Zapret : Move to service.

2024-08-28 01:31:17 +03:00 · 2024-08-28 01:31:17 +03:00 · 3d4f38ad58
parent 7a476f44b8
commit 3d4f38ad58
8 changed files with 102 additions and 130 deletions
--- a/config/Setting.nix
+++ b/config/Setting.nix
@ -40,19 +40,6 @@
 			};
 		};

-		# Zapret params.
-		zapret = mkOption {
-			default = {};
-			type = types.submodule {
-				options = {
-					params = mkOption {
-						default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack";
-						type    = types.str;
-					};
-				};
-			};
-		};
-
 		# CPU configurations.
 		cpu = mkOption {
 			default = {};
--- a/container/Yt.nix
+++ b/container/Yt.nix
@ -1,4 +1,4 @@
-{ container, pkgs, lib, config, ... }: with lib; let
+{ container, pkgs, lib, config, __findFile, ... }: with lib; let
 	cfg = config.container.module.yt;
 in {
 	options = {
@ -26,6 +26,9 @@ in {
 	config = mkIf cfg.enable {
 		containers.yt = container.mkContainer cfg {
 			config = { ... }: container.mkContainerConfig cfg {
+				imports = [ <module/Zapret.nix> ];
+				module.zapret.enable = true;
+
 				services.invidious = {
 					enable = true;
 					domain = cfg.domain;
@ -46,52 +49,6 @@ in {
 						https_only           = true;
 					};
 				};
-
-				systemd = {
-					timers = {
-						zapret = {
-							timerConfig = {
-								OnBootSec = 5;
-								Unit      = "zapret.service";
-							};
-							wantedBy = [ "timers.target" ];
-						};
-						routes = {
-							timerConfig = {
-								OnBootSec = 5;
-								Unit      = "routes.service";
-							};
-							wantedBy = [ "timers.target" ];
-						};
-					};
-
-					services = {
-						zapret = {
-							description = "FRKN";
-							wantedBy = [ ];
-							requires = [ "network.target" ];
-							path = with pkgs; [ zapret ];
-							serviceConfig = {
-								ExecStart  = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200";
-								Type       = "simple";
-								PIDFile    = "/run/nfqws.pid";
-								ExecReload = "/bin/kill -HUP $MAINPID";
-								Restart    = "always";
-								RestartSec = "5s";
-							};
-						};
-						routes = {
-							description = "FRKN routes";
-							wantedBy = [ ];
-							requires = [ "network.target" ];
-							path = with pkgs; [ iptables ];
-							serviceConfig = {
-								ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass";
-								Type = "oneshot";
-							};
-						};
-					};
-				};
 			};
 		};
 	};
--- a/container/Zapret.nix
+++ b/container/Zapret.nix
@ -1,6 +1,6 @@
 # TODO: Saved just in case for the dark future.
 # в целом просто сделай себе шелл алиас gw-default="sudo ip route del default; sudo ip route add default via айпишник роутера" и шелл алиас gw-vpn="sudo ip route del default; sudo ip route add default via айпишник_впна"
-{ container, pkgs, lib, config, ... }: with lib; let
+{ container, pkgs, lib, config, __findFile, ... }: with lib; let
 	cfg = config.container.module.zapret;
 in {
 	options = {
@ -29,20 +29,8 @@ in {
 					"net.ipv4.ip_forward" = 1;
 				};

-				environment.systemPackages = with pkgs; [ iptables ];
-
-				networking = {
-					nameservers = [
-						"10.1.0.6"
-						"1.1.1.1"
-					];
-					firewall = {
-						extraCommands = ''
-							iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
-						'';
-						#iptables -A OUTPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 200 --queue-bypass
-					};
-				};
+				imports = [ <module/Zapret.nix> ];
+				module.zapret.enable = true;

 				services = {
 					microsocks = {
@ -87,56 +75,14 @@ in {
 				};

 				systemd = {
-					timers = {
-						tor = {
-							timerConfig = {
-								OnBootSec = 5;
-								Unit      = "tor.service";
-							};
-							wantedBy = [ "timers.target" ];
-						};
-						zapret = {
-							timerConfig = {
-								OnBootSec = 5;
-								Unit      = "zapret.service";
-							};
-							wantedBy = [ "timers.target" ];
-						};
-						routes = {
-							timerConfig = {
-								OnBootSec = 5;
-								Unit      = "routes.service";
-							};
-							wantedBy = [ "timers.target" ];
-						};
-					};
+					services.tor.wantedBy = lib.mkForce [];

-					services = {
-						tor.wantedBy = lib.mkForce [];
-						zapret = {
-							description = "FRKN";
-							wantedBy = [ ];
-							requires = [ "network.target" ];
-							path = with pkgs; [ zapret ];
-							serviceConfig = {
-								ExecStart  = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params} --qnum=200";
-								Type       = "simple";
-								PIDFile    = "/run/nfqws.pid";
-								ExecReload = "/bin/kill -HUP $MAINPID";
-								Restart    = "always";
-								RestartSec = "5s";
-							};
-						};
-						routes = {
-							description = "FRKN routes";
-							wantedBy = [ ];
-							requires = [ "network.target" ];
-							path = with pkgs; [ iptables ];
-							serviceConfig = {
-								ExecStart = "${pkgs.iptables}/bin/iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass";
-								Type = "oneshot";
-							};
+					timers.tor = {
+						timerConfig = {
+							OnBootSec = 5;
+							Unit      = "tor.service";
 						};
+						wantedBy = [ "timers.target" ];
 					};
 				};
 			};
--- a/flake.nix
+++ b/flake.nix
@ -150,7 +150,8 @@

 		nixosConfigurations = let
 			# Function to create a host. It does basic setup, like adding common modules.
-			mkHost = { system, hostname, modules } @args: nixpkgs.lib.nixosSystem {
+			mkHost = { system, hostname, modules }: let
+			in nixpkgs.lib.nixosSystem {
 				# `Inherit` is just an alias for `system = system;`, which means that
 				# keep the `system` argument as a property in a resulting set.
 				inherit system;
@ -167,12 +168,11 @@
 					{ system.stateVersion = self.const.stateVersion; }

 					# Add modules.
-					{ imports =
+					{ imports = [ ./home/NixOs.nix ] ++
 						(self.findFiles ./config) ++
 						(self.findFiles ./container) ++
 						(self.findFiles ./module) ++
-						(self.findFiles ./overlay) ++
-						[ ./home/NixOs.nix ];
+						(self.findFiles ./overlay);
 					}

 					# Add Home Manager module.
--- a/home/program/bash/module/Zapret.nix
+++ b/home/program/bash/module/Zapret.nix
@ -3,7 +3,7 @@
 		# FRKN.
 		function zapret() {
 			iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
-			nfqws --pidfile=/run/nfqws.pid ${config.setting.zapret.params}  --qnum=200
+			nfqws --pidfile=/run/nfqws.pid ${config.module.zapret.params} --qnum=200
 		}
 	'';
 }
--- a/host/x86_64-linux/home/default.nix
+++ b/host/x86_64-linux/home/default.nix
@ -31,6 +31,17 @@
 			core.enable    = true;
 			desktop.enable = true;
 		};
+		zapret = {
+			enable = true;
+			whitelist = ''
+				youtube.com
+				googlevideo.com
+				ytimg.com
+				rutracker.org
+				rutracker.cc
+				rutrk.org
+			'';
+		};
 	};

 	setting = {
--- a/lib/Container.nix
+++ b/lib/Container.nix
@ -45,8 +45,14 @@
 			# HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686
 			useHostResolvConf = lib.mkForce false;

-			# Disable firewall.
-			firewall.enable = false;
+			# Configure firewall.
+			firewall = {
+				enable = true;
+				extraCommands = ''
+					# Full access from the host.
+					iptables -I INPUT -s ${config.container.host} -j ALLOW
+				'';
+			};
 		};
 	} extra;

--- a/module/Zapret.nix
+++ b/module/Zapret.nix
@ -0,0 +1,65 @@
+{ lib, config, pkgs, util, ... }: with lib; let
+	cfg = config.module.zapret;
+
+	whitelist = if cfg.whitelist != null then
+		"--hostlist ${pkgs.writeText "ZapretWhitelist" (util.trimTabs cfg.whitelist)}"
+	else "";
+
+	blacklist = if cfg.blacklist != null then
+		"--hostlist-exclude ${pkgs.writeText "ZapretBlacklist" (util.trimTabs cfg.blacklist)}"
+	else "";
+in {
+	options = {
+		module.zapret = mkOption {
+			default = {};
+			type = types.submodule {
+				options = {
+					enable = mkEnableOption "Enable Zapret service.";
+					params = mkOption {
+						default = "--dpi-desync=fake,split2 --dpi-desync-fooling=datanoack";
+						type    = types.str;
+					};
+					whitelist = mkOption {
+						default = null;
+						type    = types.nullOr types.str;
+					};
+					blacklist = mkOption {
+						default = null;
+						type    = types.nullOr types.str;
+					};
+				};
+			};
+		};
+	};
+
+	config = mkIf cfg.enable {
+		networking.firewall.extraCommands = ''
+			iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
+		'';
+
+		systemd = {
+			services.zapret = {
+				description = "FRKN";
+				wantedBy = [ ];
+				requires = [ "network.target" ];
+				path = with pkgs; [ zapret ];
+				serviceConfig = {
+					ExecStart  = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${cfg.params} ${whitelist} ${blacklist} --qnum=200";
+					Type       = "simple";
+					PIDFile    = "/run/nfqws.pid";
+					ExecReload = "/bin/kill -HUP $MAINPID";
+					Restart    = "always";
+					RestartSec = "5s";
+				};
+			};
+
+			timers.zapret = {
+				timerConfig = {
+					OnBootSec = 5;
+					Unit      = "zapret.service";
+				};
+				wantedBy = [ "timers.target" ];
+			};
+		};
+	};
+}