Update modules/proxy.nix

2026-03-06 16:08:03 -07:00
parent bdaa68a797
commit f246bad660
1 changed files with 22 additions and 23 deletions
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
@@ -1,6 +1,7 @@
 {
  config,
  lib,
+  pkgs,
  ...
 }:

@@ -47,16 +48,23 @@ let
    abort @fuckai
  '';

-  mkIptablesRule =
-    port: proto: action:
-    let
-      op = if action == "add" then "-A" else "-D";
-      ignoreErr = if action == "remove" then "|| true" else "";
-    in
-    ''
-      iptables -t nat ${op} PREROUTING -p ${proto} --dport ${toString port} -j DNAT --to-destination ${upstream}:${toString port} ${ignoreErr}
-      iptables -t nat ${op} POSTROUTING -p ${proto} -d ${upstream} --dport ${toString port} -j MASQUERADE ${ignoreErr}
-    '';
+  mkSocatService =
+    port: proto:
+    lib.nameValuePair "socat-${proto}-${toString port}" {
+      description = "Socat ${proto} proxy for port ${toString port}";
+      after = [
+        "network-online.target"
+        "tailscaled.service"
+      ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.socat}/bin/socat ${lib.toUpper proto}-LISTEN:${toString port},fork,reuseaddr ${lib.toUpper proto}:${upstream}:${toString port}";
+        Restart = "on-failure";
+        RestartSec = "5s";
+        DynamicUser = true;
+      };
+    };

 in
 {
@@ -152,9 +160,10 @@ in
    '';
  };

-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-  };
+  systemd.services = lib.listToAttrs (
+    (map (port: mkSocatService port "tcp") streamPorts)
+    ++ (map (port: mkSocatService port "udp") streamPorts)
+  );

  networking.firewall = {
    allowedTCPPorts = [
@@ -163,15 +172,5 @@ in
    ]
    ++ streamPorts;
    allowedUDPPorts = streamPorts;
-
-    extraCommands = lib.concatStringsSep "\n" (
-      (map (port: mkIptablesRule port "tcp" "add") streamPorts)
-      ++ (map (port: mkIptablesRule port "udp" "add") streamPorts)
-    );
-
-    extraStopCommands = lib.concatStringsSep "\n" (
-      (map (port: mkIptablesRule port "tcp" "remove") streamPorts)
-      ++ (map (port: mkIptablesRule port "udp" "remove") streamPorts)
-    );
  };
 }