Zapret : Move to service.

This commit is contained in:
Dmitry Voronin 2024-08-28 01:31:17 +03:00
parent 7a476f44b8
commit 3d4f38ad58
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
8 changed files with 102 additions and 130 deletions

View file

@ -40,19 +40,6 @@
};
};
# Zapret params.
zapret = mkOption {
default = {};
type = types.submodule {
options = {
params = mkOption {
default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack";
type = types.str;
};
};
};
};
# CPU configurations.
cpu = mkOption {
default = {};

View file

@ -1,4 +1,4 @@
{ container, pkgs, lib, config, ... }: with lib; let
{ container, pkgs, lib, config, __findFile, ... }: with lib; let
cfg = config.container.module.yt;
in {
options = {
@ -26,6 +26,9 @@ in {
config = mkIf cfg.enable {
containers.yt = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg {
imports = [ <module/Zapret.nix> ];
module.zapret.enable = true;
services.invidious = {
enable = true;
domain = cfg.domain;
@ -46,52 +49,6 @@ in {
https_only = true;
};
};
systemd = {
timers = {
zapret = {
timerConfig = {
OnBootSec = 5;
Unit = "zapret.service";
};
wantedBy = [ "timers.target" ];
};
routes = {
timerConfig = {
OnBootSec = 5;
Unit = "routes.service";
};
wantedBy = [ "timers.target" ];
};
};
services = {
zapret = {
description = "FRKN";
wantedBy = [ ];
requires = [ "network.target" ];
path = with pkgs; [ zapret ];
serviceConfig = {
ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200";
Type = "simple";
PIDFile = "/run/nfqws.pid";
ExecReload = "/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "5s";
};
};
routes = {
description = "FRKN routes";
wantedBy = [ ];
requires = [ "network.target" ];
path = with pkgs; [ iptables ];
serviceConfig = {
ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass";
Type = "oneshot";
};
};
};
};
};
};
};

View file

@ -1,6 +1,6 @@
# TODO: Saved just in case for the dark future.
# в целом просто сделай себе шелл алиас gw-default="sudo ip route del default; sudo ip route add default via айпишник роутера" и шелл алиас gw-vpn="sudo ip route del default; sudo ip route add default via айпишник_впна"
{ container, pkgs, lib, config, ... }: with lib; let
{ container, pkgs, lib, config, __findFile, ... }: with lib; let
cfg = config.container.module.zapret;
in {
options = {
@ -29,20 +29,8 @@ in {
"net.ipv4.ip_forward" = 1;
};
environment.systemPackages = with pkgs; [ iptables ];
networking = {
nameservers = [
"10.1.0.6"
"1.1.1.1"
];
firewall = {
extraCommands = ''
iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
'';
#iptables -A OUTPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 200 --queue-bypass
};
};
imports = [ <module/Zapret.nix> ];
module.zapret.enable = true;
services = {
microsocks = {
@ -87,57 +75,15 @@ in {
};
systemd = {
timers = {
tor = {
services.tor.wantedBy = lib.mkForce [];
timers.tor = {
timerConfig = {
OnBootSec = 5;
Unit = "tor.service";
};
wantedBy = [ "timers.target" ];
};
zapret = {
timerConfig = {
OnBootSec = 5;
Unit = "zapret.service";
};
wantedBy = [ "timers.target" ];
};
routes = {
timerConfig = {
OnBootSec = 5;
Unit = "routes.service";
};
wantedBy = [ "timers.target" ];
};
};
services = {
tor.wantedBy = lib.mkForce [];
zapret = {
description = "FRKN";
wantedBy = [ ];
requires = [ "network.target" ];
path = with pkgs; [ zapret ];
serviceConfig = {
ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200";
Type = "simple";
PIDFile = "/run/nfqws.pid";
ExecReload = "/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "5s";
};
};
routes = {
description = "FRKN routes";
wantedBy = [ ];
requires = [ "network.target" ];
path = with pkgs; [ iptables ];
serviceConfig = {
ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass";
Type = "oneshot";
};
};
};
};
};
};

View file

@ -150,7 +150,8 @@
nixosConfigurations = let
# Function to create a host. It does basic setup, like adding common modules.
mkHost = { system, hostname, modules } @args: nixpkgs.lib.nixosSystem {
mkHost = { system, hostname, modules }: let
in nixpkgs.lib.nixosSystem {
# `Inherit` is just an alias for `system = system;`, which means that
# keep the `system` argument as a property in a resulting set.
inherit system;
@ -167,12 +168,11 @@
{ system.stateVersion = self.const.stateVersion; }
# Add modules.
{ imports =
{ imports = [ ./home/NixOs.nix ] ++
(self.findFiles ./config) ++
(self.findFiles ./container) ++
(self.findFiles ./module) ++
(self.findFiles ./overlay) ++
[ ./home/NixOs.nix ];
(self.findFiles ./overlay);
}
# Add Home Manager module.

View file

@ -3,7 +3,7 @@
# FRKN.
function zapret() {
iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200
nfqws --pidfile=/run/nfqws.pid ${config.module.zapret.params} --qnum=200
}
'';
}

View file

@ -31,6 +31,17 @@
core.enable = true;
desktop.enable = true;
};
zapret = {
enable = true;
whitelist = ''
youtube.com
googlevideo.com
ytimg.com
rutracker.org
rutracker.cc
rutrk.org
'';
};
};
setting = {

View file

@ -45,8 +45,14 @@
# HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
# Disable firewall.
firewall.enable = false;
# Configure firewall.
firewall = {
enable = true;
extraCommands = ''
# Full access from the host.
iptables -I INPUT -s ${config.container.host} -j ALLOW
'';
};
};
} extra;

65
module/Zapret.nix Normal file
View file

@ -0,0 +1,65 @@
{ lib, config, pkgs, util, ... }: with lib; let
cfg = config.module.zapret;
whitelist = if cfg.whitelist != null then
"--hostlist ${pkgs.writeText "ZapretWhitelist" (util.trimTabs cfg.whitelist)}"
else "";
blacklist = if cfg.blacklist != null then
"--hostlist-exclude ${pkgs.writeText "ZapretBlacklist" (util.trimTabs cfg.blacklist)}"
else "";
in {
options = {
module.zapret = mkOption {
default = {};
type = types.submodule {
options = {
enable = mkEnableOption "Enable Zapret service.";
params = mkOption {
default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack";
type = types.str;
};
whitelist = mkOption {
default = null;
type = types.nullOr types.str;
};
blacklist = mkOption {
default = null;
type = types.nullOr types.str;
};
};
};
};
};
config = mkIf cfg.enable {
networking.firewall.extraCommands = ''
iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
'';
systemd = {
services.zapret = {
description = "FRKN";
wantedBy = [ ];
requires = [ "network.target" ];
path = with pkgs; [ zapret ];
serviceConfig = {
ExecStart = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${cfg.params} ${whitelist} ${blacklist} --qnum=200";
Type = "simple";
PIDFile = "/run/nfqws.pid";
ExecReload = "/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "5s";
};
};
timers.zapret = {
timerConfig = {
OnBootSec = 5;
Unit = "zapret.service";
};
wantedBy = [ "timers.target" ];
};
};
};
}