devices.vps6: add port forwarding for nas

2026-01-12 01:29:24 +08:00 · 2025-09-06 15:24:46 +08:00
parent 1ea6614a9e
commit f793e2d42a
1 changed files with 26 additions and 17 deletions
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -68,23 +68,32 @@ inputs:
    networking.nftables.tables.forward =
    {
      family = "inet";
-      content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0"; in
-      ''
-        chain prerouting {
-          type nat hook prerouting priority dstnat; policy accept;
-          tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
-        }
-        chain output {
-          type nat hook output priority dstnat; policy accept;
-          # 需要忽略透明代理发出的流量（gid 不是 nginx）
-          meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} tcp dport 7011 fib daddr type local \
-            counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
-        }
-        chain postrouting {
-          type nat hook postrouting priority srcnat; policy accept;
-          oifname wg0 meta mark & 4 == 4 counter masquerade
-        }
-      '';
+      content =
+        let
+          srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0";
+          nas = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.nas";
+        in
+        ''
+          chain prerouting {
+            type nat hook prerouting priority dstnat; policy accept;
+            tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+            tcp dport 7012 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${nas}:22
+          }
+          chain output {
+            type nat hook output priority dstnat; policy accept;
+            # 需要忽略透明代理发出的流量（gid 不是 nginx）
+            meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
+              tcp dport 7011 fib daddr type local \
+              counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+            meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
+              tcp dport 7012 fib daddr type local \
+              counter meta mark set meta mark | 4 dnat ip to ${nas}:22
+          }
+          chain postrouting {
+            type nat hook postrouting priority srcnat; policy accept;
+            oifname wg0 meta mark & 4 == 4 counter masquerade
+          }
+        '';
    };
  };
 }