crony/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move auto-cpufreq/firewall for wireguard to modules.

Browse source
This commit is contained in:
CronyAkatsuki 2025-02-01 19:07:40 +01:00
parent 74c1b18ce2
commit e3dbd06b82
4 changed files with 58 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

26
modules/nixos/wireguard.nix Normal file
View file

@ -0,0 +1,26 @@
{
config,
lib,
...
}: {
options = {
crony.wireguard.enable = lib.mkEnableOption "Open ports in firewall for wireguard to work.";
};
config = lib.mkIf config.crony.wireguard.enable {
# Allow for wireguard traffic
networking.firewall = {
# if packets are still dropped, they will show up in dmesg
logReversePathDrops = true;
# wireguard trips rpfilter up
extraCommands = ''
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
'';
extraStopCommands = ''
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
'';
};
};
}