diff --git a/common/network/pia-vpn/default.nix b/common/network/pia-vpn/default.nix
index 4484991..cd4edd8 100644
--- a/common/network/pia-vpn/default.nix
+++ b/common/network/pia-vpn/default.nix
@@ -51,10 +51,6 @@ let
 receiveForwardedPort = mkOption {
 type = types.nullOr (types.submodule {
 options = {
- port = mkOption {
- type = types.port;
- description = "Target port to forward PIA-assigned port to";
- };
 protocol = mkOption {
 type = types.enum [ "tcp" "udp" "both" ];
 default = "both";
diff --git a/common/network/pia-vpn/vpn-container.nix b/common/network/pia-vpn/vpn-container.nix
index 32ed038..1413e78 100644
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
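Review bot: Removing `port` changes the contract of `receiveForwardedPort` without saying so anywhere in the remaining options: the PIA-assigned port is now delivered to the same port number on the container, so the receiving service has to listen on whatever port PIA hands out instead of a fixed one. If the `receiveForwardedPort = mkOption {` line's own `description` (outside the hunk) does not cover this, add one, e.g. `description = "Receive the PIA-assigned forwarded port; it is DNATed to the same port number on this container, so the service must bind the port passed to onPortForwarded.";`. Any other machine still setting `receiveForwardedPort.port` should now fail evaluation with an undeclared-option error rather than be forwarded to a stale port, which is the safer failure mode but worth mentioning in the commit message.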
@@ -24,16 +24,15 @@ let
 let
 fwd = forwardingContainer.receiveForwardedPort;
 targetIp = forwardingContainer.ip;
- targetPort = toString fwd.port;
 tcpRules = optionalString (fwd.protocol == "tcp" || fwd.protocol == "both") ''
- echo "Setting up TCP DNAT: port $PORT → ${targetIp}:${targetPort}"
- iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p tcp --dport $PORT -j DNAT --to ${targetIp}:${targetPort}
- iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p tcp --dport ${targetPort} -j ACCEPT
+ echo "Setting up TCP DNAT: port $PORT → ${targetIp}:$PORT"
+ iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p tcp --dport $PORT -j DNAT --to ${targetIp}
+ iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p tcp --dport $PORT -j ACCEPT
 '';
 udpRules = optionalString (fwd.protocol == "udp" || fwd.protocol == "both") ''
- echo "Setting up UDP DNAT: port $PORT → ${targetIp}:${targetPort}"
- iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p udp --dport $PORT -j DNAT --to ${targetIp}:${targetPort}
- iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p udp --dport ${targetPort} -j ACCEPT
+ echo "Setting up UDP DNAT: port $PORT → ${targetIp}:$PORT"
+ iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p udp --dport $PORT -j DNAT --to ${targetIp}
+ iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p udp --dport $PORT -j ACCEPT
 '';
 onPortForwarded = optionalString (forwardingContainer.onPortForwarded != null) ''
 TARGET_IP="${targetIp}"
@@ -43,9 +42,13 @@ let
 '';
 in ''
- ${tcpRules}
- ${udpRules}
- ${onPortForwarded}
+ if [ "$PORT" -lt 1000 ]; then
+ echo "ERROR: PIA assigned privileged port $PORT (< 1000), refusing to set up DNAT" >&2
+ else
+ ${tcpRules}
+ ${udpRules}
+ ${onPortForwarded}
+ fi
 ''
 );
 in
diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix
index 8f918aa..053e011 100644
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
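Review bot: The rewritten PREROUTING and FORWARD rules in `tcpRules` and `udpRules` are still appended with `-A` and never removed, so if this script runs again after PIA reassigns a port (the `onPortForwarded` hook suggests it runs per assignment), the DNAT and ACCEPT rules for the previous port stay in the tables and the container keeps accepting traffic on ports PIA no longer forwards to it. Consider placing these rules in a dedicated chain that the script flushes before re-adding them, or guarding each `-A` with `iptables -C … || iptables -A …` and deleting the old port's rules when the port changes. This is inferred from the hunk alone; if the surrounding script already flushes these tables earlier, a comment saying so above `tcpRules` is enough. The enclosing `let` block continues past the end of this hunk.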
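Review bot: The new guard rejects only ports below 1000 while the privileged range ends at 1023, so an assignment in 1000–1023 passes even though the error text calls such ports privileged; and if `$PORT` ever arrives empty or non-numeric, `[ "$PORT" -lt 1000 ]` fails with a non-zero status that the `if` treats as false, so the bad value flows straight into the `iptables … --dport $PORT` rules in the else branch. Inverting the test covers both cases: `if ! [ "$PORT" -ge 1024 ] 2>/dev/null; then`, with the message changed to say `(not an integer >= 1024)`. The refusal is also only logged, so the script still exits 0 and the unit running it looks healthy; if the caller should notice, `exit 1` after the echo is the one-line fix. The enclosing `let` block starts in the previous hunk.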
@@ -63,17 +63,17 @@
 ip = "10.100.0.10";
 mounts."/var/lib".hostPath = "/var/lib";
 mounts."/data/samba/Public".hostPath = "/data/samba/Public";
- receiveForwardedPort = { port = 51413; protocol = "both"; };
+ receiveForwardedPort = { protocol = "both"; };
 onPortForwarded = ''
 # Notify Transmission of the PIA-assigned peer port via RPC
 for i in $(seq 1 30); do
- curlout=$(curl -s "http://$TARGET_IP:9091/transmission/rpc" 2>/dev/null) && break
+ curlout=$(curl -s "http://$TARGET_IP:80/transmission/rpc" 2>/dev/null) && break
 sleep 2
 done
 regex='X-Transmission-Session-Id: (\w*)'
 if [[ $curlout =~ $regex ]]; then
 sessionId=''${BASH_REMATCH[1]}
- curl -s "http://$TARGET_IP:9091/transmission/rpc" \
+ curl -s "http://$TARGET_IP:80/transmission/rpc" \
 -d "{\"method\":\"session-set\",\"arguments\":{\"peer-port\":$PORT}}" \
 -H "X-Transmission-Session-Id: $sessionId"
 fi
@@ -91,6 +91,7 @@
 "incomplete-dir-enabled" = true;
 "rpc-enabled" = true;
+ "rpc-port" = 80;
 "rpc-bind-address" = "0.0.0.0";
 "rpc-whitelist" = "127.0.0.1,10.100.*.*,192.168.*.*";
 "rpc-host-whitelist-enabled" = false;
@@ -231,7 +232,7 @@
 (mkVirtualHost "lidarr.s0.neet.dev" "http://servarr.containers:8686")
 (mkVirtualHost "sonarr.s0.neet.dev" "http://servarr.containers:8989")
 (mkVirtualHost "prowlarr.s0.neet.dev" "http://servarr.containers:9696")
- (mkVirtualHost "transmission.s0.neet.dev" "http://transmission.containers:9091")
+ (mkVirtualHost "transmission.s0.neet.dev" "http://transmission.containers:80")
 (mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
 (mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
 (mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
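Review bot: The `session-set` call that pushes `peer-port` to Transmission in `onPortForwarded` discards its response, so if the RPC rejects the request (stale session id, or a port Transmission cannot bind) the container quietly keeps its old peer port while the same-port DNAT in vpn-container.nix now points at `$PORT`, and forwarded traffic reaches nothing. Capture and check the reply: `resp=$(curl -s "http://$TARGET_IP:80/transmission/rpc" -d "{\"method\":\"session-set\",\"arguments\":{\"peer-port\":$PORT}}" -H "X-Transmission-Session-Id: $sessionId")` followed by `[[ $resp == *'"result":"success"'* ]] || echo "Transmission rejected peer-port $PORT: $resp" >&2`. Separately, `(\w*)` also accepts an empty match, so a changed 409 body would produce an empty `sessionId` instead of a visible failure; `(\w+)` is the safer pattern.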
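Review bot: `"rpc-port" = 80;` carries no comment explaining why the RPC listener moved to a privileged port, and the reason looks load-bearing: with the same-port DNAT introduced in vpn-container.nix, any listener in this container on a port PIA could assign becomes reachable from the VPN interface, and only that script's refusal of low ports keeps the RPC listener out of reach. If that is the intent, record it next to the setting, e.g. `# Kept below the range vpn-container.nix will DNAT, so a PIA-assigned port can never land on the RPC listener`. Binding port 80 also requires the Transmission service inside the container to run as root or hold CAP_NET_BIND_SERVICE, which this hunk does not show; worth confirming the NixOS module grants it. `rpc-bind-address` stays `0.0.0.0`, so the IP-based `rpc-whitelist` below remains the only access control on this listener.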