From f246bad66035688951ef26ffa3c6e038575959b4 Mon Sep 17 00:00:00 2001
From: Atridad Lahiji
Date: Fri, 6 Mar 2026 16:08:03 -0700
Subject: [PATCH] Update modules/proxy.nix

---
 modules/proxy.nix | 45 ++++++++++++++++++++++-----------------------
 1 file changed, 22 insertions(+), 23 deletions(-)

diff --git a/modules/proxy.nix b/modules/proxy.nix
index 597c9fc..6aec33d 100644
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
@@ -1,6 +1,7 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }:

@@ -47,16 +48,23 @@ let
 abort @fuckai
 '';

- mkIptablesRule =
- port: proto: action:
- let
- op = if action == "add" then "-A" else "-D";
- ignoreErr = if action == "remove" then "|| true" else "";
- in
- ''
- iptables -t nat ${op} PREROUTING -p ${proto} --dport ${toString port} -j DNAT --to-destination ${upstream}:${toString port} ${ignoreErr}
- iptables -t nat ${op} POSTROUTING -p ${proto} -d ${upstream} --dport ${toString port} -j MASQUERADE ${ignoreErr}
- '';
+ mkSocatService =
+ port: proto:
+ lib.nameValuePair "socat-${proto}-${toString port}" {
+ description = "Socat ${proto} proxy for port ${toString port}";
+ after = [
+ "network-online.target"
+ "tailscaled.service"
+ ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.socat}/bin/socat ${lib.toUpper proto}-LISTEN:${toString port},fork,reuseaddr ${lib.toUpper proto}:${upstream}:${toString port}";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ DynamicUser = true;
+ };
+ };

 in
 {
@@ -152,9 +160,10 @@ in
 '';
 };

- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- };
+ systemd.services = lib.listToAttrs (
+ (map (port: mkSocatService port "tcp") streamPorts)
+ ++ (map (port: mkSocatService port "udp") streamPorts)
+ );

 networking.firewall = {
 allowedTCPPorts = [
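Review bot: With `DynamicUser = true` in the new serviceConfig, socat runs as an unprivileged user, so any entry in streamPorts below 1024 will fail to bind at `TCP-LISTEN`/`UDP-LISTEN` and the unit will simply cycle through `Restart = "on-failure"`; streamPorts is defined outside this hunk, so this only bites if it contains privileged ports, but the unit should not depend on that. The `fork` option on the listen address also spawns one child per remote peer with no upper bound, and for UDP each child never sees an EOF, so a single peer can drive the unit into the PID and memory limits of its slice. The serviceConfig below adds the ambient bind capability, restricts the bounding set to it, and bounds children via socat's `max-children=` and `-T` inactivity timeout (the numeric values are constructed examples to tune); DynamicUser already implies NoNewPrivileges, ProtectSystem=strict and PrivateTmp, so those are not repeated. mkSocatService is wholly inside this hunk.
```nix
      # … unchanged: description / after / wants / wantedBy …
      serviceConfig = {
        # -T <seconds> is socat's inactivity timeout so forked children (UDP ones never see EOF)
        # are reaped; max-children bounds per-peer forks. Both numbers are constructed examples.
        ExecStart = "${pkgs.socat}/bin/socat -T 300 ${lib.toUpper proto}-LISTEN:${toString port},fork,reuseaddr,max-children=100 ${lib.toUpper proto}:${upstream}:${toString port}";
        Restart = "on-failure";
        RestartSec = "5s";
        DynamicUser = true;
        # DynamicUser runs socat unprivileged; ports < 1024 need this ambient capability, and the
        # bounding set keeps every other capability out of the process.
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
      };
```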
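Review bot: Dropping `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` is correct once nothing DNATs any more, but it also turns off forwarding for anything else on this host that relied on it; the units are ordered after tailscaled.service, and if this machine acts as a Tailscale subnet router or exit node that sysctl was load-bearing, so that is worth confirming before merging. The enclosing attribute set starts and ends outside this hunk. A one-line comment above the `systemd.services` assignment would help the next reader, e.g. `# One socat unit per port and protocol; ip_forward is no longer needed because traffic is proxied in userspace rather than DNATed.`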
@@ -163,15 +172,5 @@ in
 ] ++ streamPorts;
 allowedUDPPorts = streamPorts;

-
- extraCommands = lib.concatStringsSep "\n" (
- (map (port: mkIptablesRule port "tcp" "add") streamPorts)
- ++ (map (port: mkIptablesRule port "udp" "add") streamPorts)
- );
-
- extraStopCommands = lib.concatStringsSep "\n" (
- (map (port: mkIptablesRule port "tcp" "remove") streamPorts)
- ++ (map (port: mkIptablesRule port "udp" "remove") streamPorts)
- );
 };
 }