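# TODO: Saved just in case for the dark future.
# Basically just make yourself a shell alias gw-default="sudo ip route del default; sudo ip route add default via <router ip>"
# and a shell alias gw-vpn="sudo ip route del default; sudo ip route add default via <vpn ip>".
#
# Container module "zapret": runs nfqws (zapret) behind an NFQUEUE rule for
# outgoing TCP 80/443, plus a microsocks SOCKS proxy and a Tor client using
# obfs4 bridges.  Everything listens on cfg.address and the two ports are
# forwarded from the host.
{ container, pkgs, lib, config, ... }:
with lib;
let
  cfg = config.container.module.zapret;

  # NFQUEUE number shared by the iptables rule and nfqws --qnum; the two must match.
  qnum = 200;

  # Rule body (table/chain/action supplied at the call site) that hands the
  # first packets of new outgoing HTTP/HTTPS connections to nfqws.  Packets
  # already carrying the 0x40000000 mark are skipped — presumably the mark
  # nfqws sets on packets it re-injects, so they are not queued a second time
  # (confirm against the nfqws fwmark setting).
  nfqMatch = "-p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${toString qnum} --queue-bypass";

  # Insert the rule only if it is not already present (-C), so firewall
  # reloads and the `routes` oneshot below do not accumulate duplicates.
  ensureNfqRule = ''
    iptables -t mangle -C POSTROUTING ${nfqMatch} 2>/dev/null || iptables -t mangle -I POSTROUTING ${nfqMatch}
  '';
in
{
  options = {
    container.module.zapret = {
      enable = mkEnableOption "FRKN";
      address = mkOption {
        default = "10.1.0.69";
        type = types.str;
        description = "Container address; microsocks and the Tor SOCKS port listen here.";
      };
      port = mkOption {
        default = 1080;
        # types.port rejects values outside 0-65535 that types.int would accept.
        type = types.port;
        description = "microsocks listen port (forwarded from the host).";
      };
      torport = mkOption {
        default = 9150;
        type = types.port;
        description = "Tor client SOCKS port (forwarded from the host).";
      };
    };
  };

  config = mkIf cfg.enable {
    containers.zapret = container.mkContainer cfg {
      # Both ports are forwarded for TCP and UDP.  microsocks only speaks TCP, so
      # the UDP entry for cfg.port is presumably unused — confirm before relying on it.
      forwardPorts = [
        { containerPort = cfg.port; hostPort = cfg.port; protocol = "tcp"; }
        { containerPort = cfg.port; hostPort = cfg.port; protocol = "udp"; }
        { containerPort = cfg.torport; hostPort = cfg.torport; protocol = "tcp"; }
        { containerPort = cfg.torport; hostPort = cfg.torport; protocol = "udp"; }
      ];

      config = { ... }: container.mkContainerConfig cfg {
        boot.kernel.sysctl = {
          # NOTE(review): presumably needed for the fwmark-based handling above — confirm.
          "net.ipv4.conf.all.src_valid_mark" = 1;
          "net.ipv4.ip_forward" = 1;
        };

        environment.systemPackages = with pkgs; [ iptables ];

        networking = {
          # Plain resolvers: DNS from inside the container does not go through
          # Tor (DNSPort / client.dns are commented out below).
          nameservers = [
            "10.1.0.6"
            "1.1.1.1"
          ];

          firewall = {
            extraCommands = ensureNfqRule;
            # The rule lives in mangle/POSTROUTING, outside the chains the NixOS
            # firewall flushes itself, so remove it explicitly on stop/reload.
            extraStopCommands = ''
              iptables -t mangle -D POSTROUTING ${nfqMatch} 2>/dev/null || true
            '';
            #iptables -A OUTPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 200 --queue-bypass
          };
        };

        services = {
          # NOTE(review): microsocks runs without authentication (authUsername is
          # unset) and with logging disabled; anything that can reach
          # cfg.address:cfg.port — including through the host port forward —
          # gets an open proxy.  Restrict reachability on the host side.
          microsocks = {
            enable = true;
            ip = cfg.address;
            port = cfg.port;
            disableLogging = true;
            #authUsername
            #outgoingBindIp
            #authOnce
          };

          tor = {
            enable = true;
            openFirewall = true;
            settings = let
              # Country codes never used as nodes; {??} is Tor's "unknown country".
              exclude = "{RU},{UA},{BY},{KZ},{CN},{??}";
            in {
              ExcludeExitNodes = exclude;
              ExcludeNodes = exclude;
              #DNSPort = dnsport;
              UseBridges = true;
              ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
              # NOTE(review): these bridge lines were re-joined from a
              # whitespace-mangled copy; re-check each against the original
              # before relying on it.
              Bridge = [
                "obfs4 94.103.89.153:4443 5617848964FD6546968B5BF3FFA6C11BCCABE58B cert=tYsmuuTe9phJS0Gh8NKIpkVZP/XKs7gJCqi31o8LClwYetxzFz0fQZgsMwhNcIlZ0HG5LA iat-mode=0"
                "obfs4 121.45.140.249:12123 0922E212E33B04F0B7C1E398161E8EDE06734F26 cert=3AQ4iJFAzxzt7a/zgXIiFEs6fvrXInXt1Dtr09DgnpvUzG/iiyRTdXYZKSYpI124Zt3ZUA iat-mode=0"
                "obfs4 79.137.11.45:45072 ECA3197D49A29DDECD4ACBF9BCF15E4987B78137 cert=2FKyLWkPgMNCWxBD3cNOTRxJH3XP+HdStPGKMjJfw2YbvVjihIp3X2BCrtxQya9m5II5XA iat-mode=0"
                "obfs4 145.239.31.71:10161 882125D15B59BB82BE66F999056CB676D3F061F8 cert=AnD+EvcBMuQDVM7PwW7NgFAzW1M5jDm7DjQtIIcBSjoyAf1FJ2p535rrYL2Kk8POAd0+aw iat-mode=0"
              ];
            };
            client = {
              enable = true;
              #dns.enable = true;
              socksListenAddress = {
                IsolateDestAddr = true;
                addr = cfg.address;
                port = cfg.torport;
              };
            };
          };
        };

        systemd = {
          # tor, zapret and routes are wanted by nothing directly; these timers
          # start them 5 s after boot instead.
          timers = {
            tor = {
              timerConfig = {
                OnBootSec = 5;
                Unit = "tor.service";
              };
              wantedBy = [ "timers.target" ];
            };
            zapret = {
              timerConfig = {
                OnBootSec = 5;
                Unit = "zapret.service";
              };
              wantedBy = [ "timers.target" ];
            };
            routes = {
              timerConfig = {
                OnBootSec = 5;
                Unit = "routes.service";
              };
              wantedBy = [ "timers.target" ];
            };
          };

          services = {
            # Keep tor off the default targets; the timer above starts it.
            tor.wantedBy = lib.mkForce [ ];

            zapret = {
              description = "FRKN";
              wantedBy = [ ];
              # requires= alone does not order the units; after= is needed as well.
              requires = [ "network.target" ];
              after = [ "network.target" ];
              path = with pkgs; [ zapret ];
              serviceConfig = {
                ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=${toString qnum}";
                Type = "simple";
                # With Type=simple systemd already tracks the main PID; the pid
                # file is kept for compatibility with the nfqws --pidfile flag.
                PIDFile = "/run/nfqws.pid";
                # NixOS provides no /bin/kill; use the store path so reload works.
                ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
                Restart = "always";
                RestartSec = "5s";
              };
            };

            routes = {
              description = "FRKN routes";
              wantedBy = [ ];
              requires = [ "network.target" ];
              after = [ "network.target" ];
              path = with pkgs; [ iptables ];
              # Applies the same rule as firewall.extraCommands; kept as a separate
              # oneshot so the timer can re-apply it after boot.  `script` runs
              # under a shell, which the -C || -I check needs (ExecStart= does not).
              script = ensureNfqRule;
              serviceConfig.Type = "oneshot";
            };
          };
        };
      };
    };
  };
}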