port forwarding in gluetun container

hosts/common/optional/arion-containers/arrstack.nix

@@ -1,5 +1,4 @@
-{config, ...}: 
+{config, ...}: let
-let
   openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path;
   openVpnUser = config.sops.secrets."software/proton/openvpn_user".path;
 in {
@@ -8,6 +7,18 @@ in {
     "software/proton/openvpn_user" = {};
   };
 
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        6887
+      ];
+      allowedUDPPorts = [
+        6887
+      ];
+    };
+  };
+
   virtualisation.arion = {
     backend = "podman-socket";
     projects.arrstack = {
@@ -19,7 +30,7 @@ in {
             "6887:6887/udp" # qbittorrent torrenting port
           ];
           image = "qmcgaw/gluetun";
-          capabilities = { NET_ADMIN = true; };
+          capabilities = {NET_ADMIN = true;};
           container_name = "glutun";
           restart = "always";
           volumes = [
@@ -31,6 +42,7 @@ in {
             VPN_SERVICE_PROVIDER = "protonvpn";
             VPN_TYPE = "openvpn";
             SERVER_COUNTRIES = "Switzerland";
+            VPN_PORT_FORWARDING = "on";
           };
           devices = ["/dev/net/tun:/dev/net/tun"];
         };
@@ -44,15 +56,14 @@ in {
             "/media/media:/media"
           ];
           environment = {
-            TZ="Europe/London";
+            TZ = "Europe/London";
-            WEBUI_PORT=8076;
+            WEBUI_PORT = 8076;
-            TORRENTING_PORT=6887;
+            TORRENTING_PORT = 6887;
-            PUID=1000;
+            PUID = 1000;
-            PGID=1000;
+            PGID = 1000;
           };
           network_mode = "service:gluetun";
         };
-
       };
     };
   };