How to idiomatically download and process files for firewall rules?

I would like to run the following commands in order to download country-assigned networks and block them in an iptables firewall. What is the idiomatic way to do such things in NixOS in general?

I’m fine with the files being downloaded on each nixos-rebuild switch but if there were some kind of cache that keeps the files for a few weeks, that would be even better.

  1. ipset destroy
  2. ipset create blacklist hash:net hashsize 16000
  3. wget https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone -O /tmp/blacklisted_nets
  4. while read -r line; do ipset add blacklist $line; done < /tmp/blacklisted_nets
  5. rm /tmp/blacklisted_nets
  6. iptables -I INPUT -m set --match-set blacklist src -j DROP

It does not work in networking.firewall.extraCommands, by the way, because when this is evaluated, the firewall blocks all traffic in and out and nothing can be downloaded. But this is where I tried it first.

Do I have to write a module or make my own mkDerivation?

2 Likes
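One way to structure this in NixOS, as an added example that is not part of the original post: the firewall only creates the (initially empty) set and the DROP rule, which needs no network access, while a separate oneshot service that runs after `network-online.target` downloads the zone files and swaps the entries in; a weekly timer refreshes them instead of every rebuild. The unit name `geoip-blocklist`, the staging set `blacklist-new` and the use of curl instead of wget are my choices, not anything from the original post.

```nix
{ pkgs, ... }:
{
  networking.firewall = {
    enable = true;
    extraPackages = [ pkgs.ipset ];
    # Runs during firewall (re)load: create the set if missing and attach the
    # rule idempotently. Nothing here touches the network, so it cannot deadlock.
    extraCommands = ''
      ipset create -exist blacklist hash:net hashsize 16000
      iptables -C INPUT -m set --match-set blacklist src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set blacklist src -j DROP
    '';
  };

  # Populate the set only once the network is up and the firewall has created
  # it, so the download is never blocked by the firewall itself.
  systemd.services.geoip-blocklist = {
    description = "Refresh country blocklist ipset";
    wants = [ "network-online.target" ];
    after = [ "network-online.target" "firewall.service" ];
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.ipset pkgs.curl ];
    serviceConfig.Type = "oneshot";
    script = ''
      set -euo pipefail
      tmp=$(mktemp)
      trap 'rm -f "$tmp"' EXIT
      for cc in cn ru; do
        # -f makes a failed download abort the unit instead of loading an empty list
        curl -fsSL "https://www.ipdeny.com/ipblocks/data/aggregated/$cc-aggregated.zone" >> "$tmp"
      done
      # Build into a staging set and swap atomically, so the live set is never
      # empty or half-filled while the refresh runs.
      ipset create -exist blacklist-new hash:net hashsize 16000
      ipset flush blacklist-new
      grep -E '^[0-9]' "$tmp" | while read -r net; do
        ipset add -exist blacklist-new "$net"
      done
      ipset swap blacklist-new blacklist
      ipset destroy blacklist-new
    '';
  };

  # Re-download weekly rather than on every nixos-rebuild switch.
  systemd.timers.geoip-blocklist = {
    wantedBy = [ "timers.target" ];
    timerConfig = { OnCalendar = "weekly"; Persistent = true; };
  };
}
```

`ipset swap` requires both sets to have the same type, which is why the staging set is created with the same `hash:net hashsize 16000` as the live one.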