From 138d4389cc1e2e22637ced70cf3a45c3eaa4f8f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Na=C3=AFm=20Favier?= <n@monade.li>
Date: Mon, 26 Dec 2022 13:00:47 +0100
Subject: [PATCH] wireguard-tools: move `iptables` to PATH suffix

The firewall package in the environment should take precedence.
---
 pkgs/tools/networking/wireguard-tools/default.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pkgs/tools/networking/wireguard-tools/default.nix b/pkgs/tools/networking/wireguard-tools/default.nix
index 6430eeeb0b7..b0bc3346526 100644
--- a/pkgs/tools/networking/wireguard-tools/default.nix
+++ b/pkgs/tools/networking/wireguard-tools/default.nix
@@ -37,10 +37,11 @@ stdenv.mkDerivation rec {
       --replace /usr/bin $out/bin
   '' + lib.optionalString stdenv.isLinux ''
     for f in $out/bin/*; do
-      # allow users to provide their own resolvconf implementation, e.g. the one provided by systemd-resolved
+      # Which firewall and resolvconf implementations to use should be determined by the
+      # environment, we provide the "default" ones as fallback.
       wrapProgram $f \
-        --prefix PATH : ${lib.makeBinPath [ procps iproute2 iptables ]} \
-        --suffix PATH : ${lib.makeBinPath [ openresolv ]}
+        --prefix PATH : ${lib.makeBinPath [ procps iproute2 ]} \
+        --suffix PATH : ${lib.makeBinPath [ iptables openresolv ]}
     done
   '';