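{
  config,
  lib,
  pkgs,
  ...
}:
# Local replacement for the upstream nixpkgs zapret module.
#
# Runs `nfqws` as a systemd service and, when `configureFirewall` is set,
# steers outbound HTTP/HTTPS (and optionally UDP) through its NFQUEUE with
# iptables. The `module.dpi.bypass.*` options are declared elsewhere; only the
# `config` side is defined here.
let
  cfg = config.module.dpi.bypass;

  # Hostlists are materialised as files in the Nix store and passed by path.
  # `--hostlist` restricts nfqws to the listed hostnames; `--hostlist-exclude`
  # skips them. Either flag is omitted when its list is empty.
  whitelist = lib.optionalString (cfg.whitelist != [ ]) "--hostlist ${pkgs.writeText "zapret-whitelist" (lib.concatStringsSep "\n" cfg.whitelist)}";

  blacklist = lib.optionalString (cfg.blacklist != [ ]) "--hostlist-exclude ${pkgs.writeText "zapret-blacklist" (lib.concatStringsSep "\n" cfg.blacklist)}";

  # Extra nfqws arguments from the configuration, joined verbatim. systemd
  # performs the word splitting of ExecStart, so an entry containing spaces
  # becomes several arguments.
  params = lib.concatStringsSep " " cfg.params;

  # NFQUEUE number; must match between the service and the iptables rules.
  qnum = toString cfg.qnum;
in
{
  disabledModules = [ "services/networking/zapret.nix" ];
  # imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ];

  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        systemd.services.zapret = {
          description = "DPI bypass service";
          wantedBy = [ "multi-user.target" ];
          after = [ "network.target" ];
          serviceConfig = {
            ExecStart = "${cfg.package}/bin/nfqws --pidfile=/run/nfqws.pid ${params} ${whitelist} ${blacklist} --qnum=${qnum}";
            Type = "simple";
            PIDFile = "/run/nfqws.pid";
            Restart = "always";
            # nfqws has been observed to crash silently or slow the network
            # down, and it restarts instantly, so a forced hourly restart gave
            # the best experience.
            RuntimeMaxSec = "1h";

            # Hardening.
            #
            # NOTE(review): no User= is set, so nfqws is started as root with
            # the full capability bounding set. NFQUEUE requires CAP_NET_ADMIN
            # (and raw sockets CAP_NET_RAW); confirm whether the binary drops
            # privileges itself and, if it does, tighten CapabilityBoundingSet
            # and add RestrictAddressFamilies to match its socket usage.
            #
            # NOTE(review): ProtectSystem=strict mounts /run read-only; confirm
            # the pidfile write to /run/nfqws.pid still succeeds, otherwise use
            # RuntimeDirectory= and point --pidfile at it.
            DevicePolicy = "closed";
            KeyringMode = "private";
            LockPersonality = true;
            # Only blocks gaining privileges via execve(); dropping them is unaffected.
            NoNewPrivileges = true;
            PrivateTmp = true;
            PrivateMounts = true;
            ProtectClock = true;
            ProtectControlGroups = true;
            ProtectHome = true;
            ProtectHostname = true;
            ProtectKernelLogs = true;
            ProtectKernelModules = true;
            ProtectKernelTunables = true;
            ProtectSystem = "strict";
            ProtectProc = "invisible";
            RemoveIPC = true;
            RestrictNamespaces = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            SystemCallArchitectures = "native";
          };
        };
      }

      # Route system traffic via the service for the specified ports.
      #
      # NOTE(review): only IPv4 rules are installed (`iptables`), so IPv6 flows
      # to these ports leave the host without passing through nfqws.
      (lib.mkIf cfg.configureFirewall (
        let
          # In "first" mode only the first six packets of an HTTP connection are queued.
          httpParams = lib.optionalString (cfg.httpMode == "first") "-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6";

          udpPorts = lib.concatStringsSep "," cfg.udpPorts;

          # Match specifications shared by the add and delete rules. Packets
          # already carrying mark 0x40000000 are left alone so nfqws' own
          # re-injected packets are not queued again.
          httpsMatch = "-p tcp --dport 443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6";
          httpMatch = "-p tcp --dport 80 ${httpParams}";
          udpMatch = "-p udp -m multiport --dports ${udpPorts}";

          # `verb` is the iptables chain operation (-I, -A or -D).
          # --queue-bypass makes the rules fail-open: when nfqws is not listening
          # on the queue the packets are accepted unmodified, i.e. the bypass
          # silently stops working rather than breaking connectivity.
          mkRule = verb: match: "iptables -t mangle ${verb} POSTROUTING ${match} -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass";

          # Insertion order matters: the TCP rules are inserted at the top of
          # POSTROUTING, the UDP rule is appended.
          addRules =
            [ (mkRule "-I" httpsMatch) ]
            ++ lib.optional cfg.httpSupport (mkRule "-I" httpMatch)
            ++ lib.optional cfg.udpSupport (mkRule "-A" udpMatch);

          # Remove the rules again when the firewall stops. extraCommands runs
          # on every firewall (re)start and the NixOS firewall only flushes its
          # own chains, so without this the rules outlive the firewall and
          # duplicate across restarts. Deleting a rule that is already gone is
          # not an error.
          delRules = map (match: "${mkRule "-D" match} 2>/dev/null || true") (
            [ httpsMatch ]
            ++ lib.optional cfg.httpSupport httpMatch
            ++ lib.optional cfg.udpSupport udpMatch
          );
        in
        {
          networking.firewall.extraCommands = lib.concatMapStrings (rule: rule + "\n") addRules;
          networking.firewall.extraStopCommands = lib.concatMapStrings (rule: rule + "\n") delRules;
        }
      ))
    ]
  );
}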