From 3365a1652c716cd516050dab2474451cb6ac4dac Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Thu, 26 Feb 2026 00:16:39 -0800
Subject: [PATCH] restore `port` option

---
 common/network/pia-vpn/default.nix | 9 +++++++++
 common/network/pia-vpn/vpn-container.nix | 14 ++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/common/network/pia-vpn/default.nix b/common/network/pia-vpn/default.nix
index cd4edd8..98b92db 100644
--- a/common/network/pia-vpn/default.nix
+++ b/common/network/pia-vpn/default.nix
@@ -51,6 +51,15 @@ let
 receiveForwardedPort = mkOption {
 type = types.nullOr (types.submodule {
 options = {
+ port = mkOption {
+ type = types.nullOr types.port;
+ default = null;
+ description = ''
+ Target port to forward to. If null, forwards to the same PIA-assigned port.
+ PIA-assigned ports below 1000 are rejected to avoid accidentally
+ forwarding traffic to privileged services.
+ '';
+ };
 protocol = mkOption {
 type = types.enum [ "tcp" "udp" "both" ];
 default = "both";
diff --git a/common/network/pia-vpn/vpn-container.nix b/common/network/pia-vpn/vpn-container.nix
index 1413e78..890a17e 100644
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
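Review bot: The description of the new `port` option promises that "PIA-assigned ports below 1000 are rejected", but nothing in this hunk enforces it, and if that check lives elsewhere it presumably tests the PIA-assigned `$PORT`, not the value configured here — so a `port` of, say, 22 would be DNATed to a privileged service in the container with no rejection at all. Either narrow the type so the module itself refuses such values, e.g. `type = types.nullOr (types.ints.between 1024 65535);`, or add an `assertions` entry that fails evaluation for a low `port`, and reword the description to say which side of the forward the limit applies to. Note also that `types.port` admits 0, which would produce a `${targetIp}:0` DNAT target in the container rules. The enclosing `receiveForwardedPort` submodule continues outside the hunk.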
@@ -24,15 +24,17 @@ let
 let
 fwd = forwardingContainer.receiveForwardedPort;
 targetIp = forwardingContainer.ip;
+ dnatTarget = if fwd.port != null then "${targetIp}:${toString fwd.port}" else targetIp;
+ targetPort = if fwd.port != null then toString fwd.port else "$PORT";
 tcpRules = optionalString (fwd.protocol == "tcp" || fwd.protocol == "both") ''
- echo "Setting up TCP DNAT: port $PORT → ${targetIp}:$PORT"
- iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p tcp --dport $PORT -j DNAT --to ${targetIp}
- iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p tcp --dport $PORT -j ACCEPT
+ echo "Setting up TCP DNAT: port $PORT → ${targetIp}:${targetPort}"
+ iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p tcp --dport $PORT -j DNAT --to ${dnatTarget}
+ iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p tcp --dport ${targetPort} -j ACCEPT
 '';
 udpRules = optionalString (fwd.protocol == "udp" || fwd.protocol == "both") ''
- echo "Setting up UDP DNAT: port $PORT → ${targetIp}:$PORT"
- iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p udp --dport $PORT -j DNAT --to ${targetIp}
- iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p udp --dport $PORT -j ACCEPT
+ echo "Setting up UDP DNAT: port $PORT → ${targetIp}:${targetPort}"
+ iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p udp --dport $PORT -j DNAT --to ${dnatTarget}
+ iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p udp --dport ${targetPort} -j ACCEPT
 '';
 onPortForwarded = optionalString (forwardingContainer.onPortForwarded != null) ''
 TARGET_IP="${targetIp}"
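Review bot: The PREROUTING rule matches `$PORT` while the FORWARD rule now matches `${targetPort}`, which is correct (FORWARD sees the post-DNAT destination) but reads like a mistake, and the reason is stated nowhere; the two rule strings are also identical apart from the protocol, so the fix is easy to get out of sync. I would lift the rules into one helper with the asymmetry explained in a comment, as below. The FORWARD ACCEPT additionally admits any packet from `${cfg.interfaceName}` to `${targetIp}:${targetPort}` whether or not it was DNATed; if `targetIp` is only reachable through this forward that is harmless, but adding `-m conntrack --ctstate DNAT` to the FORWARD rule would tie the accept to the translation. The enclosing `let` binding set starts and the `onPortForwarded` string ends outside the hunk.
```nix
      # PREROUTING matches the PIA-assigned public port ($PORT); FORWARD is
      # evaluated after DNAT, so it must match the target port instead.
      rulesFor = proto: label: ''
        echo "Setting up ${label} DNAT: port $PORT → ${targetIp}:${targetPort}"
        iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p ${proto} --dport $PORT -j DNAT --to ${dnatTarget}
        iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p ${proto} --dport ${targetPort} -j ACCEPT
      '';
      tcpRules = optionalString (fwd.protocol == "tcp" || fwd.protocol == "both") (rulesFor "tcp" "TCP");
      udpRules = optionalString (fwd.protocol == "udp" || fwd.protocol == "both") (rulesFor "udp" "UDP");
      # … unchanged: onPortForwarded …
```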