Udpate firewall / iptables rules

nixos/hosts/frankfurt-linode-01/firewall.nix

@@ -1,4 +1,11 @@
-{ pkgs, ... }: {
+{ pkgs, ... }: 
+let
+  wg-framework-server = "10.100.0.2";
+  wg-enshrouded       = "10.100.1.2";
+  wg-mailserver       = "10.100.1.3";
+  wg-vintage-story    = "10.100.1.5";
+  wg-rust             = "10.100.1.6";
+in {
   networking = {
     firewall = {
       enable = true;
@@ -29,15 +36,16 @@
 
     nftables = {
       enable = true;
+
+      # iifname "enp0s4" udp dport 15636 dnat to ${wg-enshrouded}:15636;
+      # iifname "enp0s4" udp dport 15637 dnat to ${wg-enshrouded}:15637;
       ruleset = ''
           table ip nat {
             chain PREROUTING {
               type nat hook prerouting priority dstnat; policy accept;
-              iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
-              iifname "enp0s4" udp dport 15636 dnat to 10.100.1.2:15636;
-              iifname "enp0s4" udp dport 15637 dnat to 10.100.1.2:15637;
-              iifname "enp0s4" udp dport 20815 dnat to 10.100.1.3:20815;
-              iifname "enp0s4" udp dport 20816 dnat to 10.100.1.3:20816;
+              iifname "enp0s4" udp dport 10000 dnat to ${wg-framework-server}:10000;
+              iifname "enp0s4" udp dport 20815 dnat to ${wg-rust}:20815;
+              iifname "enp0s4" udp dport 20816 dnat to ${wg-rust}:20816;
             }
           }
       '';
@@ -48,11 +56,11 @@
       internalInterfaces = [ "enp0s4" ];
       externalInterface = "wireguard0";
       forwardPorts =  [
-        { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Jitsi Meet
-        { sourcePort = 15636; proto = "udp"; destination = "10.100.1.2:15636"; } # Enshrouded 
-        { sourcePort = 15637; proto = "udp"; destination = "10.100.1.2:15637"; } # Enshrouded 
-        { sourcePort = 20815; proto = "udp"; destination = "10.100.1.3:20816"; } # Rust
-        { sourcePort = 20816; proto = "udp"; destination = "10.100.1.3:20816"; } # Rust
+        { sourcePort = 10000; proto = "udp"; destination = "${wg-framework-server}:10000"; } # Jitsi Meet
+        # { sourcePort = 15636; proto = "udp"; destination = "${wg-enshrouded}:15636"; } # Enshrouded 
+        # { sourcePort = 15637; proto = "udp"; destination = "${wg-enshrouded}:15637"; } # Enshrouded 
+        { sourcePort = 20815; proto = "udp"; destination = "${wg-rust}:20816"; } # Rust
+        { sourcePort = 20816; proto = "udp"; destination = "${wg-rust}:20816"; } # Rust
       ];
     };
   };
@@ -83,8 +91,8 @@
         mode http
         option forwardfor
         option forwarded
-        # server framework-server 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
-        server framework-server 10.100.0.2 
+        # server framework-server ${wg-framework-server}:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
+        server framework-server ${wg-framework-server} 
         
       frontend tcp
         mode tcp
@@ -97,7 +105,7 @@
         default_backend backend_tcp 
       backend backend_tcp
         mode tcp
-        server framework-server 10.100.0.2
+        server framework-server ${wg-framework-server}
 
       frontend mail 
         mode tcp
@@ -110,7 +118,7 @@
         default_backend backend_mail 
       backend backend_mail
         mode tcp 
-        server mailserver-wg 10.100.1.3
+        server mailserver-wg ${wg-mailserver}
 
       frontend vintage-story
         mode tcp 
@@ -118,7 +126,7 @@
         default_backend backend_vintage-story 
       backend backend_vintage-story
         mode tcp
-        server vintage-story-wg 10.100.1.5
+        server vintage-story-wg ${wg-vintage-story}
 
       frontend rust 
         mode tcp
@@ -127,7 +135,7 @@
         default_backend backend_rust
       backend backend_rust 
         mode tcp 
-        server rust-wg 1.100.1.6
+        server rust-wg ${wg-rust}
     '';
   };