From 09f54a05eeb2118429863af0841240e2c4016c60 Mon Sep 17 00:00:00 2001
From: clerie
Date: Sun, 20 Oct 2024 17:06:36 +0200
Subject: [PATCH] hosts/carbon: Do not fall back IPv6 traffic via VPN, if no native IPv6 is available

---
 hosts/carbon/wg-clerie.nix | 1 +
 modules/wg-clerie/default.nix | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/hosts/carbon/wg-clerie.nix b/hosts/carbon/wg-clerie.nix
index 14bf443..36965c6 100644
--- a/hosts/carbon/wg-clerie.nix
+++ b/hosts/carbon/wg-clerie.nix
@@ -5,5 +5,6 @@
 enable = true;
 ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ];
 ipv4s = [ "10.20.30.111/32" ];
+ defaultViaVPN = false;
 };
 }
diff --git a/modules/wg-clerie/default.nix b/modules/wg-clerie/default.nix
index 234bddc..a8a845a 100644
--- a/modules/wg-clerie/default.nix
+++ b/modules/wg-clerie/default.nix
@@ -25,6 +25,11 @@ in
 default = [];
 description = "IPv4 interface addresses";
 };
+ defaultViaVPN = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Use VPN default route for a protocol, if that protocol is unavailable in the underlay";
+ };
 };
 };
@@ -45,7 +50,9 @@ in
 { rule = "to 2a01:4f8:c0c:15f1::1/128 ipproto udp dport 51820 unreachable"; prio = 20001; }
 # Try direct routing first, fallback to VPN
 { rule = "lookup main"; prio = 21000; }
+ ] ++ (if cfg.defaultViaVPN then [
 { rule = "lookup wg-clerie"; prio = 21001; }
+ ] else []) ++ [
 { rule = "unreachable"; prio = 22000; }
 ];
 rules4 = (concatMap (ip: [
@@ -57,7 +64,9 @@ in
 { rule = "to 78.47.183.82/32 ipproto udp dport 51820 unreachable"; prio = 20001; }
 # Try direct routing first, fallback to VPN
 { rule = "lookup main"; prio = 21000; }
+ ] ++ (if cfg.defaultViaVPN then [
 { rule = "lookup wg-clerie"; prio = 21001; }
+ ] else []) ++ [
 { rule = "unreachable"; prio = 22000; }
 ];
 };
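Review bot: The new `defaultViaVPN` option is one bool that the later hunks apply to both `rules6` and `rules4`, while the commit subject describes an IPv6-only intent and the description says "for a protocol"; on carbon, `defaultViaVPN = false` therefore also removes the IPv4 VPN fallback, which may not be what the subject intends. If the IPv4 fallback should survive, the option would need to be split per address family (say `defaultViaVPN6`/`defaultViaVPN4`), otherwise the description should state that it covers both. The description should also spell out the fail-closed consequence visible in the routing hunks, e.g. `description = "Append the VPN table as a fallback after the main table for both IPv4 and IPv6; when false, destinations without a main-table route hit the unreachable rule instead of the VPN";`.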
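Review bot: The context comment `# Try direct routing first, fallback to VPN` above the new conditional is now only true when `cfg.defaultViaVPN` is set; when it is false the next rule after `lookup main` is `unreachable` at prio 22000, so the comment should say so, e.g. `# Try direct routing first; fall back to VPN only if defaultViaVPN, otherwise unreachable`. The same stale comment sits in the rules4 hunk at -57,7. Since the file already calls `concatMap` and `mkOption` unqualified, `optional` from lib is presumably in scope as well, and `] ++ optional cfg.defaultViaVPN { rule = "lookup wg-clerie"; prio = 21001; } ++ [` would replace each three-line if/else splice with one line. The enclosing `rules6` and `rules4` lists begin outside their hunks.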