| author | Devin Finlinson <devin.finlinson@pm.me> | 2026-03-28 16:01:01 -0600 |
|---|---|---|
| committer | Devin Finlinson <devin.finlinson@pm.me> | 2026-03-28 16:01:01 -0600 |
| commit | b956f3ebd611c9354a4138e8dfa5bfbed5a45894 (patch) | |
| tree | 03135dc59e10237abfd2a4ce8669dc90010d3df7 /machines | |
| parent | cf31c63d296c728f5431bf8af0e7df80eb295bca (diff) | |
set up port forwarding module for list of ports
Diffstat (limited to 'machines')
| -rw-r--r-- | machines/biski/default.nix | 31 | ||||
| -rw-r--r-- | machines/biski/portforward.nix | 45 |
2 files changed, 47 insertions, 29 deletions
diff --git a/machines/biski/default.nix b/machines/biski/default.nix
index d4b33b8..d9944e6 100644
--- a/machines/biski/default.nix
+++ b/machines/biski/default.nix
@@ -10,6 +10,7 @@
 
     ./hardware-configuration.nix # /tmp/etc/nixos/hardware-configuartion.nix
     ./disko.nix
+    ./portforward.nix
     ../../modules/users/git.nix
   ];
 
@@ -123,36 +124,8 @@
   };
 
   # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 25565 25567];
+  # networking.firewall.allowedTCPPorts = [ ... ];
   networking.firewall.allowedUDPPorts = [ 10514 ];
-  networking.nftables = {
-    enable = true;
-    ruleset = ''
-      table ip nat {
-        chain PREROUTING {
-          type nat hook prerouting priority dstnat; policy accept;
-          iifname "eno1" tcp dport 25565 dnat to 100.64.0.2:25565
-        }
-      }
-    '';
-  };
-  networking.nat = {
-    enable = true;
-    internalInterfaces = [ "eno1" ];
-    externalInterface = "tailscale0";
-    forwardPorts = [
-      {
-        sourcePort = 25565;
-        proto = "tcp";
-        destination = "100.64.0.2:25565";
-      }
-      {
-        sourcePort = 25567;
-        proto = "tcp";
-        destination = "100.64.0.2:25567";
-      }
-    ];
-  };
 
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
diff --git a/machines/biski/portforward.nix b/machines/biski/portforward.nix
new file mode 100644
index 0000000..a2fd58a
--- /dev/null
+++ b/machines/biski/portforward.nix
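Review bot: The new line `# networking.firewall.allowedTCPPorts = [ ... ];` is a commented-out placeholder sitting under the heading `# Open ports in the firewall.`, so the file now reads as if TCP ports were forgotten rather than moved to ./portforward.nix. A pointer is clearer than dead config: replace it with `# Forwarded TCP/UDP ports are opened in ./portforward.nix; only local-only ports belong here.`.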
@@ -0,0 +1,45 @@
+{ config, lib, ... }: {
+  networking = let
+    forward_ports = [
+      25565
+      25566
+    ];
+    forward_protocols = [ "tcp" "udp" ];
+    internal_ip = "100.64.0.2";
+  in {
+    firewall = {
+      enable = true;
+      allowedUDPPorts = forward_ports;
+      allowedTCPPorts = forward_ports;
+    };
+    nat = {
+      enable = true;
+      internalInterfaces = [ "tailscale0" ];
+      externalInterface = "eno1";
+
+      forwardPorts = builtins.concatLists (
+        lib.lists.forEach forward_protocols (protocol:
+          builtins.concatMap (port: [
+            {
+              destination = "${internal_ip}:${toString port}";
+              proto = protocol;
+              sourcePort = port;
+            }
+          ]) forward_ports
+        )
+      );
+    };
+    nftables = {
+      enable = true;
+      flushRuleset = true;
+      tables.nixos-nat = {
+        family = "ip";
+        content = ''
+          chain post {
+            masquerade
+          }
+        '';
+      };
+    };
+  };
+}
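Review bot: The `chain post { masquerade }` block in `tables.nixos-nat` declares no `type nat hook postrouting priority srcnat;` line, so on its own it is a regular chain that is never evaluated; it presumably only takes effect because it merges into the `post` chain of the same-named table that the `networking.nat` module generates, and that implicit coupling deserves a comment. If it does merge, the bare `masquerade` applies to every packet leaving every interface, so traffic DNAT'd to 100.64.0.2 arrives with this host's tailscale address as source and the target's logs no longer show real client IPs, which weakens per-client rate limiting and abuse tracing on that machine. If the masquerade is there so that replies from 100.64.0.2 route back through this host, narrow it and say so: `# SNAT forwarded traffic so replies return via this host; the target only sees our tailscale IP` followed by `oifname "tailscale0" masquerade`. Separately, `internalInterfaces`/`externalInterface` are swapped relative to the block removed from default.nix (eno1 is now external, matching the old `iifname "eno1"` rule) and 25567 is replaced by 25566; both look intentional, but a one-line comment on each would spare the next reader a trip through `git log`.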
