From a7052e1b8f99dbcf6a95d15f2ef537f3a2f0382b Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Tue, 17 Jun 2025 12:01:37 +0100
Subject: [PATCH] yevaud/pennykettle: Run SOCKS server
---
 hosts/yevaud/experiments/pennykettle.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix
index a8e2d45..77e6b23 100644
--- a/hosts/yevaud/experiments/pennykettle.nix
+++ b/hosts/yevaud/experiments/pennykettle.nix
@@ -59,7 +59,7 @@
 };
 routes = [
 { Gateway = [ "0.0.0.0" ]; }
- { Gateway = [ "::" ]; }
+ { Gateway = [ "::" ]; } # TODO: ipv6 out is still not working for unclear reasons
 ];
 };
@@ -81,6 +81,11 @@
 }];
 };
 };
+
+ networking.nat.enable = true;
+ networking.nat.enableIPv6 = true;
+ networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
+ networking.nat.externalInterface = "wg-protonvpn";
 };
 };
@@ -90,4 +95,16 @@
 group = "systemd-network";
 mode = "640";
 };
+
+ # TODO: password-protect the proxy instead of relying on only listening over Tailscale
+ services.microsocks = {
+ enable = true;
+ port = 1080;
+ ip = "::";
+ outgoingBindIp = "fc00::2";
+ # authUsername = "testusername123";
+ # authPasswordFile = pkgs.writeText "testpassword" "testpassworddonotuse";
+ # execWrapper = "${lib.getExe pkgs.strace}";
+ };
+ networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1080 ];
 }
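Review bot: The four `networking.nat.*` lines added in the second hunk do not say what should happen to traffic from `ve-pennykettle1` when `wg-protonvpn` is down, and nothing visible here shows whether it is dropped or leaves by another route. If the intent is that this traffic only ever exits through the VPN, a comment such as `# NAT for ve-pennykettle1 must egress via wg-protonvpn only; no fallback uplink` would record that and make a later fail-open change easier to spot. `networking.nat.enableIPv6 = true;` is also switched on while the TODO in the first hunk says IPv6 egress does not work yet, so a short note beside it on the expected state would help. The enclosing block starts and ends outside the hunk.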
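Review bot: The microsocks service added in the third hunk listens on every address (`ip = "::"`) with no authentication, so the `tailscale0` firewall rule is the only thing keeping it private. That rule does nothing against local processes, containers on the host, or any interface the firewall is configured to trust. Until the TODO is done, binding the listener to the host's Tailscale address, e.g. `ip = "<this host's Tailscale address>";` (placeholder), would remove the dependence on firewall state. The commented-out `authPasswordFile = pkgs.writeText …` line is not a safe template for enabling auth, because `pkgs.writeText` puts the password in the world-readable Nix store; it should point at a runtime secret path, as the declaration just above this hunk appears to do for another file. The commented `execWrapper` strace line looks like debugging residue and can be removed.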