From 85c76178209c506149b17c01218b89cc34a78966 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 11 Dec 2022 19:07:58 +0100
Subject: [PATCH] l yellow.r: allow traffic only through vpn

---
 lass/1systems/yellow/config.nix | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index f5071c4b7..519665a3d 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -1,6 +1,6 @@
-with import <stockholm/lib>;
-{ config, lib, pkgs, ... }:
-{
+{ config, lib, pkgs, ... }: let
+  vpnIp = "85.202.81.161";
+in {
   imports = [
     <stockholm/lass>
     <stockholm/lass/2configs>
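Review bot: Dropping `with import <stockholm/lib>;` on the removed first line takes every unqualified stockholm/lib helper out of scope for the whole file, not just this hunk. If any later part of config.nix (outside what this hunk shows) relies on one, it will now fail to evaluate and needs a `lib.`-qualified name or the import restored locally, e.g. `{ config, lib, pkgs, ... }: let inherit (import <stockholm/lib>) ...;`. The module attrset this hunk opens continues past the hunk.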
@@ -11,6 +11,8 @@ with import <stockholm/lib>;
 
   users.groups.download.members = [ "transmission" ];
 
+  networking.useHostResolvConf = false;
+  networking.useNetworkd = true;
   systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
   systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
   services.transmission = {
@@ -159,13 +161,22 @@ with import <stockholm/lib>;
       { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
       { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
     ];
+    tables.filter.OUTPUT = {
+      policy = "DROP";
+      rules = [
+        { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
+        { predicate = "-o tun0"; target = "ACCEPT"; }
+        { predicate = "-o retiolum"; target = "ACCEPT"; }
+        { v6 = false; predicate = "-o eth0 -d 10.233.0.0/24"; target = "ACCEPT"; }
+      ];
+    };
   };
 
   services.openvpn.servers.nordvpn.config = ''
     client
     dev tun
     proto udp
-    remote 194.110.84.106 1194
+    remote ${vpnIp} 1194
     resolv-retry infinite
     remote-random
     nobind
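Review bot: The new OUTPUT chain with `policy = "DROP"` has no loopback or conntrack exception, so unless the krebs iptables module injects them by default (not visible here), replies to the connections that INPUT accepts on eth0 — jellyfin on 8096 and transmission on 51413 just above — are dropped on the way out, and anything the services do over 127.0.0.1 breaks too. I would add `{ predicate = "-o lo"; target = "ACCEPT"; }` and `{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }` ahead of the interface rules, and narrow the endpoint rule to what openvpn actually needs, `{ v6 = false; predicate = "-p udp -d ${vpnIp}/32 --dport 1194"; target = "ACCEPT"; }`, so the kill switch only lets the tunnel handshake out in the clear. Note that with a single `remote` line `remote-random` no longer does anything, and since the rules tagged `v6 = false` do not apply to ip6tables, the v6 side is governed only by the tun0/retiolum rules, which is fine for a kill switch but worth stating in a comment.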