From 7a4372dfe74e3c4839385df66696afb9ba3d9ec1 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan <jackos1998@gmail.com>
Date: Mon, 1 Jan 2024 16:28:04 +0000
Subject: [PATCH] nixos/whale2: Add Minecraft server

---
 lib/constants.nix                             |   4 ++
 nixos/boxes/colony/vms/estuary/default.nix    |   3 +-
 nixos/boxes/colony/vms/estuary/dns.nix        |   2 +
 .../vms/shill/containers/middleman/vhosts.nix |   5 ++
 nixos/boxes/colony/vms/whale2/default.nix     |   2 +
 .../colony/vms/whale2/minecraft/default.nix   |  51 ++++++++++++++++++
 .../colony/vms/whale2/minecraft/icon.png      | Bin 0 -> 5516 bytes
 nixos/modules/firewall.nix                    |   2 +-
 8 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 nixos/boxes/colony/vms/whale2/minecraft/default.nix
 create mode 100644 nixos/boxes/colony/vms/whale2/minecraft/icon.png

diff --git a/lib/constants.nix b/lib/constants.nix
index 21aceec..7439c36 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -169,6 +169,10 @@ rec {
         port = 8448;
         dst = aa.middleman.internal.ipv4.address;
       }
+      {
+        port = 25565;
+        dst = aa.simpcraft-oci.internal.ipv4.address;
+      }
 
       {
         port = 2456;
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index d86402c..f06973c 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -393,7 +393,8 @@ in
                       # Safe enough to allow all SSH
                       tcp dport ssh accept
 
-                      ${matchInet "tcp dport { http, https, 8448 } accept" "middleman"}
+                      ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept
+                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport 25565 accept
                       return
                     }
                     chain routing-udp {
diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix
index f213a66..7748158 100644
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -148,6 +148,8 @@ in
 
             valheim IN A ${assignments.internal.ipv4.address}
             valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}
+            simpcraft IN A ${assignments.internal.ipv4.address}
+            simpcraft IN AAAA ${allAssignments.simpcraft-oci.internal.ipv6.address}
 
             mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
             mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
index bfef99a..77ee9b6 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -352,6 +352,11 @@ in
         locations."/".proxyPass = "http://git-vm.${domain}:3000";
         useACMEHost = pubDomain;
       };
+
+      "mc-map.${pubDomain}" = {
+        locations."/".proxyPass = "http://simpcraft-oci.${domain}:8100";
+        useACMEHost = pubDomain;
+      };
     };
 
     minio =
diff --git a/nixos/boxes/colony/vms/whale2/default.nix b/nixos/boxes/colony/vms/whale2/default.nix
index 6901b95..dd6b157 100644
--- a/nixos/boxes/colony/vms/whale2/default.nix
+++ b/nixos/boxes/colony/vms/whale2/default.nix
@@ -50,6 +50,7 @@ in
       };
     }) {
       valheim-oci = 2;
+      simpcraft-oci = 3;
     };
 
     configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@@ -63,6 +64,7 @@ in
           "${modulesPath}/profiles/qemu-guest.nix"
 
           ./valheim.nix
+          ./minecraft
         ];
 
         config = mkMerge [
diff --git a/nixos/boxes/colony/vms/whale2/minecraft/default.nix b/nixos/boxes/colony/vms/whale2/minecraft/default.nix
new file mode 100644
index 0000000..7b54d01
--- /dev/null
+++ b/nixos/boxes/colony/vms/whale2/minecraft/default.nix
@@ -0,0 +1,51 @@
+{ lib, config, allAssignments, ... }:
+let
+  inherit (lib) concatStringsSep;
+  inherit (lib.my) dockerNetAssignment;
+
+  # devplayer0
+  op = "6d7d971b-ce10-435b-85c5-c99c0d8d288c";
+in
+{
+  config = {
+    virtualisation.oci-containers.containers = {
+      simpcraft = {
+        image = "ghcr.io/itzg/minecraft-server:2023.12.2-java17-alpine";
+
+        environment = {
+          TYPE = "paper";
+
+          EULA = "true";
+          MOTD = "§4§k----- §9S§ai§bm§cp§dc§er§fa§6f§5t §4§k-----";
+          ICON = "/ext/icon.png";
+          DIFFICULTY = "normal";
+
+          WHITELIST = concatStringsSep "," [
+            op
+            "dcd2ecb9-2b5e-49cb-9d4f-f5a76162df56" # Elderlypug
+            "fcb26db2-c3ce-41aa-b588-efec79d37a8a" # Jesthral_
+            "1d366062-12c0-4e29-aba7-6ab5d8c6bb05" # shr3kas0ras
+            "703b378a-09f9-4c1d-9876-1c9305728c49" # OROURKEIRE
+            "f105bbe6-eda6-4a13-a8cf-894e77cab77b" # Adzerq
+            "1fc94979-41fb-497a-81e9-34ae24ca537a" # johnnyscrims
+          ];
+          OPS = op;
+
+          MAX_MEMORY = "4G";
+          MODRINTH_PROJECTS = concatStringsSep "," [ ];
+
+          TZ = "Europe/Dublin";
+        };
+
+        volumes = [
+          "minecraft_data:/data"
+          "${./icon.png}:/ext/icon.png:ro"
+        ];
+
+        extraOptions = [
+          ''--network=colony:${dockerNetAssignment allAssignments "simpcraft-oci"}''
+        ];
+      };
+    };
+  };
+}
diff --git a/nixos/boxes/colony/vms/whale2/minecraft/icon.png b/nixos/boxes/colony/vms/whale2/minecraft/icon.png
new file mode 100644
index 0000000000000000000000000000000000000000..19829c332381142bb1f4fb2d3acef0a88e0aa65b
GIT binary patch
literal 5516
zcmV;76?5u|P)<h;3K|Lk000e1NJLTq002M$002M;1^@s6s%dfF0004mX+uL$Nkc;*
zaB^>EX>4Tx04R}tkv&MmP!xqvQ$>-ggB?UVWT;MdQ4w*fRVYG*P%E_RVDi#GXws0R
zxHt-~1qXi?s}3&Cx;nTDg5VE`vxAeOi<Ed@QfLw54Uc@BchBLy`v9R)VVczy2Q=L_
z)5(OG&8><(uL#gLfLTOjW*Kvml!9-4-BT~sU5sb>_x)M@YTjZ%KqQVc!?cMvh^IGg
zgY!Odn3ZIe_?&p$qyrK^a$WKGjdRgufoF!zOnRO;Oe_{VSm|I^GBx5U;;5?WlrLmG
zRyl8R)+#mDIw!wjD6g+9bDdTMNi1Rs5=1Ddp^OS_#OSY+Vj)fY2_OH6>zBx-kgE(v
zjs;YqL3aJ%Z}5AzR$+3&O9~}`?ia`T7zKKEfo9!tzK<QJc>)BVfh)c3uQq_0Ptxmc
zEqVkDZUYzBZB5w&E_Z<8Cqp)6R|?V+3I*W(jGie64BY~KYu?;i`#607GBm5y4RCM>
zj1?(+-RIuDopbxQr!~JHoHKH_?pry@00006VoOIv00{sU04UoF5N`kg010qNS#tmY
zE+YT{E+YYWr9XB6000McNliru=m7x_01`|3OYZ;x02y>eSad^gZEa<4bO1wgWnpw>
zWFU8GbZ8()Nlj2!fese{025?ML_t(|+U=WpkQ~L8#(yvC=yMLuq5D7@A#sF+kT|>`
zV-9ne0NV?(V9ZU#Mqq=@8R0YR@P!w!%`VuBcNZ^~FoZE)0bXMW*tIbrFo??tb7~}X
zp^-*&cK7sARhj!oRd-j<AtYH?cy}`*r@Ci)s`7pL-uGU9nGOHPn|x3PlD}(y8k;V$
zWG+H0NHYA3DWe%Q+Pp(RclLsH`TrFF<X3iOaO4!R<TNZf7E2Bm3xyI;fJ8$x1~i}z
zCO{LIw+PJBCNPf>@JRN8b-BMP0P;VZzf5dChb?D|tFkzP*a|E_NjRd>qcTy~AsEIp
z;Au=nkKmhC#^<)|1?!&sKm(A!tLrc<xlvp>MUs}_3gW0}wn1b9<41vDjETSie2pm^
zOi3G4(T@_CFJ>?7e)$6hKz>D68pU_SRiBfTvPde#4GkBO8UVGCL^#ymNA`w4;@%K}
zp}|x%lr*NO1LNs`!sn~mOS+5u9f16bu7z0qha}aZlD3ef0$b{a*JeM8d6{5T4aOTx
z3<L}qZNN8}lE#b#n37(L=B(^R-Rt%n0Qr?&%TfGF($*x&SV%%4u{aksD&}iIOdJ9=
z!(*IabnJBirmQiA08`X`_~wl4#od2+-vAh1+0`OS+1(EhnEb{d5qLgULV1fW?l{y+
z@M}q1S;<DmtNN_hj8`$EmDEQx5eX6zVHJ#Ob}&E?g@rbC5DGz#fRnNpcdywe0OVKB
zp8@6~;B??Hps6~nz%%`o5xu_98>};B{RyW{Wm3};B&WMrNj28+S_q5+Vssdo(Ii-P
z{V4u*42bBp2_g{k0j3b_z;IOdqVA1*4M2Y7{3bBp1}+EO_xijJ45hrLTrr3(B&RxL
zX1J(CBM?$0zzB#jAdKPw6HA3*>^B-tFbagC#^iiVF<4W{?L4;aieYc`SgqZN<;B47
zfzxWA7r>UVTT!nSE+9&9k_tDe&>Fm=rab7Qk_soIz><&;EW+1SFk-~m&|_p75~wtg
zr_{Vg8XZVU2$XMT2v+604-P-EM;?%0IsYgyj{+?rT!JJdOk+-1yogB1%$ksiD;iVQ
z;G5dal`00$fH*>;(<U=Jf!K{6&`<|V!~v$B`f46foAr<ctFuoKT|I-&`RL)wNO@rE
zK^<3ln|I3t@+-S$1CIl32uM<)nru|oMp71%5R@aKA&!6>0wYN)1jv$_yV{nZln_W*
z#ckSBCOg@|aU}%N8mAr@Jxwv7MCu=Uqr1eU77L}~voG~)R8)vBj`2y|`0J5};<r}g
zviqIW6>vAuiGZXnq{T*>Lc=98oLH{{A&#KZ3e{qxCOJr2frJi|RPf5%CI0aTy}Y(2
zAG)z6dq%}V4YZMx=DM%;aL2uU1lrVjB}THMKwN=@LOF?xdvCEi-V*?2r7i=OSB+QA
zHj+}|VC^t|rE2u(?u7gxjv#4;YITsT1qy5fRz-8rp$X=;I~04oz0bi4vP~A(Ue(V1
z59YY>_U-fy`7scxAtklYwNi<cD0SX0Lm<C$egaqpG)q#2GoP#)AI(@qVq!%I$2v+P
zH;qV1MPMKpPcx(4;oyT)*eQkf49XI$l-ld1+`QRIT3UtsR^@o;zjGv#(As2?Nm&h!
zB}TvpUGg(GK2-YYgd~_>*>w@H0!vV>Hj=eMcaPjoR0LZ!e^>7kuhgokDTonLMWcs(
zOfCSR(qe-R$`&$nq7=C|&4kZ*?TsRL{H&i>*Omd8HPhz&Gg~-rSvGvWXD~UR%JxCu
z%k{N)Uh5A7*yG&tG6+ep=JqNwzLvJ)DNAA~SJ&<mUd4b227|aEiE1CrNPs;O;5S=f
zptQp$J<Hu|FAyahvM|NXUz^T`jb*wwl-beilg(O<snij~b!<^A1AaFKfc%PioxpMw
zNGe>o)Qnd&<Zl^g?OrGt?tQSIz=uzKw1tjIHi7}FAPCZIfv-^&gYpbmf-Y;kT!7PL
z?KKDpSeDQ=CqdWD1jdijVqn5-EaCW-V`EIPWLy9cIUcaYQMLNLHrr9m*FcCbXQTF;
z-wpBeUkn5A#M1?C`NnkGnj;X5U`*&)WNplVhgHz{NreEFfdHpEV|(KTBACeIh+l~<
zw3HyW1u$=-Ebt)!+^D*Xm#j+I-siLWg**epK}3d)726|^)zzu(Jpn)cWq+;Os{$xi
zm>ndk5Z|E6It=B&;1z;DPum(-SBRzA$eY2;m<WJH2sOc?7CTB9E(Bcl)vbK<yF0l2
z+Rbd-Qfc_dATVs-78;ODg-?9+u>xDRdq^yMpu&n!GGS^|Bf54EKlf(>F#5HO^MP>H
z**Xybvr$qLEhI)De|o#fKz}&cfj-R*-|L}Nst;Z%A(0Fp^21wZaP?JTz0o)5H>OQ1
ztmP$AhNNQ14F$aVR*`a1qbp{7vNy19Lz$iZ{)8Cp?DyH)Q`v=wNLWgTK|C%1oi#U+
z_yPpB^)^0u{W_1;&*fwE0VkZ0A(<3rOmjK?<QBg3t*I<rkgBK7m?nTNA<+uF`9gso
z{jiUx))eq#9uaS^zFy=rS8n0&uh`7m*T<?|FTOIuWmjzGvMaW*eq(t8O|h1%Ypymr
z4K_6_Nu?18fKyJ(uw+r1n{Mvq#XpX4(s9kTf4=0??VNIAGqxRm_^73s@Y%kJ1QAmQ
zKnW&kffaDzj0BKl=2VBEq{m&NOlq|df&8%M+Uwutl+!XCxio{;hG(8D@c3^>LW69f
zDQh)q39&cE*MJOF-;V~sZXk`A`%IhS0C4QlS&lg>i)BGDDrB3o77OQ(9lTf)>UJvb
z1t#PIS7>WeTzGyf2hL4k0)zGq%5EIQ%;_%IU)Raa-|G$e<&gr9K2jL-tS?>LL1&wd
z@oOf>)FjZJ2e5S_4;aCa8IN3+E=qIWc`YoQA8y#3_~GU~BdD73rh#C^RhSXYv5V8S
zXX(mV002%op_z_$n;+k?lMUUC>xcylT`s?*okQm*LwT$!pU1=$qYb)T0a!l~0R3Px
zjKf38q~fykJN7D1mpA7rZyF$d$W)YVHK;%)+8dCHsjFX}nebjq7pJ-XmRW4tT485j
z$V;7VHnXO>s3_cw8LJ}@>4v(L2jt}{GNVbbw<a%*CrFw-v|JlTUhk*0<y6wgucoxA
zYb?Lmk!Qq=*8Z*^WLd)8*$Iw3Jj0PoGR&FbhT@NI+&37lB%892t`vPyiRUNE0&j#1
z853j8y))kHD>3xMJ80`VTF<%}cltu!Egu`EA!)4RMS=LHu7mDLIiSap$*W4SF?AKm
zH~6^`fM+_cDh^Ks!0Q+yIjb%|*ZZzfFuta;t-$c=O%z@|ob*Q?r}^a1BW{YPpM0GA
z?*1ma<d0E#5DA}Iy^l7#ZM>=O7iu%c<?GUU7*_sJKfo^=S--J8iwT#mMu#gkiEg5c
zK80ttpfU-p<|N9s!c^vKblE2u7$F$Y*auuk>TgcRowFEG;q701{#m|$<=HejDqJ2r
zqYL>_p;q-cc@N_Q6VnDqtHh=*p9cnicm(YgOCt6?;7<U6$TJw@Q85mIsV{4d!S5@Q
zI{HCW%QS+aZRlJ-#xEl2G)}gS#F8mE9kUQO9V?Fm9((xLeDBMbVzkdt03(5_Z6=I~
zEz?-}iA=Cb8k_OaM%QHV*ws`t-p-wX{Iuh0f9HfAkiBqSKEJZ-N#mOnjb{+Ix&aZc
zqSkL8WZvAPNKId`>rgO;b#J}FU3dI5s~=v`V3cyySay!unpZ|JQN?JtT8#l}LXq>J
zt|V=dj?kzE*HvNSVc{FRojG)+Pz39SFh@=t0s!|Dm=jG&W0F;M7p&$4Z>_wLuYG$V
zXPk2>i<T^9+VmNuGZ}2lqF5?3IMC0!x8CHjhwkT(Ppukr<K`AcI;k4sy+&RJZn<@5
zn8Jab6A<Cz#V)shcXmyD87+x7Y?NpSauq5&w*m5<&TE3rjH&#_PT#$V{D5NMkg-Bh
zBnV5{!;Wd^w#VM&u3Nv@;Hw6W$a{+!M=VW-;T~t`NY^ivbi81ju=Vr=7|$Rw&dyML
zZ$KOLh);RTRxtWmux=VX`{M$Ty?A|Zer4Ax<C$|!F$lE*B@n=jt}Gv3mgmVA%5mO6
z*gYlZ@IzCLn;H>8p$!3W>Z#fKu2WKt;Re?gjyo!gm<fz;*cJ;YZG0E)m9~R*PUkhj
zxDvEIfzWshaIP8ANXkSKb9nvqIqj@|>0Pwm^NMis!qk|(JyQwaw;!~COBQK@+-966
z3pXZ@nNjBh2uy5~w4Ms9#_JKE(mU^>OSxgeI-}#7VAC$t^|38`ard*pqo$(Kg`no9
z1Tc5H%XOb=ANOWSE5VhEPvA!<p3ChgeTr)j|0r#Vkn=xwa)znxPGgGl4OBuTt<Fx;
zT?bO>4|NC=n6Ueim-x{k2tO*6s(N3fIum_17%Efjeg|F3^@2LN<C@_4T}_I;i@$vV
z!%3zPSSC>w{lmO{;?Yg?4+i|??!h{eqWJoUKF0h>b#OXnWH_jOGC%&)lbm;^iLrCE
zk6#Hp2v$cs;@YGRI0%364J=1Zus=BJd_d#@#?yE`LsWXVfiZs+an9<v+FSo#UO8d#
z-f;gw&zJwUZ8Dmp2n^yxCp;ufM+eVO(m7f2?2Dl|ady`-j+-^N25a^lpY-uU(}E<+
zk4VrmsXsiyp`#h|3??5ySz~q1!kIe<MB%h%8R_1N!b3SyckNhJSNmNx&Gi*1ZP-GP
z8wfzYFXEoxakbaGJ7H<R$EL%V5I$x~dY&HkQOXW?c#J_TIQ7_O795aZ#i{{5l$u>f
zb&8KW8?Y?gW(#-TTy&v@ptl>7?+sl$Jk%6=&$MZEPIX+ehaFCC^;0Bg*x})d_yLJ%
zeQ!!W-ar9wXD_Bw26zP27do%euRvwrof6Bh=sFtV2?SR%7OKS#HybT!IPu}<rb1yl
zIu8UnlFQn#r?$pICrWYoLHsQn@Hf4KDQdJfc&Rofo%|8Rswz1?#r2yhyz~;OnGRM`
zVY~oc^au(i{Gl9rWH{6>kX0bJc3z{`yl>|O^DDb91%84clD3fM#&bU^k-(WU59}l;
z7hNe)dT9{%kOQzgGUJ!>xdPtCE#zKa`%<xIb7%7jXUu3>cA(UjgSx`-^KUWy<R5UG
zMo^AdEfF?=JcX!-l}i7n{qwoM%t_Jw%C0W~Hz0(@XRT1wv;;9}67%PQ<${#}<pK_c
z-)}}WCrKVYJv<FMzGhJLO5QW3;*Yqk=`*6`Am|F{3PWqwzdrD*SAOTT`OhXN4?WOv
zl{dUEPqXdeA*rtGfg1sZ6{@<D4!4L^at?`w?I8f-L_j!HHV#pGdLz!lPLhXCMiTaJ
zY<OzW<q(9RVuoMaad*#;{<K<be!Jl3@4U6&0Ej?18~Ar16b0?@WQZQNv8K%>wRB3|
z3oJK$gf>*V`zbxY1$$--iA7VfT9dl~Acz3)AgDl4HiOS?yR+}!jV~)pelhQ7-P`vY
z03k8XpNE)#15T{f0oe>BJMcFfQp;yzPiqZ97_~+S`bH?d(t{Z+k~w|h_#UCXS_lw?
zSL2r}+gEM8ZDh^h>zP^R&Z+;fUhg*mV&3pc;4276q?a#35-D^^G4f0=rYxkE&%vJ3
zvS*K}#eWQh2#6q8+_Lqi^><**{c~2l{mQ-oK>a!YoV}>~f$T-yM`EiZK#CZRN-44@
z&m?us6iTb#A$Q-acw2{eQ&TiF)VikH!}8He%goj@+m;}*bYF#l+7~y;p7-_(`TyE+
zTQF26Jcklsx4UG|>>_>AEc}gq4BzuI#b-7V43%~<^B&;|3O~Az1tHz#E)ym5K2QJv
z6rUgd%Fvyg?kT?1kMZk<SWOnGqo>mRse^ImG~@RSkD75E&AJx?P&K~RgRn=QVP|Bf
z(`-%d`^G%`0|mg8e_87fZW+43Tc5jS_?``v-yVR#YcR~7k{~g^r7^Z^L{~LF<^^W7
z7X&~ci8)TIH>`qvF>afE*d~8``t<BElP)*DqV!sU;d}dV7q#PdwW88)?C@Uf`#^P-
zGn(mOtQU*|LRkz<{r)=hfde4eT52<%mlD?{b$Ao0C9PE6EmK^*1uTp7vC|OOZa7z5
zTk6%~JTkUsyw?bX_Km-7@9O^d9e~#B*Q_nfUH(97Nz*6AaX<|23>SB1DmqB$hg-^V
zz1ze*!07r+$H_4E+8^|H1Ud8Az8bT|K5o~|Z23=rhj)O=ve;@;F`09;U?0?7zQ*{~
zt5^SB)eB5Wh?Q;rt*uwBy??(}g1ggpUU}Fj?0Jcsl80p$xCf*V$D;9@5%EkgYI`RR
zj;YVSF8D7DJW%>b$G6@reBc29==tmd%T}p#R7PFnE=nEg9+<+J;*JvnF%aTm(7*@!
z*-9@TPaOa9j{UkA+G~%vV(~H&xl~QE&UFt>b~p#PIGuK=HrGJVF;57+!0!*rdPLtE
z4Ct?=|88w*UytiA{>{;z&mQ8~;+!NRXGxQsX3w@~*&PbWfO5heW?j%m7xe4?R&!r4
z5d3TV&1>I%zs9rQzdXI;ibc~D>Oc|c4D}J+qqTlx%I&ZA@&E1pZ~p_=Hsow9cyRLo
O0000<MNUMnLSTZ(qETu9

literal 0
HcmV?d00001

diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix
index f44621e..aaf95f3 100644
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
@@ -222,7 +222,7 @@ in
                 "iifname ${cfg.nat.externalInterface} jump filter-iif-port-forwards"}
               ${optionalString
                 dipForward
-                (concatMapStringsSep "\n    " (ip: "${ipK ip} daddr ${ip} jump ${natFilterChain ip}") (attrNames cfg.nat.forwardPorts))}
+                (concatMapStringsSep "\n    " (ip: "jump ${natFilterChain ip}") (attrNames cfg.nat.forwardPorts))}
             }
           }