# NixOS host module for the public edge of this deployment: host firewall and
# DNAT forwards towards the WireGuard peers, ACME (Cloudflare DNS-01) with the
# credentials coming from sops-nix, and the HAProxy front that owns the
# public ports. The file was collapsed onto one line when captured; the layout
# below is reconstructed, the tokens are unchanged.
{ ... }: {
  networking = {
    firewall = {
      enable = true;
      # TCP ports opened on the host itself (the NixOS firewall's input
      # rules). Everything HAProxy binds below must appear here.
      # NOTE(review): nothing on this page listens on 1443 or 4443 — confirm
      # the DERP / Jitsi services behind them run on this host, otherwise
      # these two entries are needless exposure.
      allowedTCPPorts = [
        80 # HTTP
        443 # HTTPS
        42420 # Vintage Story
        25565 # Minecraft
        1443 # Headscale DERP (tcp)
        25 # Mailserver
        143 # Mailserver
        465 # Mailserver
        587 # Mailserver
        993 # Mailserver
        4190 # Mailserver
        4443 # Jitsi
      ];
      # UDP ports opened on the host. 10000/15636/15637 are also DNAT'ed to
      # WireGuard peers below; these input rules cover traffic addressed to
      # this host, whether the forwarded copy is filtered depends on the
      # firewall's forward policy — worth confirming nothing beyond these
      # three ports can be forwarded.
      allowedUDPPorts = [
        3478 # Headscale DERP (udp)
        10000 # Jitsi Meet (udp)
        15636 # Enshrouded - Game
        15637 # Enshrouded - Query Port
      ];
    };
    nftables = {
      enable = true;
      # Hand-written DNAT rules: UDP arriving on the public NIC (enp0s4) is
      # rewritten to the WireGuard peers that actually run Jitsi (10.100.0.2)
      # and Enshrouded (10.100.1.2). `policy accept` is the normal setting
      # for a nat chain; filtering is not done here.
      # NOTE(review): the same three forwards are declared again in
      # `networking.nat.forwardPorts` below — keep a single definition so a
      # future port change cannot leave a stale forward behind.
      ruleset = ''
        table ip nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
            iifname "enp0s4" udp dport 15636 dnat to 10.100.1.2:15636;
            iifname "enp0s4" udp dport 15637 dnat to 10.100.1.2:15637;
          }
        }
      '';
    };
    nat = {
      enable = true;
      # The interface roles are deliberately inverted from the usual gateway
      # layout: the public NIC is "internal" and the WireGuard tunnel is
      # "external", so forwarded traffic is masqueraded towards the peers and
      # their replies come back through this host. Presumably intentional;
      # confirm.
      internalInterfaces = [ "enp0s4" ];
      externalInterface = "wireguard0";
      # NOTE(review): duplicates the nftables ruleset above, and as far as I
      # recall forwardPorts is matched on externalInterface (wireguard0 here)
      # whereas the ruleset matches enp0s4 — so one of the two sets is the
      # live one and the other is dead or wrong. Verify which and drop the
      # other.
      forwardPorts = [
        {
          sourcePort = 10000;
          proto = "udp";
          destination = "10.100.0.2:10000";
        }
        {
          sourcePort = 15636;
          proto = "udp";
          destination = "10.100.1.2:15636";
        }
        {
          sourcePort = 15637;
          proto = "udp";
          destination = "10.100.1.2:15637";
        }
      ];
    };
  };
  # Cloudflare credentials for the DNS-01 challenge, decrypted at boot by
  # sops-nix from the shared cloudflare.yaml.
  # NOTE(review): the files are owned by haproxy, but it is the ACME client
  # (its own service user) that reads them via credentialFiles; sops-nix
  # secrets are presumably owner-only by default, so confirm that user can
  # actually open them. Also, the email + global API key pair grants full
  # account access — a DNS-scoped API token (lego also accepts one) limits
  # the blast radius if this host is compromised.
  sops.secrets."cloudflare/api_key" = {
    owner = "haproxy";
    sopsFile = ../../../secrets/cloudflare.yaml;
  };
  sops.secrets."cloudflare/email" = {
    owner = "haproxy";
    sopsFile = ../../../secrets/cloudflare.yaml;
  };
  security.acme = {
    acceptTerms = true;
    defaults = {
      # Issued files are group-readable by the proxy, and HAProxy is reloaded
      # after each renewal so it picks up the new certificate.
      group = "haproxy";
      extraLegoFlags = [ "--pem" ]; # combined key+chain file, the form HAProxy's `crt` loads
      reloadServices = [ "haproxy" ];
      email = "albert@sysctl.io";
      dnsProvider = "cloudflare";
      # Paths of the sops-nix secrets above (/var/run is /run on NixOS).
      credentialFiles = {
        CLOUDFLARE_API_KEY_FILE = "/var/run/secrets/cloudflare/api_key";
        CLOUDFLARE_EMAIL_FILE = "/var/run/secrets/cloudflare/email";
      };
    };
    certs = {
      "sysctl.io" = {
        # Must match the `crt` directory in the HAProxy config below.
        directory = "/haproxy/";
        # NOTE(review): verbose ACME client output; turn it off once
        # issuance is known to work so the journal stays readable.
        enableDebugLogs = true;
      };
    };
  };
  services.haproxy = {
    enable = true;
    # Entry point for all public traffic. Review notes on this config:
    # - Port 443 is bound twice: `frontend http` terminates TLS on it and
    #   `frontend tcp` also binds :443 as raw passthrough. Depending on the
    #   HAProxy build this either fails to bind or, with reuseport, splits
    #   incoming connections between the two frontends unpredictably.
    #   Decide which behaviour is wanted and remove the other `bind :443`.
    # - No `global` section is present, so `log global` has no log target
    #   (unless the NixOS module prepends one) and the proxy records no
    #   connections; wire up a log target so sessions on the mail and game
    #   frontends leave a trace.
    # - The `server` lines carry no port, so each backend is reached on the
    #   same port the client used; for backend_http that means plain HTTP to
    #   10.100.0.2:443 after TLS termination — confirm that is intended.
    # - `option forwardfor` / `option forwarded` are HTTP-mode features; in
    #   the tcp-mode sections they do not propagate the client address. The
    #   mail server therefore sees this proxy's IP for every session, which
    #   blunts per-client rate limiting and abuse detection on that side;
    #   PROXY protocol (send-proxy, with the mail server configured to accept
    #   it) is the usual remedy.
    # - `timeout client/server 30s` also governs the long-lived IMAP
    #   sessions on 143/993 (IMAP IDLE); expect those to be cut at 30s.
    config = ''
      defaults
        timeout connect 10s
        timeout client 30s
        timeout server 30s
        maxconn 3000
        log global
      frontend http
        mode http
        bind :80
        bind :443 ssl crt /haproxy
        option forwardfor
        default_backend backend_http
      frontend tcp
        mode tcp
        bind :42420
        bind :25565
        bind :443
        default_backend backend_tcp
      frontend mail
        mode tcp
        bind :25
        bind :143
        bind :465
        bind :587
        bind :993
        bind :4190
        option forwardfor
        default_backend backend_mail
      backend backend_mail
        mode tcp
        option forwarded
        option forwardfor if-none
        server mailserver-wg 10.100.1.3
      backend backend_tcp
        mode tcp
        option forwarded
        option forwardfor if-none
        server framework-server 10.100.0.2
      backend backend_http
        mode http
        option forwarded
        option forwardfor if-none
        server framework-server 10.100.0.2
    '';
  };
}