I would like to run the following commands in order to download country-assigned networks and block them in an iptables firewall. What is the idiomatic way to do such things in NixOS in general?
I’m fine with the files being downloaded on each nixos-rebuild switch, but if there were some kind of cache that keeps the files for a few weeks, that would be even better.
# remove a previous copy of the set (this fails while an iptables rule still references it)
ipset destroy blacklist
ipset create blacklist hash:net hashsize 16000
# both zone files are concatenated into one temporary file by -O
wget https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone -O /tmp/blacklisted_nets
# one CIDR prefix per line
while read -r line; do ipset add blacklist "$line"; done < /tmp/blacklisted_nets
rm /tmp/blacklisted_nets
iptables -I INPUT -m set --match-set blacklist src -j DROP
It does not work in networking.firewall.extraCommands, by the way, because when this is evaluated, the firewall blocks all traffic in and out and nothing can be downloaded. But this is where I tried it first.
Do I have to write a module or make my own mkDerivation?
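One way to express the procedure from the question as NixOS configuration, added here as an example and not taken from the post or from any NixOS module: the firewall's extraCommands only creates the (initially empty) set and the DROP rule, which needs no network access, while a separate oneshot systemd service plus a weekly timer does the download after the network is up and fills the set. The set name, the country list, the hashsize and the ipdeny.com URLs are the ones from the question; the regex filter, the temporary-set-then-swap step and the unit names are assumptions of this example.

```nix
{ config, pkgs, lib, ... }:

let
  # Country codes whose aggregated prefix lists are fetched (from the question).
  countries = [ "cn" "ru" ];
  setName = "blacklist";

  # Refresh script: fetch the zone files, keep only lines that look like an
  # IPv4 CIDR (the files come from a third party, so nothing else is passed to
  # ipset), load them into a temporary set and swap it into place atomically,
  # so the live set referenced by the iptables rule is never empty or half-filled.
  refreshScript = pkgs.writeShellScript "refresh-${setName}" ''
    set -euo pipefail
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    for cc in ${lib.concatStringsSep " " countries}; do
      curl -fsSL "https://www.ipdeny.com/ipblocks/data/aggregated/$cc-aggregated.zone" >> "$tmp"
    done
    ipset create -exist ${setName}_new hash:net hashsize 16000
    ipset flush ${setName}_new
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' "$tmp" \
      | sed "s/^/add ${setName}_new /" \
      | ipset restore -exist
    ipset swap ${setName}_new ${setName}
    ipset destroy ${setName}_new
  '';
in
{
  networking.firewall = {
    enable = true;
    # ipset must be on the firewall unit's PATH for extraCommands to use it.
    extraPackages = [ pkgs.ipset ];
    # Runs on every nixos-rebuild switch while the firewall is closed; it downloads
    # nothing, only creates the set (if missing) and the rule from the question.
    extraCommands = ''
      ipset create -exist ${setName} hash:net hashsize 16000
      iptables -I INPUT -m set --match-set ${setName} src -j DROP
    '';
    extraStopCommands = ''
      iptables -D INPUT -m set --match-set ${setName} src -j DROP 2>/dev/null || true
    '';
  };

  # The download runs as its own unit once the network is up and after the
  # firewall has created the set; the set lives in the kernel between runs,
  # so the lists are refreshed by the timer, not on every rebuild.
  systemd.services."refresh-${setName}" = {
    description = "Refresh the ${setName} ipset from ipdeny.com";
    after = [ "network-online.target" "firewall.service" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.curl pkgs.ipset pkgs.gnugrep pkgs.gnused ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = refreshScript;
    };
  };

  systemd.timers."refresh-${setName}" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "weekly";
      Persistent = true;
    };
  };
}
```

The timer gives the "cache for a few weeks" behaviour from the question without a derivation: a pkgs.fetchurl would pin one snapshot of the lists in the Nix store, but its sha256 would have to be updated by hand every time ipdeny.com changes the file. Two caveats: the regex only admits IPv4 prefixes, so an ip6tables rule and a second family:inet6 set would be needed for IPv6, and networking.firewall.extraCommands is only used by the iptables backend, not when networking.nftables.enable is set.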