How to idiomatically download and and process files for firewall rules?

I would like to run the following commands in order to download country-assigned networks and block them in an iptables firewall. What is the idiomatic way to do such things in NixOS in general?

I’m fine with the files being downloaded on each nixos-rebuild switch but if there were some kind of cache that keeps the files for a few weeks, that would be even better.

  1. ipset destroy
  2. ipset create blacklist hash:net hashsize 16000
  3. wget https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone -O /tmp/blacklisted_nets
  4. while read -r line; do ipset add blacklist $line; done < /tmp/blacklisted_nets
  5. rm /tmp/blacklisted_nets
  6. iptables -I INPUT -m set --match-set blacklist src -j DROP";

It does not work in networking.firewall.extraCommands, by the way, because when this is evaluated, the firewall blocks all traffic in and out and nothing can be downloaded. But this is where I tried it first.

Do I have to write a module or make my own mkDerivation?

1 Like