-rw-r--r--machines/biski/default.nix31
-rw-r--r--machines/biski/portforward.nix45
2 files changed, 47 insertions, 29 deletions
diff --git a/machines/biski/default.nix b/machines/biski/default.nix
index d4b33b8..d9944e6 100644
--- a/machines/biski/default.nix
+++ b/machines/biski/default.nix
@@ -10,6 +10,7 @@
./hardware-configuration.nix
# /tmp/etc/nixos/hardware-configuartion.nix
./disko.nix
+ ./portforward.nix
../../modules/users/git.nix
];
@@ -123,36 +124,8 @@
};
# Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [ 25565 25567];
+ # networking.firewall.allowedTCPPorts = [ ... ];
networking.firewall.allowedUDPPorts = [ 10514 ];
- networking.nftables = {
- enable = true;
- ruleset = ''
- table ip nat {
- chain PREROUTING {
- type nat hook prerouting priority dstnat; policy accept;
- iifname "eno1" tcp dport 25565 dnat to 100.64.0.2:25565
- }
- }
- '';
- };
- networking.nat = {
- enable = true;
- internalInterfaces = [ "eno1" ];
- externalInterface = "tailscale0";
- forwardPorts = [
- {
- sourcePort = 25565;
- proto = "tcp";
- destination = "100.64.0.2:25565";
- }
- {
- sourcePort = 25567;
- proto = "tcp";
- destination = "100.64.0.2:25567";
- }
- ];
- };
# Or disable the firewall altogether.
# networking.firewall.enable = false;
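Review bot: Port 25567 is dropped from the forwarding set here while the new portforward.nix forwards 25566 instead; if that substitution is unintended, whatever listened on 25567 silently loses its forward and its firewall opening. The placeholder left at the top of the hunk could say where the configuration went, e.g. `# TCP/UDP port forwards and their firewall openings live in ./portforward.nix`. The `allowedUDPPorts = [ 10514 ]` entry stays in this file while the forwarded ports move, so the firewall's open-port list is now split across two files, which is easy to miss when auditing exposure.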
diff --git a/machines/biski/portforward.nix b/machines/biski/portforward.nix
new file mode 100644
index 0000000..a2fd58a
--- /dev/null
+++ b/machines/biski/portforward.nix
@@ -0,0 +1,45 @@
+{ config, lib, ... }: {
+ networking = let
+ forward_ports = [
+ 25565
+ 25566
+ ];
+ forward_protocols = [ "tcp" "udp" ];
+ internal_ip = "100.64.0.2";
+ in {
+ firewall = {
+ enable = true;
+ allowedUDPPorts = forward_ports;
+ allowedTCPPorts = forward_ports;
+ };
+ nat = {
+ enable = true;
+ internalInterfaces = [ "tailscale0" ];
+ externalInterface = "eno1";
+
+ forwardPorts = builtins.concatLists (
+ lib.lists.forEach forward_protocols (protocol:
+ builtins.concatMap (port: [
+ {
+ destination = "${internal_ip}:${toString port}";
+ proto = protocol;
+ sourcePort = port;
+ }
+ ]) forward_ports
+ )
+ );
+ };
+ nftables = {
+ enable = true;
+ flushRuleset = true;
+ tables.nixos-nat = {
+ family = "ip";
+ content = ''
+ chain post {
+ masquerade
+ }
+ '';
+ };
+ };
+ };
+}
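Review bot: The `chain post { masquerade }` block in `tables.nixos-nat` declares no `type nat hook postrouting priority srcnat;` line, so taken on its own it is a regular chain that nftables never evaluates and the masquerade rule has no effect; it only does something if the NixOS nat module already generates a hooked `post` chain in a table of the same name that this content is merged into, which is worth confirming before relying on it. `forward_protocols = [ "tcp" "udp" ]` together with `allowedTCPPorts`/`allowedUDPPorts = forward_ports` opens and forwards both protocols on both ports, whereas the removed configuration forwarded TCP only; if UDP is not actually served, `forward_protocols = [ "tcp" ];` and dropping the `allowedUDPPorts = forward_ports;` line keeps the exposed surface to what is needed. `flushRuleset = true` replaces every rule on each reload, including any that tailscaled installs for `tailscale0`, so the tunnel's own rules may be missing until it reapplies them. The inner `builtins.concatMap (port: [ { … } ])` wraps each attrset in a singleton list only to flatten it again; a plain `map` over forward_ports yields the same list more directly.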