got tailscale -> proton but not the other idea

flake.lock

@@ -1,26 +1,5 @@
 {
   "nodes": {
-    "erosanix": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1704240213,
-        "narHash": "sha256-77L3ABF6aA94/1dEEABwgtWJ/q5PJ7U0DX6daFhOpOw=",
-        "owner": "emmanuelrosa",
-        "repo": "erosanix",
-        "rev": "9b42da22ad64502690e57fedadf3155150daafbd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "emmanuelrosa",
-        "repo": "erosanix",
-        "type": "github"
-      }
-    },
     "ewwtilities": {
       "inputs": {
         "nixpkgs": "nixpkgs",
@@ -56,22 +35,6 @@
         "type": "github"
       }
     },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
@@ -415,7 +378,7 @@
     },
     "pre-commit-hooks": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
         "flake-utils": "flake-utils_4",
         "gitignore": "gitignore",
         "nixpkgs": [
@@ -440,7 +403,6 @@
     },
     "root": {
       "inputs": {
-        "erosanix": "erosanix",
         "ewwtilities": "ewwtilities",
         "headscale": "headscale",
         "home-manager": "home-manager",

flake.nix

@@ -65,7 +65,6 @@
             {
               networking.hostName = "Alaska";
             }
-            inputs.erosanix.nixosModules.protonvpn
             inputs.nicks_nextcloud_integrations.nixosModules.default
             ./hosts/Alaska
             home-manager.nixosModules.home-manager {
@@ -128,7 +127,6 @@
             {
               networking.hostName = "NicksNixDesktop";
             }
-            inputs.erosanix.nixosModules.protonvpn
             kmonad.nixosModules.default
             ./hosts/desktop
             ./hosts/configuration.nix

home.nix

@@ -38,6 +38,7 @@ let
       fd
       fortune
       neofetch
+      nftables
       pfetch
       rmtrash
       testdisk # file recovery https://itsfoss.com/recover-deleted-files-linux/

hosts/Alaska/modules/headscale.nix

@@ -5,6 +5,9 @@ let
   baseDomain = "nickiel.net";
   domain = "headscale.${baseDomain}";
 in {
+  # headscale routes list
+  # headscale routes enable -r NUMBER
+  # to enable exit node to be used
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
 

hosts/Alaska/modules/protonvpn.nix

@@ -6,7 +6,6 @@ in
   networking.firewall = {
     allowedUDPPorts = [
       53
-      config.services.protonvpn.interface.port
     ];
     allowedTCPPorts = [
       53
@@ -15,7 +14,6 @@ in
 
   networking.wg-quick.interfaces."protonvpn" = {
     autostart = false;
-    #dns = [ 10.2.0.1 ];
     privateKeyFile = "/home/nixolas/.passfiles/protonvpn";
     address = [ "10.2.0.2/32" ];
     listenPort = 51820;
@@ -30,18 +28,48 @@ in
 
     # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
     postUp = ''
-      # ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+      ${pkgs.nftables}/bin/nft -f - <<EOF 
-      # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
+      add table ip tailscale-wg;
-      # ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
+      add chain ip tailscale-wg preraw;
-      # ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+      flush chain ip tailscale-wg preraw;
+      delete chain ip tailscale-wg preraw;
+
+      table ip tailscale-wg {
+        chain preraw {
+          type filter hook prerouting priority raw; policy accept;
+
+          # ip daddr 100.64.0.1 dport != 22 nftrace set 1;
+          iifname "tailscale0" ip daddr != 100.64.0.1 nftrace set 1;
+          iifname "tailscale0" ip daddr != 100.64.0.0/16 mark set 51820;
+          iifname "protonvpn" mark set 51820;
+        }
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          iifname "tailscale0" ip daddr != 100.64.0.1 masquerade;
+        }
+      }
+      EOF
+      # table inet tailscale-wg { for ipv4 + ipv6
+      ${pkgs.iproute2}/bin/ip -4 rule del not fwmark 51820 table 51820
+      # ${pkgs.iproute2}/bin/ip -6 rule del not fwmark 51820 table 51820
+
+      ${pkgs.iproute2}/bin/ip -4 rule add fwmark 51820 table 51820
+      # ${pkgs.iproute2}/bin/ip -6 rule add fwmark 51820 table 51820
+
     '';
 
     # Undo the above
     preDown = ''
-      # ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+      ${pkgs.nftables}/bin/nft -f - <<EOF
-      # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
+      add table ip tailscale-wg;
-      # ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
+
-      # ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+      add chain ip tailscale-wg preraw;
+      flush chain ip tailscale-wg preraw;
+      delete chain ip tailscale-wg preraw;
+
+      delete table ip tailscale-wg;
+      EOF
+
     '';
   };