nat table

config/jawz.nix

@@ -79,7 +79,6 @@ in
       "galaxy"
       "phone"
       "vps"
-      "windows_vm"
     ];
   };
 }

hosts/server/configuration.nix

@@ -79,6 +79,7 @@ in
           allowedIPs = [
             "${config.my.ips.wg-vps}/32"
             "${config.my.ips.wg-friends}/24" # all friends
+            "${config.my.ips.wg-gs}/24" # all friends
           ];
           persistentKeepalive = 25;
         }

hosts/vps/configuration.nix

@@ -47,11 +47,35 @@ in
     };
   };
   image.modules.linode = { };
-  networking.hostName = "vps";
   services.smartd.enable = lib.mkForce false;
   environment.systemPackages = [ ];
-  networking.nftables.enable = true;
+  networking = {
-  networking.firewall = {
+    hostName = "vps";
+    nat = {
+      inherit externalInterface;
+      enable = true;
+      internalInterfaces = [ "wg0" ];
+      forwardPorts = [
+        {
+          sourcePort = giteaSshPort;
+          proto = "tcp";
+          destination = "${homeServer}:${giteaSshPortStr}";
+        }
+      ];
+    };
+    nftables = {
+      enable = true;
+      tables."vps-snat" = {
+        family = "ip";
+        content = ''
+          chain postrouting {
+            type nat hook postrouting priority srcnat;
+            iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} masquerade comment "snat ssh forward"
+          }
+        '';
+      };
+    };
+    firewall = {
       enable = true;
       filterForward = true;
       checkReversePath = "loose";
@@ -87,17 +111,6 @@ in
         ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
       '';
     };
-  networking.nat = {
-    enable = true;
-    inherit externalInterface;
-    internalInterfaces = [ "wg0" ];
-    forwardPorts = [
-      {
-        sourcePort = giteaSshPort;
-        proto = "tcp";
-        destination = "${homeServer}:${giteaSshPortStr}";
-      }
-    ];
   };
   security.sudo-rs.extraRules = [
     {

modules/modules.nix

@@ -56,12 +56,12 @@ in
         wg-gs = "10.9.0.0";
         wg-g0 = "10.9.0.1";
         wg-g1 = "10.9.0.2";
+        wg-friends = "10.8.0.0";
         wg-friend0 = "10.8.0.1";
         wg-friend1 = "10.8.0.2";
         wg-friend2 = "10.8.0.3";
         wg-friend3 = "10.8.0.4";
         wg-friend4 = "10.8.0.5";
-        wg-friends = "10.8.0.0";
       };
       description = "Set of IP's for all my computers.";
     };

parts/core.nix

@@ -224,7 +224,6 @@ in
         nixworkstation = ../secrets/ssh/ed25519_nixworkstation.pub;
         nixserver = ../secrets/ssh/ed25519_nixserver.pub;
         nixminiserver = ../secrets/ssh/ed25519_nixminiserver.pub;
-        windows_vm = ../secrets/ssh/ed25519_windows_vm.pub;
       };
       getSshKeys = keyNames: keyNames |> map (name: inputs.self.lib.sshKeys.${name});
       # Helper functions for multi-user toggle support