diff --git a/nixos/hosts/frankfurt-linode-01/firewall.nix b/nixos/hosts/frankfurt-linode-01/firewall.nix
index 6152094c..f9977caa 100644
--- a/nixos/hosts/frankfurt-linode-01/firewall.nix
+++ b/nixos/hosts/frankfurt-linode-01/firewall.nix
@@ -3,11 +3,103 @@
 firewall = {
 enable = true;
 allowedTCPPorts = [
+ 80 # HTTP
+ 443 # HTTPS
+ 42420 # Vintage Story
+ 25565 # Minecraft
 1443 # Headscale DERP (tcp)
+ 25 # Mailserver
+ 143 # Mailserver
+ 465 # Mailserver
+ 587 # Mailserver
+ 993 # Mailserver
+ 4190 # Mailserver
+ 4443 # Jitsi
 ];
 allowedUDPPorts = [
 3478 # Headscale DERP (udp)
+ 10000 # Jitsi Meet (udp)
+ 15636 # Enshrouded - Game
+ 15637 # Enshrouded - Query Port
+ ];
+ };
+
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table ip nat {
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
+ iifname "enp0s4" udp dport 15636 dnat to 10.100.1.2:15636;
+ iifname "enp0s4" udp dport 15637 dnat to 10.100.1.2:15637;
+ }
+ }
+ '';
+ };
+
+ nat = {
+ enable = true;
+ internalInterfaces = [ "enp0s4" ];
+ externalInterface = "wireguard0";
+ forwardPorts = [
+ { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; }
+ { sourcePort = 15636; proto = "udp"; destination = "10.100.1.2:15636"; }
+ { sourcePort = 15637; proto = "udp"; destination = "10.100.1.2:15637"; }
 ];
 };
 };
+
+ services.haproxy = {
+ enable = true;
+ config = ''
+ defaults
+ timeout connect 10s
+ timeout client 30s
+ timeout server 30s
+ maxconn 3000
+ log global
+
+ frontend http
+ mode http
+ bind :80
+ default_backend backend_http
+
+ frontend tcp
+ mode tcp
+ bind :42420
+ bind :25565
+ bind :4443
+ bind :443
+ default_backend backend_tcp
+
+ frontend mail
+ mode tcp
+ bind :25
+ bind :143
+ bind :465
+ bind :587
+ bind :993
+ bind :4190
+ default_backend backend_mail
+
+ backend backend_mail
+ mode tcp
+ option forwarded
+ option forwardfor if-none
+ server mailserver-wg 10.100.1.3
+
+ backend backend_tcp
+ mode tcp
+ option forwarded
+ option forwardfor if-none
+ server framework-server 10.100.0.2
+
+ backend backend_http
+ mode http
+ option forwarded
+ option forwardfor if-none
+ server framework-server 10.100.0.2
+ '';
+ };
 }
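Review bot: The `backend_mail` and `backend_tcp` backends run in `mode tcp`, where `option forwarded` and `option forwardfor if-none` do nothing (HAProxy only injects those headers in HTTP mode and, as far as I recall, warns that they are ignored), so the mail server on 10.100.1.3 and the TLS services on 10.100.0.2 will see every connection as originating from this host's WireGuard address rather than the real client. That defeats per-client rate limiting, fail2ban-style banning and meaningful auth logging on the SMTP/IMAP/Sieve ports this hunk exposes (25, 143, 465, 587, 993, 4190). If the backends can accept the PROXY protocol, change the server lines to `server mailserver-wg 10.100.1.3 send-proxy-v2` and `server framework-server 10.100.0.2 send-proxy-v2` (in backend_tcp only) and enable it on the receiving side (e.g. Postfix `postscreen_upstream_proxy_protocol = haproxy`, Dovecot `haproxy_trusted_networks`); otherwise drop the two ineffective `option` lines and leave a comment that client IPs are not preserved. Separately, `timeout client 30s` / `timeout server 30s` in `defaults` are inactivity timeouts that will cut idle IMAP IDLE sessions and any quiet long-lived TCP session on 443 after 30 s, so the `mail` and `tcp` frontends/backends want something like `timeout client 1h` and `timeout server 1h`. The UDP 10000/15636/15637 DNAT rules also appear twice, once in the hand-written `nftables.ruleset` and again via `networking.nat.forwardPorts`, presumably because the NixOS NAT module keys its DNAT on `externalInterface` (here `wireguard0`, not `enp0s4`); a one-line comment stating which of the two is the effective rule would save the next reader from reconciling them.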
diff --git a/nixos/hosts/frankfurt-linode-01/wireguard.nix b/nixos/hosts/frankfurt-linode-01/wireguard.nix
index 0c784daa..92d4e30d 100644
--- a/nixos/hosts/frankfurt-linode-01/wireguard.nix
+++ b/nixos/hosts/frankfurt-linode-01/wireguard.nix
@@ -29,7 +29,6 @@
 # Wireguard Forwarder
 boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = true;
 "net.ipv4.conf.all.forwarding" = 1;
 "net.ipv4.conf.default.forwarding" = 1;
 };
diff --git a/nixos/hosts/osaka-linode-01/default.nix b/nixos/hosts/osaka-linode-01/default.nix
index 3a71e4e4..9de1aa70 100644
--- a/nixos/hosts/osaka-linode-01/default.nix
+++ b/nixos/hosts/osaka-linode-01/default.nix
@@ -1,4 +1,4 @@
-{ lib, modulesPath, ... }: {
+{ lib, modulesPath, hostname, ... }: {
 imports = [
 (modulesPath + "/profiles/qemu-guest.nix")
 ../../common/services/tailscale-autoconnect.nix
@@ -37,7 +37,8 @@
 networking.useDHCP = lib.mkDefault true;
 time.timeZone = "Asia/Tokyo";
- networking.hostName = "osaka-linode-01";
+ networking.hostName = hostname;
 services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
+ boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
 }
diff --git a/nixos/hosts/osaka-linode-01/wireguard.nix b/nixos/hosts/osaka-linode-01/wireguard.nix
index 0c784daa..92d4e30d 100644
--- a/nixos/hosts/osaka-linode-01/wireguard.nix
+++ b/nixos/hosts/osaka-linode-01/wireguard.nix
@@ -29,7 +29,6 @@
 # Wireguard Forwarder
 boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = true;
 "net.ipv4.conf.all.forwarding" = 1;
 "net.ipv4.conf.default.forwarding" = 1;
 };
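Review bot: The added `boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };` in osaka-linode-01/default.nix only enables IPv4 forwarding, yet the line above it advertises this host as a Tailscale exit node; exit nodes also need IPv6 forwarding or IPv6 traffic from clients using the exit node is dropped (tailscale warns about this at `tailscale up`). Consider `boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; "net.ipv6.conf.all.forwarding" = true; };`. The `hostname` module argument introduced in the first hunk must be supplied via `specialArgs` (or `_module.args`) by the flake/host builder, which is outside this diff; if it is not, evaluation of this host now fails instead of falling back to the old literal. Note that this host's wireguard.nix still sets `net.ipv4.conf.all.forwarding = 1`, which is the same kernel knob, so a short comment on the new line explaining why the exit-node setting lives here rather than next to the WireGuard forwarder would help.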