From a271e892c3ef8be5307383fc6a246134a03435cb Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Sat, 1 Mar 2025 23:02:03 +0000
Subject: [PATCH] Add haproxy/mmproxy combo
Signed-off-by: Nikolaos Karaolidis
---
 hosts/jupiter-vps/configs/haproxy/default.nix | 26 +++++++++
 .../jupiter-vps/configs/wireguard/default.nix | 54 +++++--------------
 hosts/jupiter-vps/default.nix | 2 +
 hosts/jupiter/configs/mmproxy/default.nix | 42 +++++++++++++++
 hosts/jupiter/default.nix | 1 +
 packages/default.nix | 2 +
 packages/go-mmproxy/default.nix | 15 ++++++
 7 files changed, 101 insertions(+), 41 deletions(-)
 create mode 100644 hosts/jupiter-vps/configs/haproxy/default.nix
 create mode 100644 hosts/jupiter/configs/mmproxy/default.nix
 create mode 100644 packages/go-mmproxy/default.nix
diff --git a/hosts/jupiter-vps/configs/haproxy/default.nix b/hosts/jupiter-vps/configs/haproxy/default.nix
new file mode 100644
index 0000000..f4ba9e8
--- /dev/null
+++ b/hosts/jupiter-vps/configs/haproxy/default.nix
@@ -0,0 +1,26 @@
+{ ... }:
+{
+ # TODO: Some way to automatically configure?
+ services.haproxy = {
+ enable = true;
+ config = ''
+ global
+ maxconn 4096
+
+ defaults
+ mode tcp
+ timeout connect 5s
+ timeout client 30s
+ timeout server 30s
+
+ frontend http
+ bind *:80
+ bind *:443
+ default_backend main
+
+ backend main
+ server jupiter 10.0.0.2:80 send-proxy-v2
+ server jupiter_ssl 10.0.0.2:443 send-proxy-v2
+ '';
+ };
+}
diff --git a/hosts/jupiter-vps/configs/wireguard/default.nix b/hosts/jupiter-vps/configs/wireguard/default.nix
index 8980d8d..814abce 100644
--- a/hosts/jupiter-vps/configs/wireguard/default.nix
+++ b/hosts/jupiter-vps/configs/wireguard/default.nix
@@ -1,12 +1,6 @@
-{
- config,
- inputs,
- pkgs,
- ...
-}:
+{ config, inputs, ... }:
 let
 jupiterConfig = inputs.self.nixosConfigurations.jupiter.config;
- publicInterface = "ens3";
 wireguardPort = 51820;
 in
 {
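Review bot: In the new hosts/jupiter-vps/configs/haproxy/default.nix, `backend main` lists `10.0.0.2:80` and `10.0.0.2:443` as two servers of one backend while `frontend http` binds both `*:80` and `*:443`, so HAProxy will balance a connection that arrived on 443 onto the port-80 server (and vice versa) instead of preserving the port; in `mode tcp` that breaks roughly half of all TLS handshakes. Use one frontend/backend pair per port as below, or keep a single frontend and pick the backend with `use_backend https if { dst_port 443 }`. Because both servers carry `send-proxy-v2`, whatever listens on 10.0.0.2:80/443 must accept the PROXY protocol — presumably the go-mmproxy side of this commit — and that expectation deserves a comment next to the `server` lines since a plain HTTP server there would reject every request. The `TODO` at the top could be answered the same way wireguard/default.nix already handles UDP ports: derive the `bind`/`server` lines from jupiter's firewall port list via `jupiterConfig` instead of hard-coding 80 and 443.
```nix
      # … unchanged: global and defaults sections …
      frontend http
        bind *:80
        default_backend http

      frontend https
        bind *:443
        default_backend https

      backend http
        server jupiter 10.0.0.2:80 send-proxy-v2

      backend https
        server jupiter 10.0.0.2:443 send-proxy-v2
```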
@@ -20,40 +14,18 @@ in allowedUDPPorts = [ wireguardPort ] ++ jupiterConfig.networking.firewall.allowedUDPPorts; }; - wireguard.interfaces.wg0 = - let - iptables = "${pkgs.iptables}/bin/iptables"; - in - rec { - ips = [ "10.0.0.1/24" ]; - listenPort = wireguardPort; - privateKeyFile = config.sops.secrets."wireguard".path; + wireguard.interfaces.wg0 = { + ips = [ "10.0.0.1/24" ]; + listenPort = wireguardPort; + privateKeyFile = config.sops.secrets."wireguard".path; - postSetup = [ - "${iptables} -t nat -A PREROUTING -i ${publicInterface} -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN" - "${iptables} -t nat -A PREROUTING -i ${publicInterface} -p udp --dport ${builtins.toString listenPort} -j RETURN" - "${iptables} -t nat -A PREROUTING -i ${publicInterface} -j DNAT --to-destination 10.0.0.2" - "${iptables} -t nat -A POSTROUTING -d 10.0.0.2 -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN" - "${iptables} -t nat -A POSTROUTING -d 10.0.0.2 -p udp --dport ${builtins.toString listenPort} -j RETURN" - "${iptables} -t nat -A POSTROUTING -d 10.0.0.2 -j SNAT --to-source 10.0.0.1" - ]; - - postShutdown = [ - "${iptables} -t nat -D PREROUTING -i ${publicInterface} -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN" - "${iptables} -t nat -D PREROUTING -i ${publicInterface} -p udp --dport ${builtins.toString listenPort} -j RETURN" - "${iptables} -t nat -D PREROUTING -i ${publicInterface} -j DNAT --to-destination 10.0.0.2" - "${iptables} -t nat -D POSTROUTING -d 10.0.0.2 -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN" - "${iptables} -t nat -D POSTROUTING -d 10.0.0.2 -p udp --dport ${builtins.toString listenPort} -j RETURN" - "${iptables} -t nat -D POSTROUTING -d 10.0.0.2 -j SNAT --to-source 10.0.0.1" - ]; - - peers = [ - { - name = "jupiter"; - allowedIPs = [ "10.0.0.2/32" ]; - publicKey = 
"Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU="; - } - ]; - }; + peers = [ + { + name = "jupiter"; + allowedIPs = [ "10.0.0.2/32" ]; + publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU="; + } + ]; + }; }; } diff --git a/hosts/jupiter-vps/default.nix b/hosts/jupiter-vps/default.nix index 9c9e286..9b92d04 100644 --- a/hosts/jupiter-vps/default.nix +++ b/hosts/jupiter-vps/default.nix @@ -7,6 +7,7 @@ ./hardware ../common/configs/system/impermanence + ../common/configs/system/neovim ../common/configs/system/nix ../common/configs/system/nixpkgs ../common/configs/system/sops @@ -16,6 +17,7 @@ ../common/configs/system/zsh ./configs/boot + ./configs/haproxy ./configs/sshd ./configs/wireguard ]; diff --git a/hosts/jupiter/configs/mmproxy/default.nix b/hosts/jupiter/configs/mmproxy/default.nix new file mode 100644 index 0000000..e4ceae6 --- /dev/null +++ b/hosts/jupiter/configs/mmproxy/default.nix 
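Review bot: With the DNAT/SNAT rules removed in this hunk, the only public traffic that still reaches jupiter is what HAProxy proxies (TCP 80 and 443), yet the context line `allowedUDPPorts = [ wireguardPort ] ++ jupiterConfig.networking.firewall.allowedUDPPorts;` still opens every UDP port jupiter exposes on the VPS firewall, where nothing listens or forwards any more; trim it to `allowedUDPPorts = [ wireguardPort ];` and, if the TCP list above the hunk is built the same way, restrict it to the two HAProxy ports. The removed rules also dropped the `publicInterface`-scoped RETURN exceptions that kept the VPS's own SSH and WireGuard ports out of the forward path; that concern disappears with the DNAT, but a short comment on `wireguard.interfaces.wg0` noting that exposure of jupiter is now decided solely by the HAProxy config would stop someone re-adding forwarding rules later. The `networking` attribute set enclosing this hunk begins above it.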
@@ -0,0 +1,42 @@ +{ + inputs, + system, + pkgs, + ... +}: +let + selfPkgs = inputs.self.packages.${system}; +in +{ + environment.systemPackages = [ selfPkgs.go-mmproxy ]; + + boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1; + + networking = { + iproute2 = { + enable = true; + rttablesExtraConfig = '' + 100 mmproxy + ''; + }; + + localCommands = + let + ip = "${pkgs.iproute2}/bin/ip"; + iptables = "${pkgs.iptables}/bin/iptables"; + in + '' + ${iptables} -t mangle -D PREROUTING -m mark --mark 100 -m comment --comment mmproxy -j CONNMARK --save-mark || true + ${iptables} -t mangle -I PREROUTING -m mark --mark 100 -m comment --comment mmproxy -j CONNMARK --save-mark + + ${iptables} -t mangle -D OUTPUT -m connmark --mark 100 -m comment --comment mmproxy -j CONNMARK --restore-mark || true + ${iptables} -t mangle -I OUTPUT -m connmark --mark 100 -m comment --comment mmproxy -j CONNMARK --restore-mark + + ${ip} rule del fwmark 100 lookup 100 || true + ${ip} rule add fwmark 100 lookup 100 + + ${ip} route del local 0.0.0.0/0 dev lo table 100 || true + ${ip} route add local 0.0.0.0/0 dev lo table 100 + ''; + }; +} diff --git a/hosts/jupiter/default.nix b/hosts/jupiter/default.nix index d6b8854..082e20c 100644 --- a/hosts/jupiter/default.nix +++ b/hosts/jupiter/default.nix @@ -26,6 +26,7 @@ ../common/configs/system/users ../common/configs/system/zsh + ./configs/mmproxy ./configs/wireguard ./users/storm diff --git a/packages/default.nix b/packages/default.nix index 9b03fe3..322976e 100644 --- a/packages/default.nix +++ b/packages/default.nix 
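Review bot: hosts/jupiter/configs/mmproxy/default.nix only places `selfPkgs.go-mmproxy` into `environment.systemPackages` and installs the fwmark-100 policy routing; nothing in this commit starts go-mmproxy, so the `send-proxy-v2` connections HAProxy opens to 10.0.0.2:80/443 will land on whatever currently listens there and fail on the PROXY header. Add a `systemd.services.go-mmproxy` unit (it needs CAP_NET_ADMIN for the transparent sockets) whose `ExecStart` runs go-mmproxy with `-mark 100`, so its spoofed-source packets hit the `${ip} rule add fwmark 100 lookup 100` rule added here, and with `-allowed-subnets` pointing at a file that lists only the tunnel peer `10.0.0.1/32`: mmproxy rewrites the connection's source address to whatever the PROXY header claims, so any host that can reach its listener without that restriction can forge client IPs in logs and in IP-based ACLs downstream. The real HTTP/TLS service on jupiter must then move off 10.0.0.2:80/443 (or bind only to the address mmproxy forwards to), which this hunk does not show. A one-line comment above `localCommands`, e.g. `# Standard go-mmproxy routing: replies to mmproxy-marked (fwmark 100) sockets go back via lo (table 100) instead of the default route; needs route_localnet=1`, would explain the `ip route add local 0.0.0.0/0 dev lo table 100` line to the next reader.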
@@ -9,6 +9,8 @@ darktable-hald-clut = import ./darktable/hald-clut { inherit pkgs; }; darktable-lua-scripts = import ./darktable/lua-scripts { inherit pkgs; }; + go-mmproxy = import ./go-mmproxy { inherit pkgs; }; + obsidian-plugin-better-word-count = import ./obsidian/plugins/better-word-count { inherit pkgs; }; obsidian-plugin-dataview = import ./obsidian/plugins/dataview { inherit pkgs; }; obsidian-plugin-excalidraw = import ./obsidian/plugins/excalidraw { inherit pkgs; }; diff --git a/packages/go-mmproxy/default.nix b/packages/go-mmproxy/default.nix new file mode 100644 index 0000000..9c21193 --- /dev/null +++ b/packages/go-mmproxy/default.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: +# AUTO-UPDATE: nix-update --flake --version=branch=master go-mmproxy +pkgs.buildGoModule rec { + pname = "go-mmproxy"; + version = "2.1-unstable-2023-11-20"; + + src = pkgs.fetchFromGitHub { + owner = "path-network"; + repo = "go-mmproxy"; + rev = "006247ca7ec618d2aff02052bac839ca769991a1"; + hash = "sha256-sU0OYpJ0b/Fq5CzCA0TtC368LOyYCUkXt0pS4IEv8Ak="; + }; + + vendorHash = null; +}
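Review bot: packages/go-mmproxy/default.nix pins an untagged master commit (`rev = "006247ca7ec618d2aff02052bac839ca769991a1"`, `version = "2.1-unstable-2023-11-20"`) while the `# AUTO-UPDATE: nix-update --flake --version=branch=master go-mmproxy` comment invites a tool to move that pin to whatever master holds next; for a binary that will presumably run with CAP_NET_ADMIN on the host's public-facing path, that is a supply-chain decision worth making explicit — track release tags if upstream publishes them, or drop the auto-update hint so the rev only moves under review. `vendorHash = null;` asserts that the module has no dependencies to vendor; that is fine if upstream's go.mod really has none, but the build will fail at the next bump if a dependency appears, so a comment stating why it is null helps. The derivation also lacks a `meta` block (`description`, `license`, `mainProgram = "go-mmproxy"`), which the service unit that should consume this package would benefit from.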