Zapret : Move to service.
This commit is contained in:
parent
7a476f44b8
commit
3d4f38ad58
|
@ -40,19 +40,6 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Zapret params.
|
||||
zapret = mkOption {
|
||||
default = {};
|
||||
type = types.submodule {
|
||||
options = {
|
||||
params = mkOption {
|
||||
default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack";
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# CPU configurations.
|
||||
cpu = mkOption {
|
||||
default = {};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ container, pkgs, lib, config, ... }: with lib; let
|
||||
{ container, pkgs, lib, config, __findFile, ... }: with lib; let
|
||||
cfg = config.container.module.yt;
|
||||
in {
|
||||
options = {
|
||||
|
@ -26,6 +26,9 @@ in {
|
|||
config = mkIf cfg.enable {
|
||||
containers.yt = container.mkContainer cfg {
|
||||
config = { ... }: container.mkContainerConfig cfg {
|
||||
imports = [ <module/Zapret.nix> ];
|
||||
module.zapret.enable = true;
|
||||
|
||||
services.invidious = {
|
||||
enable = true;
|
||||
domain = cfg.domain;
|
||||
|
@ -46,52 +49,6 @@ in {
|
|||
https_only = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd = {
|
||||
timers = {
|
||||
zapret = {
|
||||
timerConfig = {
|
||||
OnBootSec = 5;
|
||||
Unit = "zapret.service";
|
||||
};
|
||||
wantedBy = [ "timers.target" ];
|
||||
};
|
||||
routes = {
|
||||
timerConfig = {
|
||||
OnBootSec = 5;
|
||||
Unit = "routes.service";
|
||||
};
|
||||
wantedBy = [ "timers.target" ];
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
zapret = {
|
||||
description = "FRKN";
|
||||
wantedBy = [ ];
|
||||
requires = [ "network.target" ];
|
||||
path = with pkgs; [ zapret ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200";
|
||||
Type = "simple";
|
||||
PIDFile = "/run/nfqws.pid";
|
||||
ExecReload = "/bin/kill -HUP $MAINPID";
|
||||
Restart = "always";
|
||||
RestartSec = "5s";
|
||||
};
|
||||
};
|
||||
routes = {
|
||||
description = "FRKN routes";
|
||||
wantedBy = [ ];
|
||||
requires = [ "network.target" ];
|
||||
path = with pkgs; [ iptables ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass";
|
||||
Type = "oneshot";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
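Review bot: Inside the yt container only `module.zapret.enable = true;` is set (the `@ -26,6 +26,9 @@` hunk), so the container's nfqws runs with the module's default `params` and no `--hostlist`, while the host configuration in this same commit sets `module.zapret.whitelist`. If the container is meant to use the same whitelist it has to be passed in here as well, e.g. `module.zapret.whitelist = config.module.zapret.whitelist;` — assuming the outer `config` is reachable inside `mkContainerConfig`, which the hunk does not show. The `<module/Zapret.nix>` angle-bracket lookup depends on the `__findFile` argument added in the first hunk; if this file is ever evaluated without it the lookup falls back to NIX_PATH. The enclosing `containers.yt` set continues outside the hunk.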
@ -1,6 +1,6 @@
|
|||
# TODO: Saved just in case for the dark future.
|
||||
# в целом просто сделай себе шелл алиас gw-default="sudo ip route del default; sudo ip route add default via айпишник роутера" и шелл алиас gw-vpn="sudo ip route del default; sudo ip route add default via айпишник_впна"
|
||||
{ container, pkgs, lib, config, ... }: with lib; let
|
||||
{ container, pkgs, lib, config, __findFile, ... }: with lib; let
|
||||
cfg = config.container.module.zapret;
|
||||
in {
|
||||
options = {
|
||||
|
@ -29,20 +29,8 @@ in {
|
|||
"net.ipv4.ip_forward" = 1;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [ iptables ];
|
||||
|
||||
networking = {
|
||||
nameservers = [
|
||||
"10.1.0.6"
|
||||
"1.1.1.1"
|
||||
];
|
||||
firewall = {
|
||||
extraCommands = ''
|
||||
iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
'';
|
||||
#iptables -A OUTPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
};
|
||||
};
|
||||
imports = [ <module/Zapret.nix> ];
|
||||
module.zapret.enable = true;
|
||||
|
||||
services = {
|
||||
microsocks = {
|
||||
|
@ -87,57 +75,15 @@ in {
|
|||
};
|
||||
|
||||
systemd = {
|
||||
timers = {
|
||||
tor = {
|
||||
services.tor.wantedBy = lib.mkForce [];
|
||||
|
||||
timers.tor = {
|
||||
timerConfig = {
|
||||
OnBootSec = 5;
|
||||
Unit = "tor.service";
|
||||
};
|
||||
wantedBy = [ "timers.target" ];
|
||||
};
|
||||
zapret = {
|
||||
timerConfig = {
|
||||
OnBootSec = 5;
|
||||
Unit = "zapret.service";
|
||||
};
|
||||
wantedBy = [ "timers.target" ];
|
||||
};
|
||||
routes = {
|
||||
timerConfig = {
|
||||
OnBootSec = 5;
|
||||
Unit = "routes.service";
|
||||
};
|
||||
wantedBy = [ "timers.target" ];
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
tor.wantedBy = lib.mkForce [];
|
||||
zapret = {
|
||||
description = "FRKN";
|
||||
wantedBy = [ ];
|
||||
requires = [ "network.target" ];
|
||||
path = with pkgs; [ zapret ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200";
|
||||
Type = "simple";
|
||||
PIDFile = "/run/nfqws.pid";
|
||||
ExecReload = "/bin/kill -HUP $MAINPID";
|
||||
Restart = "always";
|
||||
RestartSec = "5s";
|
||||
};
|
||||
};
|
||||
routes = {
|
||||
description = "FRKN routes";
|
||||
wantedBy = [ ];
|
||||
requires = [ "network.target" ];
|
||||
path = with pkgs; [ iptables ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass";
|
||||
Type = "oneshot";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
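Review bot: The `@ -29,20 +29,8 @@` hunk removes `networking.nameservers` (`"10.1.0.6"`, `"1.1.1.1"`) together with the zapret firewall rule, which goes beyond moving zapret into the shared module. The container template touched in this commit keeps `useHostResolvConf = lib.mkForce false`, so unless `mkContainerConfig` supplies resolvers elsewhere the zapret container is left without DNS. If that is not intended, keep `networking.nameservers = [ "10.1.0.6" "1.1.1.1" ];` next to the new `module.zapret.enable = true;`. The attribute set these hunks sit in opens and closes outside them.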
@ -150,7 +150,8 @@
|
|||
|
||||
nixosConfigurations = let
|
||||
# Function to create a host. It does basic setup, like adding common modules.
|
||||
mkHost = { system, hostname, modules } @args: nixpkgs.lib.nixosSystem {
|
||||
mkHost = { system, hostname, modules }: let
|
||||
in nixpkgs.lib.nixosSystem {
|
||||
# `Inherit` is just an alias for `system = system;`, which means that
|
||||
# keep the `system` argument as a property in a resulting set.
|
||||
inherit system;
|
||||
|
@ -167,12 +168,11 @@
|
|||
{ system.stateVersion = self.const.stateVersion; }
|
||||
|
||||
# Add modules.
|
||||
{ imports =
|
||||
{ imports = [ ./home/NixOs.nix ] ++
|
||||
(self.findFiles ./config) ++
|
||||
(self.findFiles ./container) ++
|
||||
(self.findFiles ./module) ++
|
||||
(self.findFiles ./overlay) ++
|
||||
[ ./home/NixOs.nix ];
|
||||
(self.findFiles ./overlay);
|
||||
}
|
||||
|
||||
# Add Home Manager module.
|
||||
|
|
|
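Review bot: The rewritten `mkHost` in the `@ -150,7 +150,8 @@` hunk introduces a `let` with no bindings — `mkHost = { system, hostname, modules }: let` is immediately followed by `in nixpkgs.lib.nixosSystem {`. An empty `let … in` is valid Nix but reads as a leftover; either drop it and write `mkHost = { system, hostname, modules }: nixpkgs.lib.nixosSystem {`, or add a short comment stating which binding it is reserved for. Dropping the unused `@args` pattern looks fine. The `nixosSystem` call continues outside the hunk.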
@ -3,7 +3,7 @@
|
|||
# FRKN.
|
||||
function zapret() {
|
||||
iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200
|
||||
nfqws --pidfile=/run/nfqws.pid ${config.module.zapret.params} --qnum=200
|
||||
}
|
||||
'';
|
||||
}
|
||||
|
|
|
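Review bot: The `zapret` shell function still inserts the mangle NFQUEUE rule and starts nfqws by hand, which now duplicates what `zapret.service` from `module/Zapret.nix` does: each call adds another copy of the rule (`-I` does not check for an existing one) and launches a second nfqws on the same `--qnum=200` and `/run/nfqws.pid`. It also ignores the new `whitelist`/`blacklist` options, so it behaves differently from the service. Consider reducing it to `function zapret() { systemctl start zapret.service; }` or removing it now that the service exists. The `''` string this function lives in opens outside the hunk.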
@ -31,6 +31,17 @@
|
|||
core.enable = true;
|
||||
desktop.enable = true;
|
||||
};
|
||||
zapret = {
|
||||
enable = true;
|
||||
whitelist = ''
|
||||
youtube.com
|
||||
googlevideo.com
|
||||
ytimg.com
|
||||
rutracker.org
|
||||
rutracker.cc
|
||||
rutrk.org
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
setting = {
|
||||
|
|
|
@ -45,8 +45,14 @@
|
|||
# HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686
|
||||
useHostResolvConf = lib.mkForce false;
|
||||
|
||||
# Disable firewall.
|
||||
firewall.enable = false;
|
||||
# Configure firewall.
|
||||
firewall = {
|
||||
enable = true;
|
||||
extraCommands = ''
|
||||
# Full access from the host.
|
||||
iptables -I INPUT -s ${config.container.host} -j ALLOW
|
||||
'';
|
||||
};
|
||||
};
|
||||
} extra;
|
||||
|
||||
|
|
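Review bot: `iptables -I INPUT -s ${config.container.host} -j ALLOW` names a target that does not exist in iptables; the built-in target is `ACCEPT`, so the line should read `iptables -I INPUT -s ${config.container.host} -j ACCEPT`. As written the rule is rejected when `extraCommands` run, which breaks firewall start-up for every container built from this template now that `firewall.enable = true`. The rule is IPv4-only; if the host reaches containers over IPv6 an `ip6tables` equivalent is needed as well. The enclosing set closes with `} extra;` inside the hunk but opens outside it.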
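--- a/module/Zapret.nix
+++ b/module/Zapret.nix
@@ -0,0 +1,65 @@
+{ lib, config, pkgs, util, ... }: with lib; let
+cfg = config.module.zapret;
+
+whitelist = if cfg.whitelist != null then
+"--hostlist ${pkgs.writeText "ZapretWhitelist" (util.trimTabs cfg.whitelist)}"
+else "";
+
+blacklist = if cfg.blacklist != null then
+"--hostlist-exclude ${pkgs.writeText "ZapretBlacklist" (util.trimTabs cfg.blacklist)}"
+else "";
+in {
+options = {
+module.zapret = mkOption {
+default = {};
+type = types.submodule {
+options = {
+enable = mkEnableOption "Enable Zapret service.";
+params = mkOption {
+default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack";
+type = types.str;
+};
+whitelist = mkOption {
+default = null;
+type = types.nullOr types.str;
+};
+blacklist = mkOption {
+default = null;
+type = types.nullOr types.str;
+};
+};
+};
+};
+};
+
+config = mkIf cfg.enable {
+networking.firewall.extraCommands = ''
+iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
+'';
+
+systemd = {
+services.zapret = {
+description = "FRKN";
+wantedBy = [ ];
+requires = [ "network.target" ];
+path = with pkgs; [ zapret ];
+serviceConfig = {
+ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${cfg.params} ${whitelist} ${blacklist} --qnum=200";
+Type = "simple";
+PIDFile = "/run/nfqws.pid";
+ExecReload = "/bin/kill -HUP $MAINPID";
+Restart = "always";
+RestartSec = "5s";
+};
+};
+
+timers.zapret = {
+timerConfig = {
+OnBootSec = 5;
+Unit = "zapret.service";
+};
+wantedBy = [ "timers.target" ];
+};
+};
+};
+}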
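Review bot: `networking.firewall.extraCommands` inserts the mangle `POSTROUTING … -j NFQUEUE --queue-num 200` rule with `-I` but nothing ever removes it, and as far as I recall the NixOS firewall start/stop scripts only manage their own `nixos-fw` chains and do not flush the mangle table, so every firewall restart or reload stacks another copy of the rule. Add a matching `networking.firewall.extraStopCommands` that runs the same rule with `-D` in place of `-I`, suffixed with `|| true` so a missing rule does not fail the stop script. Separately, `whitelist`/`blacklist` are free-form `types.str` blobs fixed up by `util.trimTabs`; `types.listOf types.str` joined with `concatStringsSep "\n"` would type-check each entry and make the `pkgs.writeText` hostlist independent of indentation. `path = with pkgs; [ zapret ];` is redundant with the absolute `${pkgs.zapret}/bin/nfqws` in `ExecStart` and can be dropped.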