nat table

config/jawz.nix

@@ -79,7 +79,6 @@ in
       "galaxy"
       "phone"
       "vps"
-      "windows_vm"
     ];
   };
 }

hosts/server/configuration.nix

@@ -79,6 +79,7 @@ in
           allowedIPs = [
             "${config.my.ips.wg-vps}/32"
             "${config.my.ips.wg-friends}/24" # all friends
+            "${config.my.ips.wg-gs}/24" # all friends
           ];
           persistentKeepalive = 25;
         }

hosts/vps/configuration.nix

@@ -47,57 +47,70 @@ in
     };
   };
   image.modules.linode = { };
-  networking.hostName = "vps";
   services.smartd.enable = lib.mkForce false;
   environment.systemPackages = [ ];
-  networking.nftables.enable = true;
+  networking = {
-  networking.firewall = {
+    hostName = "vps";
-    enable = true;
+    nat = {
-    filterForward = true;
+      inherit externalInterface;
-    checkReversePath = "loose";
+      enable = true;
-    allowedTCPPorts = [ sshPort ] ++ webPorts;
+      internalInterfaces = [ "wg0" ];
-    allowedUDPPorts = [ wgPort ];
+      forwardPorts = [
-    extraForwardRules = ''
+        {
-      iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+          sourcePort = giteaSshPort;
-      iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+          proto = "tcp";
-      iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+          destination = "${homeServer}:${giteaSshPortStr}";
-      iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+        }
-      iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
+      ];
-      iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
+    };
-      iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
+    nftables = {
-      iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
+      enable = true;
+      tables."vps-snat" = {
+        family = "ip";
+        content = ''
+          chain postrouting {
+            type nat hook postrouting priority srcnat;
+            iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} masquerade comment "snat ssh forward"
+          }
+        '';
+      };
+    };
+    firewall = {
+      enable = true;
+      filterForward = true;
+      checkReversePath = "loose";
+      allowedTCPPorts = [ sshPort ] ++ webPorts;
+      allowedUDPPorts = [ wgPort ];
+      extraForwardRules = ''
+        iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+        iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+        iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+        iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+        iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
+        iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
+        iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
+        iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
 
-      iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
+        iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
 
-      iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
+        iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
-      iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
+        iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
-      iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
+        iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
-      iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
+        iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
 
-      iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
+        iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
-      iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
+        iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
 
-      iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept
+        iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept
 
-      ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
+        ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
-      ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
+        ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
-      ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
+        ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
-      ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
+        ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
-      ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
+        ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
-      ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
+        ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
-    '';
+      '';
-  };
+    };
-  networking.nat = {
-    enable = true;
-    inherit externalInterface;
-    internalInterfaces = [ "wg0" ];
-    forwardPorts = [
-      {
-        sourcePort = giteaSshPort;
-        proto = "tcp";
-        destination = "${homeServer}:${giteaSshPortStr}";
-      }
-    ];
   };
   security.sudo-rs.extraRules = [
     {

modules/modules.nix

@@ -56,12 +56,12 @@ in
         wg-gs = "10.9.0.0";
         wg-g0 = "10.9.0.1";
         wg-g1 = "10.9.0.2";
+        wg-friends = "10.8.0.0";
         wg-friend0 = "10.8.0.1";
         wg-friend1 = "10.8.0.2";
         wg-friend2 = "10.8.0.3";
         wg-friend3 = "10.8.0.4";
         wg-friend4 = "10.8.0.5";
-        wg-friends = "10.8.0.0";
       };
       description = "Set of IP's for all my computers.";
     };

parts/core.nix

@@ -224,7 +224,6 @@ in
         nixworkstation = ../secrets/ssh/ed25519_nixworkstation.pub;
         nixserver = ../secrets/ssh/ed25519_nixserver.pub;
         nixminiserver = ../secrets/ssh/ed25519_nixminiserver.pub;
-        windows_vm = ../secrets/ssh/ed25519_windows_vm.pub;
       };
       getSshKeys = keyNames: keyNames |> map (name: inputs.self.lib.sshKeys.${name});
       # Helper functions for multi-user toggle support