jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nixformat + firewall rules to port forward qbittorrent

Browse Source
This commit is contained in:
Danilo Reyes
2026-04-01 20:32:31 -06:00
parent 1877ad159e
commit 645b022bcf
7 changed files with 127 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
hosts/vps/configuration.nix
View File

@@ -23,6 +23,7 @@ let
};
ports = {
inherit (config.my.ports) giteaSsh;
inherit (config.my.ports) qbittorrent;
inherit (config.my.ports) ssh;
web = [
80
@@ -33,7 +34,6 @@ let
synapseFederation = config.my.ports.synapseSsl;
};
portsStr = {
giteaSsh = toString ports.giteaSsh;
syncthing = toString ports.syncthing;
synapseFederation = toString ports.synapseFederation;
synapseClient = toString config.my.servers.synapse.port;
@@ -48,6 +48,38 @@ let
ollama = toString config.my.ports.ollama;
comfyui = toString config.my.ports.comfyui;
};
forwardedPorts = [
{
comment = "snat ssh forward";
port = ports.giteaSsh;
proto = "tcp";
}
{
comment = "snat qbittorrent tcp forward";
port = ports.qbittorrent;
proto = "tcp";
}
{
comment = "snat qbittorrent udp forward";
port = ports.qbittorrent;
proto = "udp";
}
];
mkForwardPort =
{ port, proto, ... }:
{
sourcePort = port;
inherit proto;
destination = "${ips.homeServer}:${toString port}";
};
mkSnatRule =
{
comment,
port,
proto,
...
}:
''iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${ips.homeServer}/32 ${proto} dport ${toString port} masquerade comment "${comment}"'';
in
{
imports = [
@@ -99,14 +131,8 @@ in
nat = {
inherit externalInterface;
enable = true;
internalInterfaces = [ "wg0" ];
forwardPorts = [
{
sourcePort = ports.giteaSsh;
proto = "tcp";
destination = "${ips.homeServer}:${portsStr.giteaSsh}";
}
];
internalInterfaces = [ wgInterface ];
forwardPorts = map mkForwardPort forwardedPorts;
};
nftables = {
enable = true;
@@ -115,7 +141,8 @@ in
content = ''
chain postrouting {
type nat hook postrouting priority srcnat;
iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.giteaSsh} masquerade comment "snat ssh forward"
iifname "${wgInterface}" oifname "${externalInterface}" ip saddr ${subnets.wgHomelab} masquerade comment "snat homelab egress"
${lib.concatStringsSep "\n " (map mkSnatRule forwardedPorts)}
}
'';
};
@@ -124,8 +151,15 @@ in
enable = true;
filterForward = true;
checkReversePath = "loose";
allowedTCPPorts = [ ports.ssh ] ++ ports.web;
allowedUDPPorts = [ ports.wg ];
allowedTCPPorts = [
ports.ssh
ports.qbittorrent
]
++ ports.web;
allowedUDPPorts = [
ports.wg
ports.qbittorrent
];
extraForwardRules = ''
iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.syncthing} accept
iifname "${wgInterface}" ip saddr ${ips.homeServer}/32 ip daddr ${subnets.wgFriends} tcp dport ${portsStr.syncthing} accept
@@ -142,6 +176,7 @@ in
iifname "${wgInterface}" ip saddr ${subnets.wgHomelab} ip daddr ${ips.wgWorkstation}/32 tcp dport { ${portsStr.openWebui}, ${portsStr.sillytavern}, ${portsStr.ollama}, ${portsStr.comfyui} } accept
iifname "${wgInterface}" ip saddr ${ips.wgWorkstation}/32 ip daddr ${subnets.wgHomelab} tcp sport { ${portsStr.openWebui}, ${portsStr.sillytavern}, ${portsStr.ollama}, ${portsStr.comfyui} } accept
iifname "${wgInterface}" ip saddr ${subnets.wgHomelab} oifname "${externalInterface}" accept
iifname "${wgInterface}" ip saddr ${subnets.wgFriends} oifname "${externalInterface}" accept
iifname "${wgInterface}" ip saddr ${subnets.wgGuests} oifname "${externalInterface}" accept