Zapret : Move to service.

This commit is contained in:
Dmitry Voronin 2024-08-28 01:31:17 +03:00
parent 7a476f44b8
commit 3d4f38ad58
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
8 changed files with 102 additions and 130 deletions


@ -40,19 +40,6 @@
}; };
}; };
# Zapret params.
zapret = mkOption {
default = {};
type = types.submodule {
options = {
params = mkOption {
default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack";
type = types.str;
};
};
};
};
# CPU configurations. # CPU configurations.
cpu = mkOption { cpu = mkOption {
default = {}; default = {};


@ -1,4 +1,4 @@
{ container, pkgs, lib, config, ... }: with lib; let { container, pkgs, lib, config, __findFile, ... }: with lib; let
cfg = config.container.module.yt; cfg = config.container.module.yt;
in { in {
options = { options = {
@ -26,6 +26,9 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
containers.yt = container.mkContainer cfg { containers.yt = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg { config = { ... }: container.mkContainerConfig cfg {
imports = [ <module/Zapret.nix> ];
module.zapret.enable = true;
services.invidious = { services.invidious = {
enable = true; enable = true;
domain = cfg.domain; domain = cfg.domain;
@ -46,52 +49,6 @@ in {
https_only = true; https_only = true;
}; };
}; };
systemd = {
timers = {
zapret = {
timerConfig = {
OnBootSec = 5;
Unit = "zapret.service";
};
wantedBy = [ "timers.target" ];
};
routes = {
timerConfig = {
OnBootSec = 5;
Unit = "routes.service";
};
wantedBy = [ "timers.target" ];
};
};
services = {
zapret = {
description = "FRKN";
wantedBy = [ ];
requires = [ "network.target" ];
path = with pkgs; [ zapret ];
serviceConfig = {
ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200";
Type = "simple";
PIDFile = "/run/nfqws.pid";
ExecReload = "/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "5s";
};
};
routes = {
description = "FRKN routes";
wantedBy = [ ];
requires = [ "network.target" ];
path = with pkgs; [ iptables ];
serviceConfig = {
ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass";
Type = "oneshot";
};
};
};
};
}; };
}; };
}; };
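Review bot: `imports = [ <module/Zapret.nix> ];` makes this container's evaluation depend on `__findFile`, which the new argument pattern `{ container, pkgs, lib, config, __findFile, ... }` now requires from the caller with no default; nothing on this page shows mkHost or the container helper passing it, so if it is not supplied the call fails with a missing-argument error, and a `<...>` lookup also resolves through the NIX_PATH-style search path rather than the flake tree. A relative path such as `imports = [ ../module/Zapret.nix ];` (assuming this file lives under `container/`) pins the module to the repository without either dependency. The same applies to the zapret container section further down. Note also that `module.zapret.enable = true` here leaves `whitelist` at its null default, so nfqws in this container desyncs every 80/443 connection, as it did before the move.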


@ -1,6 +1,6 @@
# TODO: Saved just in case for the dark future. # TODO: Saved just in case for the dark future.
# в целом просто сделай себе шелл алиас gw-default="sudo ip route del default; sudo ip route add default via айпишник роутера" и шелл алиас gw-vpn="sudo ip route del default; sudo ip route add default via айпишник_впна" # в целом просто сделай себе шелл алиас gw-default="sudo ip route del default; sudo ip route add default via айпишник роутера" и шелл алиас gw-vpn="sudo ip route del default; sudo ip route add default via айпишник_впна"
{ container, pkgs, lib, config, ... }: with lib; let { container, pkgs, lib, config, __findFile, ... }: with lib; let
cfg = config.container.module.zapret; cfg = config.container.module.zapret;
in { in {
options = { options = {
@ -29,20 +29,8 @@ in {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
}; };
environment.systemPackages = with pkgs; [ iptables ]; imports = [ <module/Zapret.nix> ];
module.zapret.enable = true;
networking = {
nameservers = [
"10.1.0.6"
"1.1.1.1"
];
firewall = {
extraCommands = ''
iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
'';
#iptables -A OUTPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 200 --queue-bypass
};
};
services = { services = {
microsocks = { microsocks = {
@ -87,57 +75,15 @@ in {
}; };
systemd = { systemd = {
timers = { services.tor.wantedBy = lib.mkForce [];
tor = {
timers.tor = {
timerConfig = { timerConfig = {
OnBootSec = 5; OnBootSec = 5;
Unit = "tor.service"; Unit = "tor.service";
}; };
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
}; };
zapret = {
timerConfig = {
OnBootSec = 5;
Unit = "zapret.service";
};
wantedBy = [ "timers.target" ];
};
routes = {
timerConfig = {
OnBootSec = 5;
Unit = "routes.service";
};
wantedBy = [ "timers.target" ];
};
};
services = {
tor.wantedBy = lib.mkForce [];
zapret = {
description = "FRKN";
wantedBy = [ ];
requires = [ "network.target" ];
path = with pkgs; [ zapret ];
serviceConfig = {
ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200";
Type = "simple";
PIDFile = "/run/nfqws.pid";
ExecReload = "/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "5s";
};
};
routes = {
description = "FRKN routes";
wantedBy = [ ];
requires = [ "network.target" ];
path = with pkgs; [ iptables ];
serviceConfig = {
ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass";
Type = "oneshot";
};
};
};
}; };
}; };
}; };
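Review bot: Besides the move to the module, this hunk drops `networking.nameservers = [ "10.1.0.6" "1.1.1.1" ]`, which the title "Move to service" does not cover; with `useHostResolvConf` forced off in what appears to be the shared container config below, what this container resolves against afterwards is not visible on this page. If the container base now supplies resolvers, a one-line mention in the commit message would make that explicit; otherwise the list should stay. The commented-out `#iptables -A OUTPUT ... --sport 443` rule is also gone, which is fine if nobody still needs it as a reference. The enclosing `config = mkIf cfg.enable` block starts outside the hunk.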


@ -150,7 +150,8 @@
nixosConfigurations = let nixosConfigurations = let
# Function to create a host. It does basic setup, like adding common modules. # Function to create a host. It does basic setup, like adding common modules.
mkHost = { system, hostname, modules } @args: nixpkgs.lib.nixosSystem { mkHost = { system, hostname, modules }: let
in nixpkgs.lib.nixosSystem {
# `Inherit` is just an alias for `system = system;`, which means that # `Inherit` is just an alias for `system = system;`, which means that
# keep the `system` argument as a property in a resulting set. # keep the `system` argument as a property in a resulting set.
inherit system; inherit system;
@ -167,12 +168,11 @@
{ system.stateVersion = self.const.stateVersion; } { system.stateVersion = self.const.stateVersion; }
# Add modules. # Add modules.
{ imports = { imports = [ ./home/NixOs.nix ] ++
(self.findFiles ./config) ++ (self.findFiles ./config) ++
(self.findFiles ./container) ++ (self.findFiles ./container) ++
(self.findFiles ./module) ++ (self.findFiles ./module) ++
(self.findFiles ./overlay) ++ (self.findFiles ./overlay);
[ ./home/NixOs.nix ];
} }
# Add Home Manager module. # Add Home Manager module.
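Review bot: The new `mkHost = { system, hostname, modules }: let` followed by a bare `in nixpkgs.lib.nixosSystem {` is an empty `let … in` that binds nothing; it reads as a leftover from an edit and sends a reader looking for bindings that are not there. Either drop it, `mkHost = { system, hostname, modules }: nixpkgs.lib.nixosSystem {`, or add the binding it was meant to hold. Dropping `@args` alongside is fine, since nothing visible used it. The body of `mkHost` continues outside both hunks.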


@ -3,7 +3,7 @@
# FRKN. # FRKN.
function zapret() { function zapret() {
iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200 nfqws --pidfile=/run/nfqws.pid ${config.module.zapret.params} --qnum=200
} }
''; '';
} }
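Review bot: The `zapret()` shell function now reads `${config.module.zapret.params}` but still builds its own nfqws command line, so it omits the `--hostlist`/`--hostlist-exclude` flags that module/Zapret.nix derives from `whitelist`/`blacklist`; run by hand it desyncs every 80/443 connection regardless of those lists, while the service honours them. Running it while the service is active also inserts a second copy of the NFQUEUE rule with `-I` and attempts a second nfqws on queue 200 (pre-existing, but worth a line). A comment such as `# Manual fallback: mirrors the service but ignores module.zapret.whitelist/blacklist.` would make the drift visible; better still, derive both command lines from one place. The enclosing attribute set starts outside the hunk.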


@ -31,6 +31,17 @@
core.enable = true; core.enable = true;
desktop.enable = true; desktop.enable = true;
}; };
zapret = {
enable = true;
whitelist = ''
youtube.com
googlevideo.com
ytimg.com
rutracker.org
rutracker.cc
rutrk.org
'';
};
}; };
setting = { setting = {
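Review bot: The new `zapret.whitelist` block has no comment saying what the list does, and the name alone is ambiguous: module/Zapret.nix turns it into an nfqws `--hostlist`, i.e. only connections to these hosts get DPI desync and all other 80/443 traffic passes through untouched. A one-liner above it, `# Hosts that get DPI desync (nfqws --hostlist); all other 80/443 traffic is left alone.`, would save the next reader a trip into the module. The entries are indented inside the `''` string and the module strips them with `util.trimTabs`; the name suggests this relies on tab indentation, so confirm the file does not use spaces here. The enclosing `module` set starts outside the hunk.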


@ -45,8 +45,14 @@
# HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686 # HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
# Disable firewall. # Configure firewall.
firewall.enable = false; firewall = {
enable = true;
extraCommands = ''
# Full access from the host.
iptables -I INPUT -s ${config.container.host} -j ALLOW
'';
};
}; };
} extra; } extra;
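Review bot: `iptables -I INPUT -s ${config.container.host} -j ALLOW` names a target that iptables does not have; the accept target is `ACCEPT`, so the line should read `iptables -I INPUT -s ${config.container.host} -j ACCEPT`. As written the extraCommands script errors when the firewall starts, and because this sits in the shared container config every container is affected (how the NixOS firewall unit reacts to a failing extraCommands is not visible here, but at minimum the intended rule is not installed). The rule is also IPv4-only (`iptables` rather than `ip46tables`) and trusts a source address, which is acceptable on a host-to-container veth but deserves a comment saying so. Finally, flipping `firewall.enable` from false to true closes every port not opened via `allowedTCPPorts` in each container, so services such as invidious need their ports declared; nothing on this page shows that.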

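--- /dev/null
+++ b/module/Zapret.nix
@@ -0,0 +1,65 @@
+{ lib, config, pkgs, util, ... }: with lib; let
+cfg = config.module.zapret;
+whitelist = if cfg.whitelist != null then
+"--hostlist ${pkgs.writeText "ZapretWhitelist" (util.trimTabs cfg.whitelist)}"
+else "";
+blacklist = if cfg.blacklist != null then
+"--hostlist-exclude ${pkgs.writeText "ZapretBlacklist" (util.trimTabs cfg.blacklist)}"
+else "";
+in {
+options = {
+module.zapret = mkOption {
+default = {};
+type = types.submodule {
+options = {
+enable = mkEnableOption "Enable Zapret service.";
+params = mkOption {
+default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack";
+type = types.str;
+};
+whitelist = mkOption {
+default = null;
+type = types.nullOr types.str;
+};
+blacklist = mkOption {
+default = null;
+type = types.nullOr types.str;
+};
+};
+};
+};
+};
+config = mkIf cfg.enable {
+networking.firewall.extraCommands = ''
+iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
+'';
+systemd = {
+services.zapret = {
+description = "FRKN";
+wantedBy = [ ];
+requires = [ "network.target" ];
+path = with pkgs; [ zapret ];
+serviceConfig = {
+ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${cfg.params} ${whitelist} ${blacklist} --qnum=200";
+Type = "simple";
+PIDFile = "/run/nfqws.pid";
+ExecReload = "/bin/kill -HUP $MAINPID";
+Restart = "always";
+RestartSec = "5s";
+};
+};
+timers.zapret = {
+timerConfig = {
+OnBootSec = 5;
+Unit = "zapret.service";
+};
+wantedBy = [ "timers.target" ];
+};
+};
+};
+}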
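Review bot: `ExecReload = "/bin/kill -HUP $MAINPID"` points at a path that does not exist on NixOS (only /bin/sh is provided), so `systemctl reload zapret` fails; use a store path, `ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";`. The unit runs nfqws as root with no sandboxing — no `User`, `CapabilityBoundingSet`, `ProtectSystem` or similar — while binding an NFQUEUE needs only CAP_NET_ADMIN; nfqws can also drop privileges itself after setup (its `--user`/`--uid` option, as I recall — confirm against the packaged version). `mkEnableOption "Enable Zapret service."` produces the description "Whether to enable Enable Zapret service."; pass just `"Zapret service"`, and `params`, `whitelist` and `blacklist` deserve `description`s, in particular that the two lists become nfqws `--hostlist` and `--hostlist-exclude`. The NFQUEUE rule is installed through `networking.firewall.extraCommands`, which only runs when `networking.firewall.enable` is true; with the firewall off nfqws starts but sees no traffic, so the module should assert on or set that option.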