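# Edge host: nftables firewall + DNAT for UDP services, and HAProxy in front
# of hosts reached over the WireGuard tunnel (10.100.x.x). HAProxy terminates
# TLS for HTTP(S) and passes every other listed TCP port straight through.
{ pkgs, ... }:
{
  networking = {
    firewall = {
      enable = true;
      # Each port below is either bound by HAProxy further down, DNATed by the
      # nftables ruleset, or (1443/3478) presumably served on this host directly.
      allowedTCPPorts = [
        80    # HTTP (HAProxy redirects to HTTPS)
        443   # HTTPS
        42420 # Vintage Story
        25565 # Minecraft
        1443  # Headscale DERP (tcp)
        25    # Mailserver
        143   # Mailserver
        465   # Mailserver
        587   # Mailserver
        993   # Mailserver
        4190  # Mailserver
        4443  # Jitsi
      ];
      allowedUDPPorts = [
        3478  # Headscale DERP (udp)
        10000 # Jitsi Meet (udp)
        15636 # Enshrouded - Game
        15637 # Enshrouded - Query Port
      ];
    };

    nftables = {
      enable = true;
      # Hand-written DNAT for the UDP services HAProxy cannot proxy (it is
      # TCP-only). These rules match on ingress from enp0s4, i.e. enp0s4 is
      # treated as the public-facing interface here.
      ruleset = ''
        table ip nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
            iifname "enp0s4" udp dport 15636 dnat to 10.100.1.2:15636;
            iifname "enp0s4" udp dport 15637 dnat to 10.100.1.2:15637;
          }
        }
      '';
    };

    nat = {
      enable = true;
      # NOTE(review): the interface roles here are the reverse of the ruleset
      # above, where enp0s4 is the ingress side. With wireguard0 declared
      # external, the DNAT rules NixOS generates from forwardPorts presumably
      # match packets arriving *from* the tunnel rather than from the internet,
      # so the hand-written rules above appear to be the ones doing the work;
      # what this block seems to contribute is masquerading of those flows as
      # they leave via wireguard0 so replies return through this host. Confirm
      # before changing either side, and consider dropping whichever copy of
      # the DNAT rules turns out to be inert.
      internalInterfaces = [ "enp0s4" ];
      externalInterface = "wireguard0";
      forwardPorts = [
        { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; }
        { sourcePort = 15636; proto = "udp"; destination = "10.100.1.2:15636"; }
        { sourcePort = 15637; proto = "udp"; destination = "10.100.1.2:15637"; }
      ];
    };
  };

  # CA bundle used below to verify the upstream HTTPS backend.
  environment.systemPackages = [ pkgs.cacert ];

  services.haproxy = {
    enable = true;
    config = ''
      global
        # Public listeners: never negotiate TLS < 1.2 (the built-in default
        # depends on the HAProxy version, so pin it explicitly).
        ssl-default-bind-options ssl-min-ver TLSv1.2

      defaults
        timeout connect 10s
        timeout client  30s
        timeout server  30s
        maxconn 3000
        # NOTE(review): no `log` directive is defined in global, so this
        # appears to be a no-op until one is added.
        log global

      # HTTP(S): TLS is terminated here with the wildcard cert and re-encrypted
      # to the upstream, which is verified against the public CA bundle.
      frontend http
        mode http
        bind :80
        bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
        # Plain HTTP only ever redirects, so HSTS on the TLS side is safe for
        # every host served here; 301 lets clients cache the redirect.
        http-request redirect scheme https code 301 unless { ssl_fc }
        http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }
        default_backend backend_http

      backend backend_http
        mode http
        option forwardfor
        option forwarded
        # `sni req.hdr(Host)` makes HAProxy present the client's Host as SNI
        # upstream, and `verify required` rejects the upstream on a failed
        # certificate check rather than silently falling back to plaintext.
        server framework-server 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)

      # Minecraft / Jitsi (TCP passthrough). The server entry carries no port,
      # so HAProxy connects to the same port the client used.
      frontend tcp
        mode tcp
        bind :25565
        bind :4443
        default_backend backend_tcp

      backend backend_tcp
        mode tcp
        server framework-server 10.100.0.2

      # Mail (TCP passthrough, no TLS termination here). NOTE(review): the
      # mail server will see this host's address as the client source unless
      # something else preserves it, which matters for rate limiting and
      # DNSBL checks; `send-proxy` is an option only if the mail server is
      # configured to accept PROXY protocol — confirm before adding it.
      frontend mail
        mode tcp
        bind :25
        bind :143
        bind :465
        bind :587
        bind :993
        bind :4190
        default_backend backend_mail

      backend backend_mail
        mode tcp
        server mailserver-wg 10.100.1.3

      # Vintage Story (TCP passthrough).
      frontend vintage-story
        mode tcp
        bind :42420
        default_backend backend_vintagestory

      backend backend_vintagestory
        mode tcp
        server vintage-story-wg 10.100.1.5
    '';
  };
}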