Update modules/proxy.nix

This commit is contained in:
2026-03-06 16:08:03 -07:00
parent bdaa68a797
commit f246bad660


@@ -1,6 +1,7 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
@@ -47,16 +48,23 @@ let
abort @fuckai abort @fuckai
''; '';
mkIptablesRule = mkSocatService =
port: proto: action: port: proto:
let lib.nameValuePair "socat-${proto}-${toString port}" {
op = if action == "add" then "-A" else "-D"; description = "Socat ${proto} proxy for port ${toString port}";
ignoreErr = if action == "remove" then "|| true" else ""; after = [
in "network-online.target"
'' "tailscaled.service"
iptables -t nat ${op} PREROUTING -p ${proto} --dport ${toString port} -j DNAT --to-destination ${upstream}:${toString port} ${ignoreErr} ];
iptables -t nat ${op} POSTROUTING -p ${proto} -d ${upstream} --dport ${toString port} -j MASQUERADE ${ignoreErr} wants = [ "network-online.target" ];
''; wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.socat}/bin/socat ${lib.toUpper proto}-LISTEN:${toString port},fork,reuseaddr ${lib.toUpper proto}:${upstream}:${toString port}";
Restart = "on-failure";
RestartSec = "5s";
DynamicUser = true;
};
};
in in
{ {
@@ -152,9 +160,10 @@ in
''; '';
}; };
boot.kernel.sysctl = { systemd.services = lib.listToAttrs (
"net.ipv4.ip_forward" = 1; (map (port: mkSocatService port "tcp") streamPorts)
}; ++ (map (port: mkSocatService port "udp") streamPorts)
);
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
@@ -163,15 +172,5 @@ in
] ]
++ streamPorts; ++ streamPorts;
allowedUDPPorts = streamPorts; allowedUDPPorts = streamPorts;
extraCommands = lib.concatStringsSep "\n" (
(map (port: mkIptablesRule port "tcp" "add") streamPorts)
++ (map (port: mkIptablesRule port "udp" "add") streamPorts)
);
extraStopCommands = lib.concatStringsSep "\n" (
(map (port: mkIptablesRule port "tcp" "remove") streamPorts)
++ (map (port: mkIptablesRule port "udp" "remove") streamPorts)
);
}; };
} }
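Review bot: In the new mkSocatService (second hunk, the `serviceConfig` block) `DynamicUser = true` runs socat as an unprivileged transient user, so any entry in `streamPorts` below 1024 will fail at bind time, and `Restart = "on-failure"` with `RestartSec = "5s"` turns that into a restart loop rather than a clear error; if such ports exist, add `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` next to `DynamicUser`. Since the unit now runs as a dedicated user anyway, the same block is the natural place for `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];`, which confines a misbehaving socat to the socket families it actually needs. The `let` block that defines `mkSocatService` and `upstream` begins before this hunk, so where `streamPorts` and `upstream` are set is not visible here; whether either is validated is something I cannot tell from the page.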