diff --git a/nixos/hosts/frankfurt-linode-01/firewall.nix b/nixos/hosts/frankfurt-linode-01/firewall.nix
index 5503621e..38090239 100644
--- a/nixos/hosts/frankfurt-linode-01/firewall.nix
+++ b/nixos/hosts/frankfurt-linode-01/firewall.nix
@@ -1,4 +1,11 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+let
+ wg-framework-server = "10.100.0.2";
+ wg-enshrouded = "10.100.1.2";
+ wg-mailserver = "10.100.1.3";
+ wg-vintage-story = "10.100.1.5";
+ wg-rust = "10.100.1.6";
+in {
 networking = {
 firewall = {
 enable = true;
@@ -29,15 +36,16 @@
 
 nftables = {
 enable = true;
+
+ # iifname "enp0s4" udp dport 15636 dnat to ${wg-enshrouded}:15636;
+ # iifname "enp0s4" udp dport 15637 dnat to ${wg-enshrouded}:15637;
 ruleset = ''
 table ip nat {
 chain PREROUTING {
 type nat hook prerouting priority dstnat; policy accept;
- iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
- iifname "enp0s4" udp dport 15636 dnat to 10.100.1.2:15636;
- iifname "enp0s4" udp dport 15637 dnat to 10.100.1.2:15637;
- iifname "enp0s4" udp dport 20815 dnat to 10.100.1.3:20815;
- iifname "enp0s4" udp dport 20816 dnat to 10.100.1.3:20816;
+ iifname "enp0s4" udp dport 10000 dnat to ${wg-framework-server}:10000;
+ iifname "enp0s4" udp dport 20815 dnat to ${wg-rust}:20815;
+ iifname "enp0s4" udp dport 20816 dnat to ${wg-rust}:20816;
 }
 }
 '';
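Review bot: The new `let` block names five addresses but says nothing about what they are beyond the `wg-` prefix, and `wg-enshrouded` is now referenced only from commented-out lines. A one-line header comment would help a reader, e.g. `# Peer addresses (apparently on the WireGuard overlay behind wireguard0); the same IPs are used by the nftables ruleset, nat.forwardPorts and the haproxy backends below`. The top-level attrset opened by `in {` continues well past the hunk.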
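Review bot: The rule `iifname "enp0s4" udp dport 20815 dnat to ${wg-rust}:20815;` and the `networking.nat.forwardPorts` entry for the same port in the next hunk (`{ sourcePort = 20815; proto = "udp"; destination = "${wg-rust}:20816"; } # Rust`) disagree on the destination port, and the commit carries that discrepancy over from the old hard-coded addresses. One of the two is presumably a copy-paste slip; if 20815 should reach its own port on the peer, the forwardPorts line becomes `destination = "${wg-rust}:20815";`. More broadly, the hand-written `table ip nat` declares the same DNATs that forwardPorts already generates (as I understand it NixOS renders networking.nat through nftables once networking.nftables.enable is set), so two tables act on the same packets and whichever matches first wins; keeping a single declaration would remove this kind of drift. The `ruleset` string is complete within the hunk, but the enclosing `networking` attrset continues past it.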
@@ -48,11 +56,11 @@
 internalInterfaces = [ "enp0s4" ];
 externalInterface = "wireguard0";
 forwardPorts = [
- { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Jitsi Meet
- { sourcePort = 15636; proto = "udp"; destination = "10.100.1.2:15636"; } # Enshrouded
- { sourcePort = 15637; proto = "udp"; destination = "10.100.1.2:15637"; } # Enshrouded
- { sourcePort = 20815; proto = "udp"; destination = "10.100.1.3:20816"; } # Rust
- { sourcePort = 20816; proto = "udp"; destination = "10.100.1.3:20816"; } # Rust
+ { sourcePort = 10000; proto = "udp"; destination = "${wg-framework-server}:10000"; } # Jitsi Meet
+ # { sourcePort = 15636; proto = "udp"; destination = "${wg-enshrouded}:15636"; } # Enshrouded
+ # { sourcePort = 15637; proto = "udp"; destination = "${wg-enshrouded}:15637"; } # Enshrouded
+ { sourcePort = 20815; proto = "udp"; destination = "${wg-rust}:20816"; } # Rust
+ { sourcePort = 20816; proto = "udp"; destination = "${wg-rust}:20816"; } # Rust
 ];
 };
 };
@@ -83,8 +91,8 @@
 mode http
 option forwardfor
 option forwarded
- # server framework-server 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
- server framework-server 10.100.0.2
+ # server framework-server ${wg-framework-server}:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
+ server framework-server ${wg-framework-server}
 
 frontend tcp
 mode tcp
@@ -97,7 +105,7 @@
 default_backend backend_tcp
 backend backend_tcp
 mode tcp
- server framework-server 10.100.0.2
+ server framework-server ${wg-framework-server}
 
 frontend mail
 mode tcp
@@ -110,7 +118,7 @@
 default_backend backend_mail
 backend backend_mail
 mode tcp
- server mailserver-wg 10.100.1.3
+ server mailserver-wg ${wg-mailserver}
 
 frontend vintage-story
 mode tcp
@@ -118,7 +126,7 @@
 default_backend backend_vintage-story
 backend backend_vintage-story
 mode tcp
- server vintage-story-wg 10.100.1.5
+ server vintage-story-wg ${wg-vintage-story}
 
 frontend rust
 mode tcp
@@ -127,7 +135,7 @@
 default_backend backend_rust
 backend backend_rust
 mode tcp
- server rust-wg 1.100.1.6
+ server rust-wg ${wg-rust}
 
 '';
 };