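# NixOS networking / edge-proxy module for a public relay host.
#
# What this file shows: public traffic arrives on enp0s4. TCP services are
# accepted by HAProxy and relayed to "framework-server" at 10.100.0.2; UDP
# services (Jitsi media, Enshrouded) are DNATed to that same host. 10.100.0.2 is
# presumably reached over wireguard0 — confirm against the WireGuard config,
# which is not part of this module.
{ ... }: {
  networking = {
    firewall = {
      enable = true;
      # Every port below is exposed on the public interface. Keep this list in
      # step with the HAProxy `bind` lines and the DNAT rules further down so a
      # port is never opened without a listener, or listened on without being
      # opened.
      allowedTCPPorts = [
        80    # HTTP
        443   # HTTPS
        42420 # Vintage Story
        25565 # Minecraft
        1443  # Headscale DERP (tcp)
        25    # Mailserver
        143   # Mailserver
        465   # Mailserver
        587   # Mailserver
        993   # Mailserver
        4190  # Mailserver
        4443  # Jitsi
      ];
      allowedUDPPorts = [
        3478  # Headscale DERP (udp)
        10000 # Jitsi Meet (udp)
        15636 # Enshrouded
      ];
    };

    nftables = {
      enable = true;
      # DNAT for UDP services that arrive on the public interface (enp0s4).
      # nft evaluates rules in order and each port needs its own match.
      # Fix: the second rule previously matched `udp dport 10000` again (a
      # copy-paste of the Jitsi rule), so it was shadowed by the first rule and
      # Enshrouded traffic on 15636/udp — opened in allowedUDPPorts and listed in
      # nat.forwardPorts — was never forwarded. It now matches dport 15636.
      ruleset = ''
        table ip nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
            iifname "enp0s4" udp dport 15636 dnat to 10.100.0.2:15636;
          }
        }
      '';
    };

    nat = {
      enable = true;
      internalInterfaces = [ "enp0s4" ];
      externalInterface = "wireguard0";
      # NOTE(review): NixOS applies forwardPorts to packets entering
      # externalInterface (here wireguard0), not enp0s4; the custom nftables
      # table above is what actually forwards public UDP traffic. Confirm that
      # both mechanisms are intended rather than one being a leftover.
      forwardPorts = [
        { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; }
        { sourcePort = 15636; proto = "udp"; destination = "10.100.0.2:15636"; }
      ];
    };
  };

  services.haproxy = {
    enable = true;
    # Layout: one HTTP frontend on :80 and one multi-port TCP passthrough
    # frontend; both relay to 10.100.0.2. The `server` lines carry no port, so
    # HAProxy connects to the backend on the same port the client used.
    # NOTE(review): `option forwarded` / `option forwardfor` are HTTP-mode
    # options; in the tcp-mode backend HAProxy ignores them (with a config
    # warning), so TCP-relayed services (mail, games, 443) see the relay's
    # address as the client source rather than the real client IP. If the
    # backend needs the original address, that has to be solved on the backend
    # side; otherwise consider dropping the two lines from backend_tcp.
    config = ''
      frontend http
        mode http
        bind :80
        default_backend backend_http

      frontend tcp
        mode tcp
        bind :443
        bind :42420
        bind :25565
        bind :25
        bind :143
        bind :465
        bind :587
        bind :993
        bind :4190
        bind :4443
        default_backend backend_tcp

      backend backend_tcp
        mode tcp
        option forwarded
        option forwardfor if-none
        server framework-server 10.100.0.2

      backend backend_http
        mode http
        option forwarded
        option forwardfor if-none
        server framework-server 10.100.0.2
    '';
  };
}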