From d4e599bd9b105ec9706b0af33cd3dcbb8f53e0f3 Mon Sep 17 00:00:00 2001
From: soraefir
Date: Fri, 1 May 2026 22:01:54 +0200
Subject: [PATCH] Fixes
---
 .../system/network/wireguard/forwarding.nix | 22 +++++++++++--------
 modules/shared/sops/common.yaml | 8 +++----
 modules/shared/syscfg/default.nix | 6 ++---
 systems/gateway/cfg.nix | 8 +++---
 4 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/modules/nixos/system/network/wireguard/forwarding.nix b/modules/nixos/system/network/wireguard/forwarding.nix
index 7ea3728..97aa96f 100644
--- a/modules/nixos/system/network/wireguard/forwarding.nix
+++ b/modules/nixos/system/network/wireguard/forwarding.nix
@@ -12,23 +12,27 @@ networking.nftables.ruleset = ''
 table inet nat {
 chain prerouting {
- type nat hook prerouting priority 0; policy accept;
+ type nat hook prerouting priority dstnat; policy accept;
- ${lib.concatMapStringsSep "\n" (ports:
+ ${lib.concatMapStringsSep "\n" (rule:
 let
- from = builtins.elemAt ports 0;
- to = builtins.elemAt ports 1;
- src = builtins.elemAt ports 2;
- dst = builtins.elemAt ports 3;
+ srcInt = builtins.elemAt rule 0;
+ dstAddr4 = builtins.elemAt rule 1;
+ dstAddr6 = builtins.elemAt rule 2;
+ srcPort = toString (builtins.elemAt rule 3);
+ dstPort = toString (builtins.elemAt rule 4);
 in ''
- iifname "${from}" tcp dport ${toString src} counter dnat to ${to}:${toString dst}
- iifname "${from}" udp dport ${toString src} counter dnat to ${to}:${toString dst}
+ iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
+ iifname "${srcInt}" udp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
+
+ iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
+ iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
 ''
 ) config.syscfg.net.wg.server.forward}
 }
 chain postrouting {
- type nat hook postrouting priority 100; policy accept;
+ type nat hook postrouting priority srcnat; policy accept;
 oifname { "wg0", "ens3" } masquerade
 }
 }
diff --git a/modules/shared/sops/common.yaml b/modules/shared/sops/common.yaml
index 84f7b42..5cc8fc6 100755
--- a/modules/shared/sops/common.yaml
+++ b/modules/shared/sops/common.yaml
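Review bot: The rewritten lambda reads `rule` up to element 4 without checking the list length, so a host still supplying the old four-element `[ iface addr srcPort dstPort ]` form fails with a bare `elemAt` index error instead of a message that names the option; the two callers are updated in this commit, but the option type is not visible here. A one-line guard at the head of the lambda, `(rule: assert builtins.length rule == 5; let`, turns that into an evaluation-time failure pointing at this file. The new `dnat ip6` lines also interpolate `dstAddr6` unvalidated, so a rule that still carries the `"IPV6"` placeholder shown in the option example yields `[IPV6]:port`, which nft will not parse and the whole ruleset fails to load at activation; a comment above the lambda such as `# rule = [ srcInt dstAddr4 dstAddr6 srcPort dstPort ]; dstAddr6 must be a literal IPv6 address, it is bracketed below` would make the contract explicit. The enclosing `networking.nftables.ruleset` string starts outside the hunk.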
@@ -1,7 +1,7 @@ gateway_wg_priv: ENC[AES256_GCM,data:3XZxNN3qDNPNlvWeErPujvm0XJR3GUTNodEBL7G8Z+6uhyNTdLDOB34m16k=,iv:QRxE7qLtDOckWhL3GGopTnADlwuRSkT/GLpHkrGOAOA=,tag:xT/UlJg/oQYbJBfQeNak3w==,type:str] gateway_wg_pub: ENC[AES256_GCM,data:yS7PFe/ShzB7FG3gXinPl7VLNfdxA6hxIyuIHUDT2GfP/NWc08Z7ztKVu48=,iv:B45FKQNhg9YTykNHRC2p4ZWHB9+VwfEBh2gW+npE7EA=,tag:j2hU0RLv8gknAmSGp7iMrw==,type:str] -gateway_ssh_priv: null -gateway_ssh_pub: null +gateway_ssh_priv: ENC[AES256_GCM,data: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,iv:HhGUgZqgabuincK+vz8hEzRDNUnn3AuhY9t7Wz2494o=,tag:7Jov85/vKIgEmRvnzIyQuw==,type:str] +gateway_ssh_pub: ENC[AES256_GCM,data:zIJ0VXe3IaPeXR8MttmoZqK9V6XYYBFzmvNbqGHHLXInBzVDgsBqRc6lGcyTttTOma9urisWcgC32jTKjsuD9XuTjaxaKWWsG4lo3AGhJsn+GeXAwjv52wtkTmCo,iv:AV63288b3r8NmzJIKL0lOEZl38WqQHWhTGx7CBKlZ8U=,tag:cm3STEwnSVNXTKrWsArZXA==,type:str] valinor_ssh_priv: ENC[AES256_GCM,data:+eeVw/05eU5VW29KhT9+eGXcf+Ola2n0ISbj5Lzyj/bB/8OWDGXkqxWjgZv3cbL9v265AbyqcHfYX94BynTtMITfM6Cwz3D0EcUmIyP3rgjrJZdnksLu41a30dUjLnfVqiPwZaxxccZb6/JNAgXrg4hjkTsrCiZeSGpPl2VqECVt0tfJ3nmJwX+7C95QMvzxCw5S6CbN53AZBPmqBqzmxperc0LegMR+2lXviuqTEL2ZH3mzo0YeJQS/yCVVQL6TWx/wyM4fKD4kavg07sCAoj7E4V9RL4DY75uIbEz2+hvw9yE4nCtg2UgLu2hmragbH5ZseD/BWu+d2JGQeAnSLJBr6lZj/LGsiCe5vdnNqh2igZ9EI8Bhjv2ed2ajAxPYxJ1cAT9noxx6E+KU6sjWaSeKhLsnO/X3Ht1ADiUP4i/j39aE/4U7Gmk8Gs+3LBF0FXS88M06HV1cCKkd8RLkD0v6uKpOd6deOkKZRRGT8XzrF6JGY6fMXksF7GCqYqKhHEvU3nd3MQ/XjZuSycIr6NKdo31iezwjFCELUf2XQCIEtLe77vxfZQQ9lhddLhM7FJVDwlIuVLjN0lzrUoCywOZOG/ipenkCLDD5JmPqbkgyqFEIKpLW3weqlIFPTQblwaW724kKB80E+0lvW+0mG8oiyeqBuFufhtaUEwmg93aCzPW7wJuP7rzBm2i0FPl4Mg0f1d7iJtrHaIcnncw7vzeo+LOq1zvlcCVO3lt/JTRhTbxMEDzzQvvuRnFVExQbNCd9BKErpZAIia/l+5/PYClqapQYuBsx+Y4jUC/ct6PicSz/YtdXgTQc3jqmsLJ46R7Y3qkeaYJvsFDbTtjG1GlQdisNPZEhtkWgvyIcxl62/SSqLJr+ZxWh2ldToVpnX4g9JKcHbHyvsD/JJRsSD8fHlGBlnpXpL4onkQNbtZQ9HUBpaz6rQvp7klM5iI1trpdnv8nf3H0G54mz5c4FY81VIXcy+2nEgadhWNdKlI0rjruvXyJKUvCPmh3ZyPZPL+7rkLI+ywj+0Gz7QGKcDsOy2L1UsHSpCJGRe0ZJO8vuq1relbMF2pz5eQHa+9S3NNG/v5WNWVw4
BcCaX8tfuac467mZ+sr2CKAKn+ojhBAkSVWHWg95bURX1NUpjw6d2dPSJbLjen7FDZ1NiZsvW+eNIPnuaOAIoNKW9H2XXmXagJASOnwd+BwNWWB7APlQz/YfQycDG4TjAWCg22aoTagmXoPtiqNqo0gq7NljSbq5EY2hn1RUV7umMR/cqY4XmdBsVqSwnjBtuHGQArn2QRbAYJcHkrxpAzMfJSWNx176ARBFhQDITpI8Y2ROyF+tZaOcNOYuXfAjktV7Elgt5dNypxdo4a/qFt0IkjxRF8WGGTKU3eRnC0EvaVc3xifLIcjrihqiVnB3jb58pT7lSeTH8pnuTS2+jOVphvok+8ddKd+Q5Po2yw8e0PswzPK7dYdMjNNKhbg/W41Bxf5ZKWxGZjxMbwNndzPext/+QWZqTJDw+Cf3rCMpaAU3nRSW7b5TD9fYrmajSbkzHBy9ggt1y+IofLEWlsMkiisxqnggsbVyDlxMb2q5iOFYMWtG/VPE6e5yDUVlwsd1l+Mv+vASCJW0J2i5BJzpYVTnazcQabbVeK/t3t8oA7/aO7omZxbPYDcfBAfc8+ibx3iBW4tIrwe0EvsqkdhTt4C5jpxynfBnvUL4+O5IYFSyz29EKNPZ+2RQti6tMCZYi4/IDBg93WQHGMrUd0pyANwP0vYVH8QGtD3X94nwOjoJO3GXqD3qcGsCrmBmmJtHTYBZ39KZpxxujsYDeccUuRbV9Ivq9vydkjO4fkIKCtlSFWRtkgU6cl4IxoO7alRDvJzadWrBdW5k3ubZG3qV05+iV9KSdh520YrRzxGb0yd8Ii0pgJU38oEywWyLUL9+/Ov5UZALtflS90cLANodWfzNtAxcZP6C+XR3aRyI8dZp5ZcOwwbj9aieSImLDwnC0l1cdtxSu8Iwm29/yeh4v4JXl6t1bBsTkyCoirQnkyBC3lHLCbwE3vfB34BTcChR+qWhiM92rnr6be8M89AtnEfNsdpZAWD96craURM8wfmMh9tM66gjjHyYuJbi1186x4LAtST4VZMHnw6NoG3XK5sMoVZq8jFWfUqrpS6ZMRu1UV0qL1jNbcZifwOlDgmoFXhFMZ6CGax0Up+cFPI2BJ7wGQwsTszifSXah/XgFhrOWgu9Hs5YJYbTxs26yEhG2K9j1J/4dtNdowmPI05iMynybTzrQkB8T/lVE5w9o1wumNhftyXie10+Nc8U1Ok3JugGG1CoM35eLAPTA8vHZzj6819apBCtw2vGeHio9k27164gHhsZUdAhyfC8hxmR/V857ipCchBNGg6aQOh2hVs9+4mNaap1UXGlAOJZMp/O7BNknYi6LVuGOtiS01W86pgPtCrbb8/24RHcybSLXhS4spTDf/LfBHaEWiklQHyq7YU6hsTOcmTkMNLCFuNVbPXPFze30KWtPhyZyQNYPqEwo8dZ8InN3RNBaYCMgYel7kNcmCO/0HlL1Kqjc4i2mguFiw23Tz0YRmUpwDjEe9gfOjlm9EZQs0GQQyB2gNfaoH1oyiM5yvQ9MrY9OADGpos0334ZqW9mykUpjkhrCWKLmVLAzWejbqMw1ZDq7FRa+l6Uyt+2XFPar7dta/TsWYKv6kTqoz1JHMwf5EoGEgCszcwnqkcqd5T9NHoVNwwpkEN/7axF0OqT25NSpXkAcacSHo70998jL3zbdKFVamUmpF/hN6ioniJyKAelESPym7KpjZKBEsHGTzU30t1GgsGlYUwtR07O5FnRVViDiMyQHYAq1PXa1EbCS0b7bbdMYGcExJzHvlT8VmeKnJ1RoOvKWyil2habXd+TbxEWtfAOuWtJzLYwXWKPppsq/EwKxUGNla01hVrfAbm3QNP45gDGFZ0+piA8PLNq6PNFoSlINc/6/Z3WaENpGhxL0mKS2IS/d76AzHjUV+Hw6ylFUdYEjAPp2lR5woslQnxpO5n3oKpFl3jevzJmcNJKuZZEYzGU1leyddx30hzmVMfTliybA5I1GVTI
igbdKwuRWL8uYQA1mHUeO5pEPGMv1X4GcoT5BDrdcFAaU6vjhXbjVhCNcPBbjxKHisfOBUr6nx1M/n3AHndhilimrPP5adOGpG2CFqKQtINb0UmpqPQJRB488tuVE3fTPgqNi+PEES1tIumBVdt5m95p+BNHPyVwLloMeGkCVqsTid2251NSpFd/n0BVAOR0zZP1hGRRzgU2tNPK4VAVuvuPQdPw7ZUbVSe/VvphOLXAG72M27W9IbLrsnnmaNeh5ur/9fl5yI52py53z0Zrp6WNociqyeC03xzPAwmYF9BFMG+j9Kto2OfbxOCUdWxhlCGDuUqODcAsvfKNQddq4Fha0HSLjvGOtfEuWmJNTzmfIeO3vg==,iv:pTQbb6nLHJ8BXTIYdiSe4vc5+1hpNuHhQhDkIAsZ9HI=,tag:jyO99VXSsCQlQD+Hh+gtvg==,type:str] valinor_ssh_pub: ENC[AES256_GCM,data:c9s+tEjn+aZAjsxU7+dWmKLVc3dFdtna3ilDJrEb4k9TToyYY5VYEW6exxpbBl6MMAe98/KXgLPI5kTmq3gCqQe2dBnOB3C4f212DOmVyoYGj4AiqzU+Oo0pfg6DRw5BCjYGY7B+zJopqQgDvlIRTdJzAhQe3ZRuJFXKupVpJ+pEx56bo/memAf+BBZgIXChFrYadqze90rMmlw0D5V3L3lmTnqjoniXTXj5QoHh2f873qFAQ72+fSNlJCkasNavSiXKWVPcS3xMmgfiaffkqdO6pte1m/IgevKkKfciIOBbKskgsTZdy9iPGdELLH1wMzO45+vX3h2ATy/v5Hqq/yWlrDbvFFUKoaCb6n7/5O3MhaLwa78Uk09Dvbno2Wb8C5BBZlXBZ/BSooosDFUG/2IG8nKM+FrHJvtwgugCGa3ZQYKQr6iJ9g6tN83YRTEgKTCsZPnSNg+vXSBAib5ABHl8z7oHVB2hJFBnEn7Im99b/GRsCRD+/y9Y+4wF8nzznJgSrqInM59//EJHmwOWrHzSIpyV+cY67cCUXlkYB/ufx510XtEjijr2SOJXKmdAmme0EICkP/LY80Yrsoz2ee/A6w6ZP3HDHuxUVNeGNJvdoFhIyt9pEiRBwl7K2XKYCh/lRiE6E19EM6SmwplEM0+uAWTY+NUKZba2JSqFZLMlBFfWSLHgOHFLPatkZRUTkoNa4BOhtUlAYfuN/uHHimnL7H4O814OnjU5exqHca63VkDDhA==,iv:YT0ZN/Rt6CbMSFU1wZDbrenlwXCh7e4C06YbVL5J/VU=,tag:BqVtzOC1ViEkHHTXbgDJHw==,type:str] valinor_wg_priv: ENC[AES256_GCM,data:1izZF+6G2Uc2MRBH56A07lexZEkyOiiFI4zltyoZco0+Y9EPhH1nJ4sWzs0=,iv:OIBIQvMsrq93/o0r8V6eSzfU63xtCzgQFf8NKXsjRk0=,tag:wdcQOfdaoxe7Vw0QWmngwA==,type:str] 
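Review bot: This hunk populates `gateway_ssh_priv` next to the existing `valinor_ssh_priv` in the single shared file, and if `common.yaml` is decryptable by every host's age key, as its name and the age recipient block (outside this hunk) suggest, each host then holds the other host's SSH private key, so one compromised machine exposes both. A per-host sops file, or sops `creation_rules` that scope the `*_ssh_priv` keys to that host's recipient only, keeps the blast radius of a compromise to the host's own key. Separately, the file header shows `common.yaml` tracked with mode 100755; an encrypted YAML file has no use for the executable bit, and `git update-index --chmod=-x modules/shared/sops/common.yaml` in a follow-up drops it.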
@@ -68,8 +68,8 @@ sops:
 STRtTVpVTCtVZ1FUNENqWFFVNTNuaVUKN6HRiZjTdENeif8dJ29urBxPXDaosjjY
 InN4Ko6YUaGfvB1DTrKIzrxOpsHS+XjisoGfT71tJwwEOoREklEO/A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-05-01T15:14:46Z"
- mac: ENC[AES256_GCM,data:epSFr7V8a1SRbLqiW0hmxFczzedodtoq69zVy3+kYmoIoQCGh2lHyDr2UPQHpdKZQbaOaForXO8Nlc+hllEcX/uPp/O7Yw/KEsS66wPZW8XW9GubzKVn47K1+tNTzeiLAi0iOMEcl2spXGL+6qlieuqNNrWlMEJak61rPEKSXcA=,iv:ifi1u2LTxGPHhMYRHkwSobpLBouCnOMSv6/f1G3LI+s=,tag:46tMthiGwxITsGbIMYykUg==,type:str]
+ lastmodified: "2026-05-01T19:34:05Z"
+ mac: ENC[AES256_GCM,data:D3KYMqNGEQDEud8p9IUjiwNkhfw1KECXImi0k8LkfJYsmru2LBgRmlfMk+0ZWl8zrF4+VWhuvaBiBJbJQIuj63eaaXF36GIqdr5958QjX9DlZyFtzKGvmcGlf+NfCxXr25TbYJOq3lTk4Wt9uWravGHZRwzyWhTxIHPN1M83rO4=,iv:gXDqzyyyv8eMYEMV2Dr4FPsj6bDWoeQNROi33k7/5PY=,tag:ZG5DlN7kNskUTqFeAf+KBQ==,type:str]
 pgp:
 - created_at: "2023-04-20T10:20:17Z"
 enc: |-
diff --git a/modules/shared/syscfg/default.nix b/modules/shared/syscfg/default.nix
index 3a4fdbb..9ccdd0d 100644
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -56,9 +56,9 @@ let
 default = [];
 description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
 example = [
- [ "ens3" "10.10.1.2" 22 2222 ]
- [ "ens3" "10.10.1.2" 80 80 ]
- [ "ens3" "10.10.1.2" 443 443 ]
+ [ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
+ [ "ens3" "10.10.1.2" "IPV6" 80 80 ]
+ [ "ens3" "10.10.1.2" "IPV6" 443 443 ]
 ];
 };
 };
diff --git a/systems/gateway/cfg.nix b/systems/gateway/cfg.nix
index 1322e2e..d667e2e 100644
--- a/systems/gateway/cfg.nix
+++ b/systems/gateway/cfg.nix
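Review bot: In the `default.nix` hunk the unchanged `description` line directly above `example` still documents the four-element form `[srcInterface dstAddr srcPort dstPort]`, while the new example entries have five elements with an IPv6 address in third position, so the option's own documentation now contradicts its example. Change it to `description = "Forwarding rules: [ [srcInterface dstAddr4 dstAddr6 srcPort dstPort] ... ]";` and replace the `"IPV6"` placeholder in the example with a syntactically valid address from the documentation range, e.g. `"2001:db8::2"`, since a copied placeholder produces an nftables rule that does not parse. The option's `type` is outside the hunk; if it is a plain nested `listOf`, the old four-element shape is not rejected at evaluation time and surfaces only as an `elemAt` error in the forwarding module.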
@@ -26,10 +26,10 @@
 enable = true;
 peers = ["avalon" "asgard" "iriy" "valinor" ];
 forward = [
- [ "ens3" "10.10.1.2" 22 2222 ] # SSH
- [ "ens3" "10.10.1.2" 80 80 ] # HTTP
- [ "ens3" "10.10.1.2" 443 443 ] # HTTPS
- [ "ens3" "10.10.1.2" 3979 3979 ] # OTTD
+ [ "ens3" "10.10.1.2" "fd10:10:10::2" 22 2222 ] # SSH
+ [ "ens3" "10.10.1.2" "fd10:10:10::2" 80 80 ] # HTTP
+ [ "ens3" "10.10.1.2" "fd10:10:10::2" 443 443 ] # HTTPS
+ [ "ens3" "10.10.1.2" "fd10:10:10::2" 3979 3979 ] # OTTD
 ];
 };
 };
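Review bot: The target pair `"10.10.1.2"` / `"fd10:10:10::2"` is now repeated verbatim on all four `forward` entries, so a future address change has to be made in four places and a v4/v6 mismatch on a single line is easy to miss in review. Binding the pair once, e.g. `target4 = "10.10.1.2"; target6 = "fd10:10:10::2";` in a `let` above the attribute set (which starts outside the hunk), and writing entries as `[ "ens3" target4 target6 22 2222 ] # SSH` keeps the two addresses in one place.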