diff --git a/config/Setting.nix b/config/Setting.nix index f265230..2ad2da3 100644 --- a/config/Setting.nix +++ b/config/Setting.nix @@ -40,19 +40,6 @@ }; }; - # Zapret params. - zapret = mkOption { - default = {}; - type = types.submodule { - options = { - params = mkOption { - default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack"; - type = types.str; - }; - }; - }; - }; - # CPU configurations. cpu = mkOption { default = {}; diff --git a/container/Yt.nix b/container/Yt.nix index dc3a5d8..64aa557 100644 --- a/container/Yt.nix +++ b/container/Yt.nix @@ -1,4 +1,4 @@ -{ container, pkgs, lib, config, ... }: with lib; let +{ container, pkgs, lib, config, __findFile, ... }: with lib; let cfg = config.container.module.yt; in { options = { @@ -26,6 +26,9 @@ in { config = mkIf cfg.enable { containers.yt = container.mkContainer cfg { config = { ... }: container.mkContainerConfig cfg { + imports = [ ]; + module.zapret.enable = true; + services.invidious = { enable = true; domain = cfg.domain; 
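Review bot: The added `imports = [ ];` in the containers.yt config is a no-op placeholder that reads as leftover scaffolding; the container/Zapret.nix `@@ -29,20 +29,8` hunk adds the same empty list. If the intent was to pull module/Zapret.nix into the container explicitly so that `module.zapret.enable = true;` resolves there, the module path belongs in that list; if mkContainerConfig already wires the host's modules into the container (not visible here), the line should be dropped rather than kept empty. A one-line comment such as `# module.zapret is provided by mkContainerConfig` would settle which of the two it is. The enclosing `containers.yt` attribute set continues outside the hunk.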
@@ -46,52 +49,6 @@ in { https_only = true; }; }; - - systemd = { - timers = { - zapret = { - timerConfig = { - OnBootSec = 5; - Unit = "zapret.service"; - }; - wantedBy = [ "timers.target" ]; - }; - routes = { - timerConfig = { - OnBootSec = 5; - Unit = "routes.service"; - }; - wantedBy = [ "timers.target" ]; - }; - }; - - services = { - zapret = { - description = "FRKN"; - wantedBy = [ ]; - requires = [ "network.target" ]; - path = with pkgs; [ zapret ]; - serviceConfig = { - ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200"; - Type = "simple"; - PIDFile = "/run/nfqws.pid"; - ExecReload = "/bin/kill -HUP $MAINPID"; - Restart = "always"; - RestartSec = "5s"; - }; - }; - routes = { - description = "FRKN routes"; - wantedBy = [ ]; - requires = [ "network.target" ]; - path = with pkgs; [ iptables ]; - serviceConfig = { - ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass"; - Type = "oneshot"; - }; - }; - }; - }; }; }; }; diff --git a/container/Zapret.nix b/container/Zapret.nix index 979c58d..fbd31e6 100644 --- a/container/Zapret.nix +++ b/container/Zapret.nix @@ -1,6 +1,6 @@ # TODO: Saved just in case for the dark future. # в целом просто сделай себе шелл алиас gw-default="sudo ip route del default; sudo ip route add default via айпишник роутера" и шелл алиас gw-vpn="sudo ip route del default; sudo ip route add default via айпишник_впна" -{ container, pkgs, lib, config, ... }: with lib; let +{ container, pkgs, lib, config, __findFile, ... }: with lib; let cfg = config.container.module.zapret; in { options = { 
@@ -29,20 +29,8 @@ in { "net.ipv4.ip_forward" = 1; }; - environment.systemPackages = with pkgs; [ iptables ]; - - networking = { - nameservers = [ - "10.1.0.6" - "1.1.1.1" - ]; - firewall = { - extraCommands = '' - iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass - ''; - #iptables -A OUTPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 200 --queue-bypass - }; - }; + imports = [ ]; + module.zapret.enable = true; services = { microsocks = { 
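Review bot: Dropping the `networking.nameservers = [ "10.1.0.6" "1.1.1.1" ];` block is not offset by anything in the new module, which only contributes the mangle rule and the nfqws unit, so the zapret container loses its explicit resolvers in this commit. Together with `useHostResolvConf = lib.mkForce false` in lib/Container.nix this may leave the container without working DNS unless resolvers arrive from somewhere not visible here. If the removal is intentional, a short note in the file would help; otherwise keep the nameservers line next to `module.zapret.enable = true;`. Removing `environment.systemPackages = with pkgs; [ iptables ];` looks harmless, since the rule now runs through `networking.firewall.extraCommands`, which supplies its own iptables. The enclosing `config = mkIf cfg.enable {` block continues outside the hunk.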
@@ -87,56 +75,14 @@ in { }; systemd = { - timers = { - tor = { - timerConfig = { - OnBootSec = 5; - Unit = "tor.service"; - }; - wantedBy = [ "timers.target" ]; - }; - zapret = { - timerConfig = { - OnBootSec = 5; - Unit = "zapret.service"; - }; - wantedBy = [ "timers.target" ]; - }; - routes = { - timerConfig = { - OnBootSec = 5; - Unit = "routes.service"; - }; - wantedBy = [ "timers.target" ]; - }; - }; + services.tor.wantedBy = lib.mkForce []; - services = { - tor.wantedBy = lib.mkForce []; - zapret = { - description = "FRKN"; - wantedBy = [ ]; - requires = [ "network.target" ]; - path = with pkgs; [ zapret ]; - serviceConfig = { - ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200"; - Type = "simple"; - PIDFile = "/run/nfqws.pid"; - ExecReload = "/bin/kill -HUP $MAINPID"; - Restart = "always"; - RestartSec = "5s"; - }; - }; - routes = { - description = "FRKN routes"; - wantedBy = [ ]; - requires = [ "network.target" ]; - path = with pkgs; [ iptables ]; - serviceConfig = { - ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass"; - Type = "oneshot"; - }; + timers.tor = { + timerConfig = { + OnBootSec = 5; + Unit = "tor.service"; }; + wantedBy = [ "timers.target" ]; }; }; }; diff --git a/flake.nix b/flake.nix index cdd7a43..6a8ff3b 100644 --- a/flake.nix +++ b/flake.nix @@ -150,7 +150,8 @@ nixosConfigurations = let # Function to create a host. It does basic setup, like adding common modules. - mkHost = { system, hostname, modules } @args: nixpkgs.lib.nixosSystem { + mkHost = { system, hostname, modules }: let + in nixpkgs.lib.nixosSystem { # `Inherit` is just an alias for `system = system;`, which means that # keep the `system` argument as a property in a resulting set. inherit system; 
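Review bot: The new `mkHost = { system, hostname, modules }: let in nixpkgs.lib.nixosSystem {` carries an empty `let in`, which binds nothing and only hints that something was deleted. Either drop it, `mkHost = { system, hostname, modules }: nixpkgs.lib.nixosSystem {`, or move the bindings it was meant to hold into it. Dropping `@args` is fine provided nothing in the body referenced `args`; that body continues past the hunk, so this is inferred.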
@@ -167,12 +168,11 @@ { system.stateVersion = self.const.stateVersion; } # Add modules. - { imports = + { imports = [ ./home/NixOs.nix ] ++ (self.findFiles ./config) ++ (self.findFiles ./container) ++ (self.findFiles ./module) ++ - (self.findFiles ./overlay) ++ - [ ./home/NixOs.nix ]; + (self.findFiles ./overlay); } # Add Home Manager module. diff --git a/home/program/bash/module/Zapret.nix b/home/program/bash/module/Zapret.nix index 7204a9f..2d60476 100644 --- a/home/program/bash/module/Zapret.nix +++ b/home/program/bash/module/Zapret.nix @@ -3,7 +3,7 @@ # FRKN. function zapret() { iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass - nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200 + nfqws --pidfile=/run/nfqws.pid ${config.module.zapret.params} --qnum=200 } ''; } diff --git a/host/x86_64-linux/home/default.nix b/host/x86_64-linux/home/default.nix index f8fb08c..06360db 100644 --- a/host/x86_64-linux/home/default.nix +++ b/host/x86_64-linux/home/default.nix @@ -31,6 +31,17 @@ core.enable = true; desktop.enable = true; }; + zapret = { + enable = true; + whitelist = '' + youtube.com + googlevideo.com + ytimg.com + rutracker.org + rutracker.cc + rutrk.org + ''; + }; }; setting = { diff --git a/lib/Container.nix b/lib/Container.nix index 013eae1..7e2d959 100644 --- a/lib/Container.nix +++ b/lib/Container.nix @@ -45,8 +45,14 @@ # HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686 useHostResolvConf = lib.mkForce false; - # Disable firewall. - firewall.enable = false; + # Configure firewall. + firewall = { + enable = true; + extraCommands = '' + # Full access from the host. + iptables -I INPUT -s ${config.container.host} -j ALLOW + ''; + }; }; } extra; diff --git a/module/Zapret.nix b/module/Zapret.nix new file mode 100644 index 0000000..e9a2828 
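Review bot: Moving `./home/NixOs.nix` to the front of the imports list does not change evaluation: the NixOS module system merges all imported modules regardless of list order, so if the reorder was meant to give the home module precedence over ./config, ./container and the others, it has no effect, and priorities have to be expressed with `lib.mkDefault`/`lib.mkForce` inside the modules themselves. If the move is purely cosmetic, a comment such as `# order is cosmetic; module merging is order-independent` would stop the next reader from reading intent into it.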
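Review bot: The interactive `zapret` shell function now reads `config.module.zapret.params` but still ignores the `whitelist`/`blacklist` options the new module introduces, so running it by hand applies the desync to all port 80/443 traffic while the systemd unit in module/Zapret.nix restricts it with `--hostlist`/`--hostlist-exclude`. If the two are meant to behave the same, the function should receive the same host-list arguments, for example by exposing the assembled argument string as a module option and interpolating it here; if the function is deliberately the unrestricted variant, a comment above `function zapret()` should say so. Note also, pre-existing, that each call runs `iptables -I ... -j NFQUEUE` unconditionally, so repeated invocations stack duplicate mangle rules.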
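Review bot: `iptables -I INPUT -s ${config.container.host} -j ALLOW` names a target that does not exist in iptables; the accept target is `ACCEPT`, so `networking.firewall.extraCommands` aborts with an unknown-target error and, now that `firewall.enable = true` is applied to every container built through mkContainer, the container firewall fails to start with it. The idiomatic NixOS form is `iptables -A nixos-fw -s ${config.container.host} -j nixos-fw-accept`, which lands inside the chain the firewall flushes and rebuilds on every restart; a rule inserted directly into INPUT is never removed by the firewall script and accumulates across reloads unless `extraStopCommands` deletes it. Flipping the firewall from disabled to enabled for all containers also means any container service reached from somewhere other than the host now needs its port opened explicitly, and if `config.container.host` can hold an IPv6 address the rule needs an ip6tables counterpart; both are inferred, since the rest of mkContainer is outside the hunk.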
--- /dev/null +++ b/module/Zapret.nix @@ -0,0 +1,65 @@ +{ lib, config, pkgs, util, ... }: with lib; let + cfg = config.module.zapret; + + whitelist = if cfg.whitelist != null then + "--hostlist ${pkgs.writeText "ZapretWhitelist" (util.trimTabs cfg.whitelist)}" + else ""; + + blacklist = if cfg.blacklist != null then + "--hostlist-exclude ${pkgs.writeText "ZapretBlacklist" (util.trimTabs cfg.blacklist)}" + else ""; +in { + options = { + module.zapret = mkOption { + default = {}; + type = types.submodule { + options = { + enable = mkEnableOption "Enable Zapret service."; + params = mkOption { + default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack"; + type = types.str; + }; + whitelist = mkOption { + default = null; + type = types.nullOr types.str; + }; + blacklist = mkOption { + default = null; + type = types.nullOr types.str; + }; + }; + }; + }; + }; + + config = mkIf cfg.enable { + networking.firewall.extraCommands = '' + iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass + ''; + + systemd = { + services.zapret = { + description = "FRKN"; + wantedBy = [ ]; + requires = [ "network.target" ]; + path = with pkgs; [ zapret ]; + serviceConfig = { + ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${cfg.params} ${whitelist} ${blacklist} --qnum=200"; + Type = "simple"; + PIDFile = "/run/nfqws.pid"; + ExecReload = "/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "5s"; + }; + }; + + timers.zapret = { + timerConfig = { + OnBootSec = 5; + Unit = "zapret.service"; + }; + wantedBy = [ "timers.target" ]; + }; + }; + }; +}
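Review bot: The mangle rule added through `networking.firewall.extraCommands` has no matching `networking.firewall.extraStopCommands`, and the NixOS firewall only flushes its own `nixos-fw*` chains on restart, so every firewall restart or reload inserts another copy of the `-I POSTROUTING ... -j NFQUEUE --queue-num 200` rule; add `networking.firewall.extraStopCommands = "iptables -t mangle -D POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass 2>/dev/null || true";` (same match, `-D` instead of `-I`). `ExecReload = "/bin/kill -HUP $MAINPID"` points at a path NixOS does not provide, so `systemctl reload zapret` fails unless something else creates /bin/kill; `ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";` is the portable form. The unit has `requires = [ "network.target" ]` but no `after`, so ordering against the network is not guaranteed; `after = [ "network.target" ];` is the usual pairing. On documentation, `mkEnableOption "Enable Zapret service."` renders as "Whether to enable Enable Zapret service..", so prefer `mkEnableOption "Zapret DPI-desync service"`, and `params`, `whitelist` and `blacklist` should each carry a `description` stating that the last two are newline-separated host lists written to a file and passed as `--hostlist`/`--hostlist-exclude`.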