
feat(forgejo): masquerade and dnat sentinel:9922 to forgejo vm

This commit is contained in:
oddlama 2024-01-23 17:47:28 +01:00
parent 0abd08a7be
commit 7f8c5689e0
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
3 changed files with 26 additions and 0 deletions


@ -30,6 +30,28 @@ in {
nodes.sentinel = {
networking.providedDomains.forgejo = forgejoDomain;
# Make sure to masquerade 9922 (wan) -> 22 (proxy-sentinel)
networking.nftables.chains = {
forward.dnat = {
after = ["conntrack"];
rules = ["ct status dnat accept"];
};
postrouting.to-forgejo = {
after = ["hook"];
rules = [
"iifname wan ip daddr ${config.meta.wireguard.proxy-sentinel.ipv4} tcp dport 22 masquerade random"
"iifname wan ip6 daddr ${config.meta.wireguard.proxy-sentinel.ipv6} tcp dport 22 masquerade random"
];
};
prerouting.to-forgejo = {
after = ["hook"];
rules = [
"iifname wan tcp dport 9922 dnat ip to ${config.meta.wireguard.proxy-sentinel.ipv4}:22"
"iifname wan tcp dport 9922 dnat ip6 to ${config.meta.wireguard.proxy-sentinel.ipv6}:22"
];
};
};
services.nginx = {
upstreams.forgejo = {
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.gitea.settings.server.HTTP_PORT}" = {};