40 lines
1.1 KiB
Nix
40 lines
1.1 KiB
Nix
{ ... }:
|
|
{
|
|
# ssh config for forgejo
|
|
# need ip forward for nat
|
|
boot.kernel.sysctl = {
|
|
"net.ipv4.ip_forward" = 1;
|
|
};
|
|
|
|
networking.firewall = {
|
|
# open port explicitly
|
|
allowedTCPPorts = [ 22 ];
|
|
# git.oxapentane.com: port forward 22 to forgejo
|
|
# TODO do a proper thing with ipv6
|
|
extraCommands = ''
|
|
iptables -t nat -I PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222
|
|
iptables ! -o lo -t nat -A POSTROUTING -j MASQUERADE
|
|
'';
|
|
extraStopCommands = ''
|
|
iptables -t nat -D PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222 || true
|
|
'';
|
|
};
|
|
# host sshd: only listen on oxapentane.com and mgmt vpn
|
|
services.openssh.listenAddresses =
|
|
map
|
|
(a: {
|
|
addr = a;
|
|
port = 22;
|
|
})
|
|
[
|
|
# enp1s0
|
|
"188.245.196.27"
|
|
"2a01:4f8:c17:7f8a::1"
|
|
# wg-0xa-mgmt
|
|
"10.89.87.1"
|
|
"fd31:185d:722e::1"
|
|
];
|
|
|
|
services.caddy.virtualHosts."git.oxapentane.com".extraConfig =
|
|
"reverse_proxy 10.89.88.15:3000 [fd31:185d:722f::15]:3000";
|
|
}
|