I would like to run the following commands in order to download country-assigned networks and block them in an iptables firewall. What is the idiomatic way to do such things in NixOS in general?
I’m fine with the files being downloaded on each nixos-rebuild switch, but if there were some kind of cache that keeps the files for a few weeks, that would be even better.
ipset create blacklist hash:net hashsize 16000
# wget -O with several URLs concatenates all of them into the one output file
wget https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone -O /tmp/blacklisted_nets
# one CIDR per line; quote $line so it is neither word-split nor glob-expanded
while read -r line; do ipset add blacklist "$line"; done < /tmp/blacklisted_nets
iptables -I INPUT -m set --match-set blacklist src -j DROP
It does not work in networking.firewall.extraCommands, by the way, because when this is evaluated, the firewall blocks all traffic in and out and nothing can be downloaded. But this is where I tried it first.
Do I have to write a module or make my own
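Whatever NixOS wrapper ends up running it, the shell half of this procedure deserves a little hardening, because a file fetched from the network is being fed line by line into a root-run ipset command and the iptables rule is re-inserted on every run. The script below is an added example, not code from the original post or from ipdeny: it validates every line as an IPv4 CIDR before it reaches ipset (so a tampered or truncated download cannot smuggle in an option, a glob or a foreign address family), fills a staging set and swaps it in atomically so the DROP rule never points at a half-filled set, and only inserts the iptables rule if it is not already there. It assumes the ipdeny zone format (one IPv4 CIDR per line); the set name `blacklist`, the `_new` staging suffix, the `load_blocklist` helper and the sample data are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the ipdeny zone
# format (one IPv4 CIDR per line). Set names, helper names and the sample
# data below are placeholders for illustration.
# -f (noglob) is kept on for the whole script: nothing here needs pathname
# expansion, and it is what makes `set -- $var` safe on untrusted input.
set -euf

CR=$(printf '\r')

# Return 0 only for a well-formed IPv4 CIDR "a.b.c.d/len" (len 0-32).
# Anything else is rejected so only a known-good token ever reaches ipset.
valid_cidr4() {
  case $1 in */*) ;; *) return 1 ;; esac
  ip=${1%%/*}
  len=${1#*/}
  case $len in [0-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Turn zone files into an `ipset restore` script that fills a fresh staging
# set "<name>_new". Comments (#), blank lines and CRLF endings are tolerated;
# every rejected line is reported on stderr and dropped.
zone_to_ipset_restore() {
  staging="${1}_new"
  shift
  printf 'create %s hash:net family inet hashsize 16384\n' "$staging"
  cat -- "$@" | while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    line=${line%"$CR"}
    set -- $line                      # default IFS trims surrounding whitespace
    [ $# -gt 0 ] || continue
    if [ $# -eq 1 ] && valid_cidr4 "$1"; then
      printf 'add %s %s\n' "$staging" "$1"
    else
      printf 'rejected: %s\n' "$*" >&2
    fi
  done
}

# Load the generated script and swap it live (needs root and the ipset and
# iptables binaries from the question). The -C probe keeps the DROP rule
# from being inserted a second time on repeated runs.
load_blocklist() {
  setname=$1; shift
  ipset destroy "${setname}_new" 2>/dev/null || true
  ipset -exist create "$setname" hash:net family inet hashsize 16384
  zone_to_ipset_restore "$setname" "$@" | ipset restore
  ipset swap "${setname}_new" "$setname"
  ipset destroy "${setname}_new"
  iptables -C INPUT -m set --match-set "$setname" src -j DROP 2>/dev/null \
    || iptables -I INPUT -m set --match-set "$setname" src -j DROP
}

# Constructed sample (RFC 5737 documentation ranges plus deliberately bad
# lines), standing in for a downloaded <cc>-aggregated.zone file.
SAMPLE_ZONE=$(mktemp)
trap 'rm -f "$SAMPLE_ZONE"' EXIT
cat > "$SAMPLE_ZONE" <<'EOF'
# constructed sample, not real ipdeny data
203.0.113.0/24
198.51.100.0/25
   192.0.2.0/24    # trailing comment, leading spaces
256.1.1.0/24
10.0.0.0/33
10.0.0.1
*/8
EOF

# Dry run: print what would be fed to `ipset restore`; rejects go to stderr.
# To apply for real: load_blocklist blacklist /path/to/cn-aggregated.zone ...
zone_to_ipset_restore blacklist "$SAMPLE_ZONE"
```

The swap is the part worth keeping even if the rest is rewritten: with the original `ipset add` loop, the rule matches an empty or partially filled set for as long as the loop runs, so a host that reboots mid-way is briefly unprotected, whereas `ipset swap` replaces the whole set in one step.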