From 6da5cb8a2615236341cbc2109312a911de66829f Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Tue, 16 Sep 2025 09:55:18 +0200
Subject: [PATCH] Refactor rules

---
 hosts/iron/services/public-ip-tunnel.nix | 47 +++++++++++++-----------
 1 file changed, 25 insertions(+), 22 deletions(-)

diff --git a/hosts/iron/services/public-ip-tunnel.nix b/hosts/iron/services/public-ip-tunnel.nix
index 4f17dde..d6b4fcc 100644
--- a/hosts/iron/services/public-ip-tunnel.nix
+++ b/hosts/iron/services/public-ip-tunnel.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 let
   inherit (config.networking) ports;
@@ -21,27 +21,30 @@ in
     '';
   };
   firewall.allowedUDPPorts = [ listenPort ];
-  wireguard.interfaces.hetzner-ha = {
-    ips = [ "${externalIp}/32" ];
-    privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
-    inherit listenPort;
-    table = rtTable.name;
-    postSetup = ''
-      ${pkgs.iproute2}/bin/ip rule add from ${externalIp} to 192.168.0.0/16 table main priority 10
-      ${pkgs.iproute2}/bin/ip rule add from ${externalIp} table ${rtTable.name} priority 20
-    '';
-    postShutdown = ''
-      ${pkgs.iproute2}/bin/ip rule del from ${externalIp} to 192.168.0.0/16 table main priority 10
-      ${pkgs.iproute2}/bin/ip rule del from ${externalIp} table ${rtTable.name} priority 20
-    '';
-    peers = [{
-      inherit publicKey;
-      endpoint = "${remoteHost}:${toString remotePort}";
-      persistentKeepalive = 25;
-      allowedIPs = [
-        "0.0.0.0/0"
+  wireguard.interfaces.hetzner-ha =
+    let
+      addRule = rule: "ip rule add " + rule;
+      deleteRule = rule: "ip rule delete " + rule;
+      rules = [
+        "from ${externalIp} to 192.168.0.0/16 table main priority 10"
+        "from ${externalIp} table ${rtTable.name} priority 20"
       ];
-    }];
-  };
+    in
+    {
+      ips = [ "${externalIp}/32" ];
+      privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
+      inherit listenPort;
+      table = rtTable.name;
+      postSetup = lib.concatLines (map addRule rules);
+      postShutdown = lib.concatLines (map deleteRule rules);
+      peers = [{
+        inherit publicKey;
+        endpoint = "${remoteHost}:${toString remotePort}";
+        persistentKeepalive = 25;
+        allowedIPs = [
+          "0.0.0.0/0"
+        ];
+      }];
+    };
 };
 }
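Review bot: Replacing `${pkgs.iproute2}/bin/ip` with a bare `ip` in `addRule`/`deleteRule` quietly makes both policy-routing rules depend on the PATH of the wireguard-hetzner-ha unit; the NixOS wireguard module does appear to put iproute2 on that unit's path, but in a commit titled "Refactor rules" that assumption deserves a comment above `addRule`, e.g. `# bare "ip" relies on the wireguard unit having iproute2 on PATH`. The more practical gap is idempotency: `ip rule add` fails with EEXIST when the identical rule is still installed (for instance after a stop where postShutdown never ran), and since the module seems to run these snippets under a shell with errexit, the setup would abort at that line with an incomplete rule set — without the priority-20 rule, packets sourced from `${externalIp}` are routed by the main table's default route instead of `${rtTable.name}`. Making both helpers tolerant of pre-existing state avoids that: `addRule = rule: "ip rule delete ${rule} 2>/dev/null || true; ip rule add ${rule}";` and `deleteRule = rule: "ip rule delete ${rule} || true";`. The enclosing attribute set (the `networking` block, judging by `firewall.allowedUDPPorts`) begins above the hunk.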