From f793e2d42aa78c40c80fa94d6f985881865e3b76 Mon Sep 17 00:00:00 2001
From: chn
Date: Sat, 6 Sep 2025 15:24:46 +0800
Subject: [PATCH] devices.vps6: add port forwarding for nas

---
 devices/vps6/default.nix | 43 ++++++++++++++++++++++++----------------
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/devices/vps6/default.nix b/devices/vps6/default.nix
index adadf3fc..a1461521 100644
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -68,23 +68,32 @@ inputs:
     networking.nftables.tables.forward =
     {
       family = "inet";
-      content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0"; in
-        ''
-          chain prerouting {
-            type nat hook prerouting priority dstnat; policy accept;
-            tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
-          }
-          chain output {
-            type nat hook output priority dstnat; policy accept;
-            # 需要忽略透明代理发出的流量(gid 不是 nginx)
-            meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} tcp dport 7011 fib daddr type local \
-              counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
-          }
-          chain postrouting {
-            type nat hook postrouting priority srcnat; policy accept;
-            oifname wg0 meta mark & 4 == 4 counter masquerade
-          }
-        '';
+      content =
+        let
+          srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0";
+          nas = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.nas";
+        in
+        ''
+          chain prerouting {
+            type nat hook prerouting priority dstnat; policy accept;
+            tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+            tcp dport 7012 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${nas}:22
+          }
+          chain output {
+            type nat hook output priority dstnat; policy accept;
+            # 需要忽略透明代理发出的流量(gid 不是 nginx)
+            meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
+              tcp dport 7011 fib daddr type local \
+              counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+            meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
+              tcp dport 7012 fib daddr type local \
+              counter meta mark set meta mark | 4 dnat ip to ${nas}:22
+          }
+          chain postrouting {
+            type nat hook postrouting priority srcnat; policy accept;
+            oifname wg0 meta mark & 4 == 4 counter masquerade
+          }
+        '';
     };
   };
 }
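Review bot: The new `tcp dport 7012 ... dnat ip to ${nas}:22` rule in the prerouting chain has no `ip saddr` or `iifname` qualifier, so any source that can reach a local address of vps6 (including peers on wg0, since `fib daddr type local` covers every interface) is forwarded to the NAS's sshd; whether a filter chain elsewhere restricts this is outside the hunk, so the rule deserves a comment naming that dependency, e.g. `# publicly exposes NAS sshd; access control relies on the forward filter chain and key-only auth on the NAS`. Because the postrouting rule masquerades everything marked 4 on wg0, the NAS sees every forwarded SSH connection as coming from vps6's wg0 address, so per-source lockouts or logs on the NAS cannot tell clients apart and could ban vps6 itself; a comment on the `masquerade` line stating that source attribution is lost would prevent surprises when auditing the NAS. The 7011 and 7012 rules in both the prerouting and output chains are copy-pasted, so generating them in Nix from a list of `{ port, target }` pairs in the `let` block, or collapsing each pair into one nft map rule such as `dnat ip to tcp dport map { 7011 : ${srv2} . 22, 7012 : ${nas} . 22 }` (verify the concatenated-map syntax against the nft version in use), would keep the `skgid` guard and the mark logic in one place for future ports. The `networking.nftables.tables.forward` attribute set begins and ends within the hunk, but the enclosing module body continues outside it.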