Lillian-Violet/NixOS-Config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

try this postup postdown setting

Browse source
This commit is contained in:
Lillian-Violet 2024-01-06 16:48:52 +01:00
parent f60f11e220
commit 1d2fe4b2db
1 changed files with 36 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

37
nixos/server/package-configs/aria2/configuration.nix
View file

@ -40,7 +40,7 @@
}: {
system.stateVersion = "unstable";
networking.firewall.allowedTCPPorts = [6969];
networking.firewall.allowedUDPPorts = [6969];
networking.firewall.allowedUDPPorts = [6969 51820];
users.users = {
aria2.extraGroups = ["jellyfin" "nextcloud"];
};
@ -51,6 +51,41 @@
};
networking.wg-quick.interfaces = {
wg0 = {
postUp = ''
# Mark packets on the wg0 interface
wg set wg0 fwmark 51820
# Forbid anything else which doesn't go through wireguard VPN on
# ipV4 and ipV6
${pkgs.iptables}/bin/iptables -A OUTPUT \
! -d 192.168.0.0/16 \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -A OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \
--dport 8112 -m state --state NEW,ESTABLISHED -j ACCEPT
${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \
-j ACCEPT
'';
postDown = ''
${pkgs.iptables}/bin/iptables -D OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -D OUTPUT \
! -o wg0 -m mark \
! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
'';
address = ["10.2.0.2/32"];
dns = ["10.2.0.1"];
privateKeyFile = "/var/lib/wg/private-key";