From 3696471201e7b1afa0460e0e77fd3f59dc82ef8a Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 22 Apr 2021 17:40:27 +0000
Subject: [PATCH] services: adblock: restrict to wireguard interface
---
 services/adblock.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/services/adblock.nix b/services/adblock.nix
index e4ee718..23d63c8 100644
--- a/services/adblock.nix
+++ b/services/adblock.nix
@@ -36,9 +36,11 @@ in
 };
 config = lib.mkIf cfg.enable {
- # Needed when connecting from Wireguard clients
- networking.firewall.allowedUDPPorts = [ 53 ];
- networking.firewall.allowedTCPPorts = [ 53 ];
+ # Allow wireguard clients to connect to it
+ networking.firewall.interfaces."${wgCfg.iface}" = {
+ allowedUDPPorts = [ 53 ];
+ allowedTCPPorts = [ 53 ];
+ };
 services.unbound = {
 enable = true;
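Review bot: The new `networking.firewall.interfaces."${wgCfg.iface}"` block is gated only by `cfg.enable`, so if the wireguard module is disabled or `wgCfg.iface` names an interface that never comes up, port 53 is opened on no interface and the resolver silently becomes unreachable for remote clients. `wgCfg` is defined outside this hunk, so I cannot see whether it carries an enable flag; if it does, an assertion such as `assertions = [ { assertion = wgCfg.enable; message = "adblock requires the wireguard service"; } ];` would make the dependency explicit (option name to be confirmed). The firewall rule is also the only restriction visible here: the `services.unbound` settings continue past the hunk, and it is worth checking that its listening addresses and access-control are limited to the wireguard subnet too, so the resolver stays closed if the firewall is disabled or another interface is marked trusted. The comment could name what is being restricted, e.g. `# Expose DNS (53/udp, 53/tcp) on the wireguard interface only`.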