From 29d990f33c4f971a03cb68e1ec6846cab5b3fc11 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Thu, 8 Jun 2023 19:52:29 +0800
Subject: [PATCH] hosts/plover: improve firewall settings for Wireguard service
---
 hosts/plover/modules/services/wireguard.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index 14c2724c..f01bb482 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@@ -16,7 +16,16 @@ in {
   environment.systemPackages = [ pkgs.wireguard-tools ];
-  networking.firewall.allowedUDPPorts = [ wireguardPort ];
+  networking.firewall = {
+    # Allow the UDP traffic for the Wireguard service.
+    allowedUDPPorts = [ wireguardPort ];
+
+    # Accept the traffic from the Wireguard interface.
+    trustedInterfaces = [ wireguardIFName ];
+
+    # IP forwarding for specific interfaces.
+    filterForward = true;
+  };
   systemd.network = {
     wait-online.ignoredInterfaces = [ wireguardIFName ];
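Review bot: The comment `# IP forwarding for specific interfaces.` above `filterForward = true;` misdescribes the option: `networking.firewall.filterForward` does not enable IP forwarding (that is a sysctl or `networking.nat` setting), it makes the firewall filter the FORWARD chain, and in NixOS it is documented as only working with the nftables backend (`networking.nftables.enable = true`), which this hunk does not show being set, so it may be rejected or silently not applied on an iptables host. I would rewrite the comment to `# Also filter forwarded traffic (only effective with the nftables-based firewall).` and confirm nftables is enabled elsewhere in the host config. Separately, `trustedInterfaces = [ wireguardIFName ];` accepts every packet arriving on the tunnel, so any peer gets unfiltered access to all services the host listens on; if peers only need specific services, `networking.firewall.interfaces.${wireguardIFName}.allowedTCPPorts`/`allowedUDPPorts` is the narrower choice. The enclosing attribute set begins before and ends after the hunk.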