From aec0ac95d5d411bbba68817ed4a86aedb3c379c7 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Fri, 10 May 2024 16:44:08 +0200
Subject: [PATCH] sigma: routingPolicyRules priorities

Without this, the rule to allow local network hosts direct access to the sigma-public address might be shadowed by the rule to send traffic from that address out through wireguard.
---
 hosts/sigma/network.nix | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/hosts/sigma/network.nix b/hosts/sigma/network.nix
index 0fab933..d5e3fbb 100644
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
@@ -51,9 +51,12 @@
 address = ["49.13.33.75/32"];
 routingPolicyRules = [
 {
- # See the AllowedIPs comment above for why this is necessary
+ # The postfix systemd service has
+ # RestrictNetworkInterfaces=wg-sigma-public, but that does not tell
+ # it to use the correct routing table.
 routingPolicyRuleConfig = {
- From = "49.13.33.75/32";
+ Priority = 10;
+ User = config.services.postfix.user;
 Table = "wg-sigma-public";
 };
 }
@@ -62,17 +65,17 @@
 # public address instead of routing the packet through Wireguard and
 # back again.
 routingPolicyRuleConfig = {
+ Priority = 500;
 From = "49.13.33.75/32";
 To = "192.168.0.0/24";
 Table = "main";
 };
 }
 {
- # The postfix systemd service has
- # RestrictNetworkInterfaces=wg-sigma-public, but that does not tell
- # it to use the correct routing table.
+ # See the AllowedIPs comment above for why this is necessary
 routingPolicyRuleConfig = {
- User = config.services.postfix.user;
+ Priority = 1000;
+ From = "49.13.33.75/32";
 Table = "wg-sigma-public";
 };
 }
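Review bot: The three Priority values (10, 500, 1000) introduced in this hunk and the next encode an ordering that the fix depends on, but nothing in the file states that ordering, so a later edit can reintroduce the shadowing the commit message describes; a comment next to the first rule such as `# Rule order matters: user-scoped rules (10) come first, then the local-network exception (500), then the catch-all From rule (1000)` would pin it down. Note also that the postfix User rule at 10 is evaluated before the From/To 192.168.0.0/24 → main exception at 500, so postfix traffic to the local network is still sent to the wg-sigma-public table; if that is intended because RestrictNetworkInterfaces already confines postfix to that interface, the comment should say so, otherwise the exception needs a lower number than the User rule. The same 10/1000 pairing is used in the wg-sigma-p2p hunk below. The routingPolicyRules list these rules belong to closes outside the hunk.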
@@ -108,21 +111,23 @@
 name = "wg-sigma-p2p";
 address = ["${secrets.sigma.sigma-p2p-ip-address}/32"];
 routingPolicyRules = [
- {
- routingPolicyRuleConfig = {
- From = "${secrets.sigma.sigma-p2p-ip-address}/32";
- Table = "wg-sigma-p2p";
- };
- }
 {
 # The deluge systemd service has
 # RestrictNetworkInterfaces=wg-sigma-p2p, but that does not tell it
 # to use the correct routing table.
 routingPolicyRuleConfig = {
+ Priority = 10;
 User = config.services.deluge.user;
 Table = "wg-sigma-p2p";
 };
 }
+ {
+ routingPolicyRuleConfig = {
+ Priority = 1000;
+ From = "${secrets.sigma.sigma-p2p-ip-address}/32";
+ Table = "wg-sigma-p2p";
+ };
+ }
 ];
 };
 };
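Review bot: The rule block re-added at Priority = 1000 carries no comment, whereas its wg-sigma-public counterpart at least points the reader to an AllowedIPs explanation; a one-liner such as `# Traffic sourced from the p2p address leaves through the tunnel's own table; evaluated after the deluge User rule (10)` would explain both why the From rule exists and why it is numbered above the User rule (adjust the wording if this interface has its own AllowedIPs comment to refer to). The routingPolicyRules list is fully inside the hunk; the attribute set containing it starts outside.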