From d2835ceb779c650a015da3c7a0a0696f7d301de2 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 13 Jul 2021 13:15:38 +0200
Subject: [PATCH] services: paperless: drop external traffic to docker
---
 services/paperless.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/services/paperless.nix b/services/paperless.nix
index a837d38..0183c15 100644
--- a/services/paperless.nix
+++ b/services/paperless.nix
@@ -20,6 +20,14 @@ in
 };

 config = mkIf cfg.enable {
+ # HACK: see https://github.com/NixOS/nixpkgs/issues/111852
+ networking.firewall.extraCommands = ''
+ iptables -N DOCKER-USER || true
+ iptables -F DOCKER-USER
+ iptables -A DOCKER-USER -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A DOCKER-USER -i eno1 -j DROP
+ '';
+
 services.nginx.virtualHosts = {
 "paperless.${domain}" = {
 forceSSL = true;
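Review bot: The DROP rule in the added `networking.firewall.extraCommands` is tied to the literal interface `eno1` and to `iptables` only, so it fails open: on a host whose uplink has a different name, or over IPv6 if Docker forwards it (not visible here), published container ports stay reachable from outside. I would take the interface from a module option instead of the literal and, where IPv6 forwarding is in use, repeat the rules with `ip6tables`. At minimum, record the limit next to the HACK comment, e.g. `# only filters IPv4 arriving on eno1; applies to every container on this host, not just paperless`. `iptables -F DOCKER-USER` also discards any rule another module placed in that chain, and `-m state --state` is the legacy spelling of `-m conntrack --ctstate RELATED,ESTABLISHED`. The `config = mkIf cfg.enable {` block continues past the end of the hunk.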