From 1ae76003c4146181c078f5043039286a2e75aa3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?=
Date: Fri, 11 Jul 2025 14:05:02 -0300
Subject: [PATCH] docker: add script to fix firewall settings periodically
---
system/containers.nix | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/system/containers.nix b/system/containers.nix
index ddd3e38..dfa5bf0 100644
--- a/system/containers.nix
+++ b/system/containers.nix
@@ -33,6 +33,18 @@ networking.firewall.extraCommands = lib.getExe pkgs._docker-block-external-connections;
+ # Docker punches holes in your firewall
+ systemd.services.docker-update-firewall = {
+ script = lib.getExe pkgs._docker-block-external-connections;
+ };
+ systemd.timers.docker-update-firewall = {
+ timerConfig = {
+ OnCalendar = "minutely";
+ Unit = "docker-update-firewall.service";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ programs.extra-container.enable = true; programs.firejail.enable = true;
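Review bot: With `OnCalendar = "minutely"` as the only trigger, ports that Docker publishes can stay reachable from outside for up to a minute after dockerd rewrites its rules, so the timer is a backstop rather than a closed gap. Consider also tying `systemd.services.docker-update-firewall` to the daemon with `after = [ "docker.service" ]; wantedBy = [ "docker.service" ];` so the block is re-applied as soon as Docker (re)starts; rule changes made when a container starts between ticks would still rely on the timer. The script body is not visible in this hunk, and the enclosing module attrset starts and ends outside it: because the same executable now runs every minute as well as from `networking.firewall.extraCommands`, it should be idempotent (check before insert, or flush its own chain), otherwise rules presumably accumulate, and it should not depend on the `PATH` that the firewall script provides. The comment could say that, e.g. `# Docker rewrites iptables at runtime; re-apply the external-connection block periodically`.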