feat(forgejo): masquerade and dnat sentinel:9922 to forgejo vm

hosts/sire/guests/immich.nix

@@ -148,6 +148,9 @@ in {
   microvm.mem = 1024 * 12;
   microvm.vcpu = 16;
 
+  # Forwarding required to masquerade podman network
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
   # Mirror the original oauth2 secret
   age.secrets.immich-oauth2-client-secret = {
     inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-immich) rekeyFile;

hosts/ward/guests/forgejo.nix

@@ -30,6 +30,28 @@ in {
   nodes.sentinel = {
     networking.providedDomains.forgejo = forgejoDomain;
 
+    # Make sure to masquerade 9922 (wan) -> 22 (proxy-sentinel)
+    networking.nftables.chains = {
+      forward.dnat = {
+        after = ["conntrack"];
+        rules = ["ct status dnat accept"];
+      };
+      postrouting.to-forgejo = {
+        after = ["hook"];
+        rules = [
+          "iifname wan ip daddr ${config.meta.wireguard.proxy-sentinel.ipv4} tcp dport 22 masquerade random"
+          "iifname wan ip6 daddr ${config.meta.wireguard.proxy-sentinel.ipv6} tcp dport 22 masquerade random"
+        ];
+      };
+      prerouting.to-forgejo = {
+        after = ["hook"];
+        rules = [
+          "iifname wan tcp dport 9922 dnat ip to ${config.meta.wireguard.proxy-sentinel.ipv4}:22"
+          "iifname wan tcp dport 9922 dnat ip6 to ${config.meta.wireguard.proxy-sentinel.ipv6}:22"
+        ];
+      };
+    };
+
     services.nginx = {
       upstreams.forgejo = {
         servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.gitea.settings.server.HTTP_PORT}" = {};

modules/distributed-config.nix

@@ -41,6 +41,7 @@
   forwardedOptions = [
     ["age" "secrets"]
     ["networking" "providedDomains"]
+    ["networking" "nftables" "chains"]
     ["services" "nginx" "upstreams"]
     ["services" "nginx" "virtualHosts"]
     ["services" "influxdb2" "provision" "organizations"]