services.wireguard: do not open port when behind NAT

2026-01-12 04:39:23 +08:00 · 2024-06-01 00:26:12 +08:00
parent 37c5678862
commit 9f27c9dbc9
1 changed files with 5 additions and 1 deletions
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -38,7 +38,11 @@ inputs:
      {
        networking =
        {
-          firewall = { allowedUDPPorts = [ wireguard.listenPort ]; trustedInterfaces = [ "wireguard" ]; };
+          firewall =
+          {
+            allowedUDPPorts = inputs.lib.mkIf (!wireguard.behindNat) [ wireguard.listenPort ];
+            trustedInterfaces = [ "wireguard" ];
+          };
          wireguard.interfaces.wireguard =
          {
            ips = [ "${wireguard.wireguardIp}/24" ];