From 558ac503379abb7127c8ee0a64f1cd80cd314740 Mon Sep 17 00:00:00 2001
From: Adithya Nair
Date: Sun, 17 Nov 2024 11:42:28 +0530
Subject: [PATCH] bifrost: setup NAT for git-over-ssh to forgejo

---
 hosts/bifrost/network/default.nix | 3 +--
 hosts/bifrost/network/firewall.nix | 27 +++++++++++++++++++++++++
 hosts/bifrost/services/apps/forgejo.nix | 5 +----
 3 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 hosts/bifrost/network/firewall.nix

diff --git a/hosts/bifrost/network/default.nix b/hosts/bifrost/network/default.nix
index c192749..f29897e 100644
--- a/hosts/bifrost/network/default.nix
+++ b/hosts/bifrost/network/default.nix
@@ -1,5 +1,5 @@
 { lib, ... }: {
- imports = [ ./wireguard.nix ];
+ imports = [ ./firewall.nix ./wireguard.nix ];
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@@ -44,7 +44,6 @@
 ];
 useDHCP = lib.mkDefault false;
 useNetworkd = true;
- nftables.enable = true;
 };
 }
diff --git a/hosts/bifrost/network/firewall.nix b/hosts/bifrost/network/firewall.nix
new file mode 100644
index 0000000..ca08c52
--- /dev/null
+++ b/hosts/bifrost/network/firewall.nix
@@ -0,0 +1,27 @@
+_: {
+ networking = {
+ firewall.allowedTCPPorts = [ 42069 ];
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table ip filter {
+ chain FORWARD {
+ iifname "ens3" oifname "Homelab" tcp dport 42069 tcp flags syn / fin,syn,rst,ack ct state new accept
+ iifname "ens3" oifname "Homelab" ct state related,established accept
+ iifname "Homelab" oifname "ens3" ct state related,established accept
+ }
+ }
+ table ip nat {
+ chain PREROUTING {
+ type nat hook prerouting priority -100 ;
+ iifname ens3 tcp dport 42069 dnat to 10.10.10.13
+ }
+ chain POSTROUTING {
+ type nat hook postrouting priority 100 ;
+ ip daddr 10.10.10.13 masquerade
+ };
+ }
+ '';
+ };
+ };
+}
diff --git a/hosts/bifrost/services/apps/forgejo.nix b/hosts/bifrost/services/apps/forgejo.nix
index 6bb75f9..1f1383c 100644
--- a/hosts/bifrost/services/apps/forgejo.nix
+++ b/hosts/bifrost/services/apps/forgejo.nix
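Review bot: `chain FORWARD` in `table ip filter` carries no `type filter hook forward priority …;` declaration, so it is a regular chain that nothing jumps to and its three accept rules are never evaluated; with `net.ipv4.ip_forward = 1` set in default.nix, the traffic actually routed between ens3 and Homelab is governed only by whatever the NixOS firewall does on the forward hook (to my recollection nothing unless `networking.firewall.filterForward` is enabled), so the DNAT'd SSH flow works by accident and nothing else is denied. Make it a base chain with a deny default so the rules take effect: `chain FORWARD { type filter hook forward priority filter; policy drop;` followed by the existing three rules. `ip daddr 10.10.10.13 masquerade` also rewrites the source address of every forwarded packet to that host rather than just the redirected SSH connections, so forgejo's sshd log and any per-source-IP rate limiting on it only ever see bifrost's Homelab address; `ip daddr 10.10.10.13 tcp dport 42069 ct status dnat masquerade` at least scopes it to the NATed flow, and the log-visibility caveat is worth a comment in the ruleset. The `firewall.allowedTCPPorts = [ 42069 ]` line looks unintended as well: the DNAT runs at prerouting before the input hook, so it is not what admits the ens3 traffic, and it opens 42069 on bifrost itself from every other interface.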
@@ -1,8 +1,5 @@
 _:
-let
- domainName = "forge.acomputer.lol";
-in
-{
+let domainName = "forge.acomputer.lol"; in {
 services = {
 caddy.virtualHosts."${domainName}" = {
 extraConfig = ''