From b6b8e8dc823dcfa5ead3de29199c438b1dbad7f5 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Tue, 1 Aug 2023 10:26:56 +0300
Subject: [PATCH] host/tatos: add subnets user list
---
 .../tatos/services/subnets_user_list.secret.txt | 2 ++
 nixos/hosts/tatos/services/update_ru_routes.nix | 7 ++++++-
 nixos/hosts/tatos/services/update_ru_routes.sh | 16 +++++++++-------
 nixos/hosts/tatos/services/wireguard.nix | 14 +++++++++++---
 4 files changed, 28 insertions(+), 11 deletions(-)
 create mode 100644 nixos/hosts/tatos/services/subnets_user_list.secret.txt
diff --git a/nixos/hosts/tatos/services/subnets_user_list.secret.txt b/nixos/hosts/tatos/services/subnets_user_list.secret.txt
new file mode 100644
index 0000000..9fdd4cb
--- /dev/null
+++ b/nixos/hosts/tatos/services/subnets_user_list.secret.txt
@@ -0,0 +1,2 @@
+# cache.nixos.org
+151.101.86.217/32
diff --git a/nixos/hosts/tatos/services/update_ru_routes.nix b/nixos/hosts/tatos/services/update_ru_routes.nix
index fc2bb15..d015b15 100644
--- a/nixos/hosts/tatos/services/update_ru_routes.nix
+++ b/nixos/hosts/tatos/services/update_ru_routes.nix
@@ -1,4 +1,5 @@
 { writeShellScriptBin
+, substituteAll
 , symlinkJoin
 , makeWrapper
 , bind
@@ -9,7 +10,11 @@
 , curl
 }:
 let
- update_ru_routes_unwrapped = writeShellScriptBin "update_ru_routes" (builtins.readFile ./update_ru_routes.sh);
+ update_ru_routes_unwrapped = writeShellScriptBin "update_ru_routes"
+ (builtins.readFile (substituteAll {
+ src = ./update_ru_routes.sh;
+ subnetsUserList = "${./subnets_user_list.secret.txt}";
+ }));
 in
 symlinkJoin {
 name = "update_ru_routes";
diff --git a/nixos/hosts/tatos/services/update_ru_routes.sh b/nixos/hosts/tatos/services/update_ru_routes.sh
index 60dd391..ff497cc 100644
--- a/nixos/hosts/tatos/services/update_ru_routes.sh
+++ b/nixos/hosts/tatos/services/update_ru_routes.sh
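Review bot: The new list pins cache.nixos.org to a single /32 with no record of where or when the address was obtained, so a later reader cannot tell whether it is still current; if that host is served through a CDN (not shown here), the address can rotate and the route silently stops matching. Because the consuming script discards any line containing `#`, the provenance has to sit on its own comment line, e.g. `# cache.nixos.org, resolved on <DATE-PLACEHOLDER>; re-check before relying on it`.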
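Review bot: Interpolating `"${./subnets_user_list.secret.txt}"` in the new `update_ru_routes_unwrapped` binding copies the file into the Nix store, so despite the `.secret` suffix its contents become world-readable under /nix/store and the store path is baked into the script text; that is harmless for a list of public subnets, but the name promises a confidentiality the mechanism cannot provide. If the suffix means the file is kept out of version control (inferred from the name only), evaluation will also fail on any checkout that lacks it. Separately, `builtins.readFile` applied to the `substituteAll` derivation forces a build during evaluation (import-from-derivation); using `substituteAll` with `isExecutable = true` and `dir = "bin"` directly, or reading the user list from a runtime path instead of substituting it at build time, avoids that. A comment on the binding would prevent the wrong assumption, e.g. `# NOTE: the user list is copied into the world-readable Nix store; keep only non-sensitive entries in it`.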
@@ -11,13 +11,15 @@ function ProgressBar {
 # Variables
 file_raw="russian_subnets_list_raw.txt"
-# file_user="subnets_user_list.txt"
+file_user="@subnetsUserList@"
 file_for_calc="russian_subnets_list_raw_for_calc.txt"
 file_processed="russian_subnets_list_processed.txt"
 gateway_for_internal_ip=`ip route | awk '/default/ {print $3; exit}'`
 interface=`ip route | awk '/default/ {print $5; exit}'`
 # Get addresses RU segment
+echo "Add stat.ripe.net to $interface"
+ip route add 193.0.6.150/32 via $gateway_for_internal_ip dev $interface
 echo "Download RU subnets..."
 curl --progress-bar "https://stat.ripe.net/data/country-resource-list/data.json?resource=ru" | jq -r ".data.resources.ipv4[]" > $file_raw
@@ -28,13 +30,13 @@ for line in $(cat $file_for_calc); do
 ipcalc --no-decorate -d $line >> $file_processed; done
-# if [ -e $file_user ]; then echo "Add user subnets..."; cat $file_user |grep -v "#" >> $file_processed; fi
+if [ -e $file_user ]; then
+ echo "Add user subnets..."
+ cat $file_user | grep -v "#" >> $file_processed
+fi
-# Flush route table
-echo "Flush route table (down interface $interface)..."
-ifdown $interface > /dev/null 2>&1
-echo "Up interface $interface..."
-ifup $interface > /dev/null 2>&1
+echo "Flush route table (restart interface $interface)..."
+systemctl restart "network-addresses-${interface}.service"
 # Add route
 routes_count_in_file=`wc -l $file_processed`
diff --git a/nixos/hosts/tatos/services/wireguard.nix b/nixos/hosts/tatos/services/wireguard.nix
index e70df21..8856ac7 100644
--- a/nixos/hosts/tatos/services/wireguard.nix
+++ b/nixos/hosts/tatos/services/wireguard.nix
@@ -9,6 +9,8 @@ let
 port = tatosData.wireguard.port;
 update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
+
+ dnsport = 53;
 in
 {
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
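Review bot: The added `ip route add 193.0.6.150/32 via $gateway_for_internal_ip dev $interface` is not idempotent: on a second run the route already exists, `ip` reports "File exists", and with no error handling visible in the hunk the script simply carries on; if the default-route lookup two lines above yields nothing, the unquoted empty variable also turns the command into `ip route add 193.0.6.150/32 via dev ...`, which fails, and the download presumably no longer takes the direct path the route was meant to provide. `ip route replace 193.0.6.150/32 via "$gateway_for_internal_ip" dev "$interface" || exit 1` covers both the rerun and the failed lookup. The unchanged `curl` context line has no `--fail`, so an HTTP error still leaves an empty `$file_raw` that the later flush acts on; that predates this commit but the new route setup now feeds directly into it. The script continues outside the hunk.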
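Review bot: `cat $file_user | grep -v "#"` in the new `if` block drops every line that contains a `#` anywhere, so an entry with a trailing comment disappears entirely, while blank lines pass straight through into `$file_processed` and reach the route loop further down (outside the hunk). `sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file_user" >> "$file_processed"` strips both inline and full-line comments, removes empty lines and replaces the unnecessary `cat`. The `systemctl restart "network-addresses-${interface}.service"` replacement assumes NixOS scripted networking; the unit name is not shown in this diff, and if the host uses networkd the restart fails, the old routes stay in the table, and the following additions produce duplicates without anyone noticing, so `|| exit 1` on that line is worth adding.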
@@ -22,7 +24,15 @@ in
 };
 networking.firewall = {
- allowedUDPPorts = [ port ];
+ allowedTCPPorts = [ dnsport ];
+ allowedUDPPorts = [ dnsport port ];
+ };
+
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ interface = "wg0";
+ };
 };
 environment.systemPackages = [ update_ru_routes ];
@@ -43,14 +53,12 @@ in
 interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
 ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE
 ${pkgs.iproute}/bin/ip rule add from ${tatosData.addr} table main
- ${pkgs.iproute}/bin/ip route add 193.0.6.150/32 via $gateway dev $interface
 '';
 preDown = ''
 gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
 interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
 ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE
 ${pkgs.iproute}/bin/ip rule del from ${tatosData.addr} table main
- ${pkgs.iproute}/bin/ip route del 193.0.6.150/32 via $gateway dev $interface
 '';
 # Path to the private key file.
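Review bot: `allowedTCPPorts = [ dnsport ]` and `allowedUDPPorts = [ dnsport port ]` open port 53 on every interface, including the public one, while dnsmasq is only meant to serve `wg0`; the host then accepts DNS traffic from the internet and relies on dnsmasq's interface filtering alone to discard it, and by default dnsmasq still binds the wildcard address because `bind-interfaces` is not set here. Scoping the firewall rule to the tunnel keeps the resolver reachable by peers only: keep `allowedUDPPorts = [ port ];` and add `interfaces.wg0.allowedTCPPorts = [ dnsport ];` and `interfaces.wg0.allowedUDPPorts = [ dnsport ];`. Setting `bind-interfaces = true` alongside `interface = "wg0"` would additionally stop the listener from appearing on other addresses at all.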