From d888bc60b74a59e42d76f32bb0b4732fc68c923c Mon Sep 17 00:00:00 2001
From: Hendrik Sokolowski <hensoko@gssws.de>
Date: Fri, 5 Apr 2024 19:29:17 +0200
Subject: [PATCH] nachtigall: forgejo ssh use nat rules

---
 hosts/nachtigall/apps/forgejo.nix | 9 ++++++---
 hosts/nachtigall/networking.nix   | 6 ++++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/hosts/nachtigall/apps/forgejo.nix b/hosts/nachtigall/apps/forgejo.nix
index 647f83e0..f76e8c97 100644
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@@ -43,9 +43,12 @@
 
   # Expose SSH port only for forgejo SSH
   networking.firewall.interfaces.enp35s0.allowedTCPPorts = [ 2223 ];
-  networking.firewall.extraCommands = ''
-    iptables -t nat -i enp35s0 -I PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2223
-  '';
+  networking.nat.forwardPorts = [{
+    proto = "tcp";
+    sourcePort = 22;
+    destination = "127.0.0.1:2223";
+    loopbackIPs = [ "138.201.80.102" "2a01:4f8:172:1c25::1" ];
+  }];
 
   services.forgejo = {
     enable = true;
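Review bot: The new DNAT target `127.0.0.1:2223` is reached from the external interface, and packets whose destination is rewritten to a loopback address are dropped as martians unless `net.ipv4.conf.enp35s0.route_localnet` (or the `.all.` variant) is enabled, which nothing on this page sets; the removed REDIRECT rule had no such requirement because it kept the original destination address and only changed the port. Forwarding to the host's own address instead, `destination = "138.201.80.102:2223";`, avoids the sysctl and is already admitted by the `allowedTCPPorts = [ 2223 ]` rule on enp35s0 directly above. The `loopbackIPs` list mixes an IPv6 address with an IPv4 destination; as far as I can tell the NixOS module generates the loopback-reflection rules in the address family of `destination`, so the `2a01:4f8:172:1c25::1` entry would end up in an IPv4 rule — either drop it, or add a second `forwardPorts` entry with an IPv6 destination such as `"[::1]:2223"` carrying that address. Like the removed rule, this entry only covers port 22 over IPv4, which is worth stating in the comment above the block; the `services.forgejo` attribute set continues outside the hunk.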
diff --git a/hosts/nachtigall/networking.nix b/hosts/nachtigall/networking.nix
index 91a09475..3d038f61 100644
--- a/hosts/nachtigall/networking.nix
+++ b/hosts/nachtigall/networking.nix
@@ -25,4 +25,10 @@
   ];
   networking.defaultGateway = "138.201.80.65";
   networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
+
+  networking.nat = {
+    enable = true;
+    enableIPv6 = true;
+    externalInterface = "enp35s0";
+  };
 }
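Review bot: `networking.nat.enable` here exists only to back the `forwardPorts` entry in forgejo.nix, but the option also switches on kernel IPv4 and IPv6 packet forwarding on a host whose only visible interface is the public `enp35s0`, and that intent is not recorded anywhere. A comment above the block, `# NAT is enabled solely for networking.nat.forwardPorts (forgejo SSH, port 22 -> 2223); note this also enables kernel IP forwarding`, would keep a later reader from adding `internalInterfaces` here without considering the consequences. With no `internalInterfaces`/`internalIPs` set no masquerade rule should be generated, so the added exposure is limited to the forwarding sysctl itself; if that matters, verify the `FORWARD` chain policy after deployment, since as far as I recall the iptables-based NixOS firewall does not filter forwarded traffic by default.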