff --git a/hosts/plover/modules/services/coredns.nix b/hosts/plover/modules/services/coredns.nix
index d097c46f..0b7f5030 100644
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
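Review bot: The comment added above `address` tells the reader to "take note" of the Hetzner private subnet without saying what must agree with it, and it ends in a stray double period; the thing that actually has to match the cloud-side setting is the hard-coded `/16` on `"${IPv4.address}/16"`. Suggest `# The /16 must match the CIDR of the private network attached to this instance in Hetzner Cloud (IPv4 side only).` in its place. The hunk header counts six old lines but only five are visible, so one context line appears to have been lost in the page collapse; the enclosing `"20-lan"` attribute set continues outside the hunk.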
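Review bot: The comment added above `gateway` conflates routing with name resolution: a `Gateway=` entry in a systemd-networkd network unit installs a default route, and nothing on these lines touches DNS (the `"::1"` list closing just above is presumably the `dns` setting, but that is inferred since its start is outside the hunk). Suggest `# Default route out of the private network; without it only the /16 is reachable.` instead. The comment above `domains` is likewise stronger than what the option does — `Domains=` adds a search domain for unqualified names rather than forcing anything — so `# Search domain for unqualified names; set to our own FQDN.` would be more accurate. The surrounding attribute set starts and ends outside the hunk.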
@@ -73,8 +73,8 @@ in
   # Setting up the firewall to make less things to screw up in case anything is
   # screwed up.
   networking.firewall.extraInputRules = ''
-    meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers"
-    meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers"
+    meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers and private networks"
+    meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers and private networks"
   '';
 
   # The main DNS server.
diff --git a/hosts/plover/modules/services/keycloak.nix b/hosts/plover/modules/services/keycloak.nix
index 6a0e3b38..9dc1efb3 100644
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@@ -12,7 +12,7 @@ let
   keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username;
   certs = config.security.acme.certs;
-  host = "127.0.0.1";
+  host = "localhost";
 in
 {
   # Hey, the hub for your application sign-in.
diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index f01bb482..82727022 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@@ -27,6 +27,9 @@ in
     filterForward = true;
   };
 
+  # Since we're using systemd-networkd to configure interfaces, we can control
+  # how each interface can handle things such as IP masquerading so no need for
+  # modifying sysctl settings like 'ipv4.ip_forward' or similar.
   systemd.network = {
     wait-online.ignoredInterfaces = [ wireguardIFName ];
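Review bot: The relabelled rules now say queries from "private networks" are accepted, but the only thing deciding who gets through is the content of `allowedIPs` and `allowedIPv6s`, which are built outside this hunk; the nft `comment` is a label in the loaded ruleset, not enforcement, so the private subnet needs to actually be in those lists, and that is the place to document it with `# includes the Hetzner private network so internal hosts can reach this resolver`. Note also that both rules interpolate the list straight into an anonymous set, so an empty list would likely render `ip saddr { }` and make the whole ruleset fail to load — wrapping each rule in `lib.optionalString (allowedIPs != [ ]) "..."` (and the IPv6 twin) avoids a firewall that cannot be applied at all. Exposing port 53 only to an explicit source set is the right shape; keep that set the single source of truth rather than the comment string.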
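Review bot: Replacing `"127.0.0.1"` with `"localhost"` for `host` makes a loopback binding depend on name resolution, and `localhost` can resolve to `::1`, `127.0.0.1`, or both depending on `/etc/hosts` and each consumer's address-family preference. If this value feeds both the Keycloak listen address and a reverse-proxy upstream (its uses are outside the hunk, so this is inferred), the two sides can pick different families and the proxy gets connection refused while Keycloak is listening on the other one. Either keep a literal loopback address or state the reason for the name next to it, e.g. `# "localhost" rather than 127.0.0.1: <reason>` — the intent should be visible where the value is set. The `let` block starts outside the hunk, and one of its seven old lines is not visible on this page.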