author Xiao Pan <xyz@flylightning.xyz> 2025-07-14 00:31:55 +0800
committer Xiao Pan <xyz@flylightning.xyz> 2025-07-14 00:31:55 +0800
commit 431a05b652a57144bb2db44fdf04abaff6b5d5ef
tree 5a72a1aeeb6751c53092f05fd335ac5d46c722ff
parent 145bfbec2bc6316c55aae7dbe05116cd1007e474
run monerod only when all network thru wireguard
wg_ba network interface tunnels all network through wireguard to ba. I would like to only run monerod when this happens, for various reasons; see comments in monerod@.service. Some measures I take are: systemd unit bound to wg_ba, NetworkManager dispatcher stopping monerod service pre wg_ba down, and vpn script killing monerod process before wg_ba down. The former two measures are in this commit. For bitmonero.conf, I also limit upload rate; for the reason, see the comment. I also enabled ipv6. I also tried to bind ip, which does not seem to work, but I put it there anyway.
-rwxr-xr-x etc/NetworkManager/dispatcher.d/pre-down.d/20-monerod 10
-rw-r--r-- etc/systemd/system/monerod@.service 35
-rw-r--r-- home/xyz/.bitmonero/bitmonero.conf 18
3 files changed, 55 insertions, 8 deletions
diff --git a/etc/NetworkManager/dispatcher.d/pre-down.d/20-monerod b/etc/NetworkManager/dispatcher.d/pre-down.d/20-monerod
new file mode 100755
index 00000000..9c10aa0a
--- /dev/null
+++ b/etc/NetworkManager/dispatcher.d/pre-down.d/20-monerod
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# `man NetworkManager-dispatcher`
+
+if [ "$1" = wg_ba ]; then
+ case "$2" in
+ # my test shows only pre-down will be emitted, vpn-pre-down and down will not be emitted here
+ pre-down) systemctl stop monerod@xyz;;
+ esac
+fi
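Review bot: In the `pre-down)` branch, `systemctl stop monerod@xyz` hard-codes the `xyz` instance of a template unit and its exit status is never checked, so any other `monerod@` instance keeps running and a failed stop passes silently while wg_ba goes down anyway. Consider stopping by pattern (`systemctl stop 'monerod@*'`, which matches loaded instances) and logging a non-zero exit, for example with `logger -t 20-monerod`. The inner `case "$2"` is redundant for a script that lives only in pre-down.d, though it is harmless as a guard if the file is ever symlinked elsewhere.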
diff --git a/etc/systemd/system/monerod@.service b/etc/systemd/system/monerod@.service
index 0dfd9e70..f1d91961 100644
--- a/etc/systemd/system/monerod@.service
+++ b/etc/systemd/system/monerod@.service
@@ -1,6 +1,31 @@
[Unit]
Description=Monero Full Node for user %I
After=network.target
+# `man systemd.unit`
+# Notes about my tests with BindsTo= and other options see this url:
+# https://git.flylightning.xyz/public_archive_codes/tree/configs/configs_root_dir/etc/systemd/system/monerod_after_bindsto_mullvad.service
+# I want monerod tunnel all traffic through wireguard, otherwise China ISP will
+# think I mine crypto and will be unhappy. This is one of the measures I take,
+# which is to only run monerod when wg_ba network interface is up. **Note it
+# seems there will still have some traffic being leaked when wg_ba is down**,
+# maybe due to moenrod does not being killed immediately. Maybe use use
+# KillSignal=SIGKILL can kill it faster, see `man systemd.kill`, but I don't
+# want it to be killed with SIGKILL even when proper poweroff computer so maybe
+# don't use it. It can be tested with sth. like `sudo tcpdump -i wlp2s0 port
+# 18080`. wg_ba is tunnelling all computer traffic through ba. I bind it to
+# wg_ba because trying to make monerod tunnel traffic to wireguard when
+# wg_master is up is hard. wg_master does not tunnel all computer traffic.
+# monerod --p2p-bind-ip does not work as expected when under wg_master, see vq
+# bug notes. ba VPS nftables.conf also need `oifname $wg_iface masquerade` for
+# monerod to tunnel some traffic through ba wireguard when insp is under
+# wg_master, but this has issue of insp can't access ib qbt and jackett because
+# I guess this maybe somehow also masquerade my website accessing ib qbt and
+# jackett with other ip which ib nft refuse to let the ip to see its local
+# ports. One way I could think to make monerod tunnel all traffic through
+# wireguard is to use virutal network interface and namespaces but that is very
+# complicated.
+After=sys-subsystem-net-devices-wg_ba.device
+BindsTo=sys-subsystem-net-devices-wg_ba.device
[Service]
User=%i
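Review bot: `BindsTo=sys-subsystem-net-devices-wg_ba.device` only queues the stop once the device unit is already inactive, so monerod keeps its sockets open for as long as the SIGTERM shutdown takes; that is the leak the added comment itself reports, and nothing in this hunk closes it. Rather than switching to `KillSignal=SIGKILL`, consider enforcing the constraint on the service's cgroup, for example `RestrictNetworkInterfaces=wg_ba` in `[Service]` on systemd versions that support it, so traffic on wlp2s0 is dropped regardless of how quickly the process exits. Smaller points: the comment has typos ("moenrod", "use use", "virutal"), and the "vq bug notes" it refers to are not linked, so a reader of the unit file cannot follow that reference.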
@@ -9,8 +34,14 @@ Type=simple
ExecStart=/usr/bin/monerod --non-interactive
StandardOutput=null
StandardError=null
-
-Restart=always
+# `man systemd.service`
+# I would like to kill monerod with my vpn script as one of the measures to
+# bind it to wg_ba wireguard network interface, so no restart. If restart,
+# after me kill monerod, it will be restarted which is not what I want. I don't
+# wish to always make it run, run only for some time after me start the
+# computer is ok for me, just need to sync and share the monero node a little
+# bit, I'm fine if later on moenrod got killed for whatever reason.
+Restart=no
[Install]
WantedBy=multi-user.target
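Review bot: With `Restart=no` and the unchanged `WantedBy=multi-user.target`, nothing starts monerod again once wg_ba has gone down and come back, and a boot where wg_ba is not yet present leaves the unit stopped for the whole session. If that is not intended, add `WantedBy=sys-subsystem-net-devices-wg_ba.device` to `[Install]` so the service follows the interface. Also note that systemd does not apply `Restart=` to stops it performs itself (`systemctl stop`, or the BindsTo stop), so if the vpn script stopped the unit instead of killing the process, `Restart=on-failure` could be kept for crash recovery. With `StandardOutput=null` and `StandardError=null` in the context lines, none of these stop or failure paths leave output in the journal to verify against.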
diff --git a/home/xyz/.bitmonero/bitmonero.conf b/home/xyz/.bitmonero/bitmonero.conf
index 2319f1f1..4743a5cd 100644
--- a/home/xyz/.bitmonero/bitmonero.conf
+++ b/home/xyz/.bitmonero/bitmonero.conf
@@ -1,8 +1,14 @@
-# use home internet limits
-# 20 Mbps \approx 2441 KiB/s
-limit-rate-up=2441
-# 300 Mbps \approx 36621 KiB/s
-limit-rate-down=36621
+# 80 KiB/s is about the actual upload speed, because I would like to contribute
+# back but I don't want to make China ISP unhappy about me uploading too much
+limit-rate-up=80
# https://monerodocs.org/interacting/monero-config-file/#syntax
# need =1 for options without value
-#p2p-use-ipv6=1
+p2p-use-ipv6=1
+# Bind to wireguard ips, I want monerod only using network through wireguard,
+# otherwise China ISP will think I mine crypto and will be unhappy. But
+# p2p-bin-ip and p2pbind-ipv6-address seems do not work, see vq buts note. But
+# I still have those configs here because what if they somehow fixed it in the
+# future.
+# Can be tested with sth. like `sudo tcpdump -i wlp2s0 port 18080`
+p2p-bind-ip=10.0.0.1
+p2p-bind-ipv6-address=fdc9:281f:04d7:9ee9::1
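Review bot: The first five removed lines drop `limit-rate-down=36621` along with the old upload limit, but only `limit-rate-up=80` is added back and neither the new comment nor the commit message mentions removing the download cap; say whether that is deliberate or restore the line. In the bind comment, the option names are misspelled ("p2p-bin-ip", "p2pbind-ipv6-address", "buts note"), which defeats grepping the config for the real keys `p2p-bind-ip` and `p2p-bind-ipv6-address`. Since the comment states these two settings do not work, it should also say that the tunnel-only behaviour depends on the systemd and NetworkManager measures, and that `10.0.0.1` and `fdc9:281f:04d7:9ee9::1` have to be kept in step with the wg_ba address configuration.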