Zapret : Update service.

host/x86_64-linux/home/default.nix

@@ -25,21 +25,24 @@
 		};
 		zapret = {
 			enable = true;
-			params = "--dpi-desync=fake,disorder2 --dpi-desync-ttl=1 --dpi-desync-autottl=2";
+			params = [
-			autolist = "${config.container.module.frkn.storage}/Autolist.txt";
+				"--dpi-desync=fake,disorder2"
-			whitelist = ''
+				"--dpi-desync-ttl=1"
-				youtube.com
+				"--dpi-desync-autottl=2"
-				googlevideo.com
+			];
-				ytimg.com
+			whitelist = [
-				youtu.be
+				"youtube.com"
-				rutracker.org
+				"googlevideo.com"
-				rutracker.cc
+				"ytimg.com"
-				rutrk.org
+				"youtu.be"
-				t-ru.org
+				"rutracker.org"
-				medium.com
+				"rutracker.cc"
-				quora.com
+				"rutrk.org"
-				quoracdn.net
+				"t-ru.org"
-			'';
+				"medium.com"
+				"quora.com"
+				"quoracdn.net"
+			];
 		};
 	};
 

module/Zapret.nix

@@ -1,80 +1,156 @@
-# SOURCE: https://github.com/bol-van/zapret
+{
-{ lib, config, pkgs, util, ... }: with lib; let
+	lib,
+	config,
+	pkgs,
+	...
+}:
+let
 	cfg = config.module.zapret;
 
-	whitelist = if cfg.whitelist != null then
+	whitelist =
-		"--hostlist ${pkgs.writeText "ZapretWhitelist" (util.trimTabs cfg.whitelist)}"
+		if cfg.whitelist != null then
-	else "";
+			"--hostlist ${pkgs.writeText "zapret-whitelist" (lib.concatStringsSep "\n" cfg.whitelist)}"
+		else
+			"";
 
-	blacklist = if cfg.blacklist != null then
+	blacklist =
-		"--hostlist-exclude ${pkgs.writeText "ZapretBlacklist" (util.trimTabs cfg.blacklist)}"
+		if cfg.blacklist != null then
-	else "";
+			"--hostlist-exclude ${pkgs.writeText "zapret-blacklist" (lib.concatStringsSep "\n" cfg.blacklist)}"
+		else
+			"";
 
-	# ISSUE: Seems broken. Adds nothing automatically.
+	ports = if cfg.httpSupport then "80,443" else "443";
-	autolist = if cfg.autolist != null then
+in
-		"--hostlist-auto ${cfg.autolist}"
+	{
-	else "";
+	options.module.zapret = {
-in {
+		enable = lib.mkEnableOption "Enable Zapret DPI bypass service.";
-	options = {
+		package = lib.mkPackageOption pkgs "zapret" { };
-		module.zapret = mkOption {
+		params = lib.mkOption {
-			default = {};
+			default = null;
-			type = types.submodule {
+			type = with lib.types; listOf str;
-				options = {
+			example = ''
-					enable = mkEnableOption "Enable Zapret service.";
+				[
-					params = mkOption {
+					"--dpi-desync=fake,disorder2"
-						default = null;
+					"--dpi-desync-ttl=1"
-						type    = types.str;
+					"--dpi-desync-autottl=2"
-					};
+				];
-					whitelist = mkOption {
+			'';
-						default = null;
+			description = ''
-						type    = types.nullOr types.str;
+				Specify the bypass parameters for Zapret binary.
-					};
+				There are no universal parameters as they vary between different networks, so you'll have to find them yourself.
-					blacklist = mkOption {
+
-						default = null;
+				This can be done by running the `blockcheck` binary from zapret package, i.e. `nix-shell -p zapret --command blockcheck`.
-						type    = types.nullOr types.str;
+				It'll try different params and then tell you which params are working for your network.
-					};
+			'';
-					autolist = mkOption {
+		};
-						default = null;
+		whitelist = lib.mkOption {
-						type    = types.nullOr types.str;
+			default = null;
-					};
+			type = with lib.types; nullOr (listOf str);
-					qnum = mkOption {
+			example = ''
-						default = 200;
+				[
-						type    = types.int;
+					"youtube.com"
-					};
+					"googlevideo.com"
-				};
+					"ytimg.com"
-			};
+					"youtu.be"
+				]
+			'';
+			description = ''
+				Specify a list of domains to bypass. All other domains will be ignored.
+				You can specify either whitelist or blacklist, but not both.
+				If neither are specified, then bypass all domains.
+
+				It is recommended to specify the whitelist. This will make sure that other resources won't be affected by this service.
+			'';
+		};
+		blacklist = lib.mkOption {
+			default = null;
+			type = with lib.types; nullOr (listOf str);
+			example = ''
+				[
+					"example.com"
+				]
+			'';
+			description = ''
+				Specify a list of domains NOT to bypass. All other domains will be bypassed.
+				You can specify either whitelist or blacklist, but not both.
+				If neither are specified, then bypass all domains.
+			'';
+		};
+		qnum = lib.mkOption {
+			default = 200;
+			type = lib.types.int;
+			description = ''
+				Routing queue number.
+				Only change this if you already use the default queue number somewhere else.
+			'';
+		};
+		configureFirewall = lib.mkOption {
+			default = true;
+			type = lib.types.bool;
+			description = ''
+				Whether to setup firewall routing so that system http(s) traffic is forwarded via this service.
+				Disable if you want to set it up manually.
+			'';
+		};
+		httpSupport = lib.mkOption {
+			default = true;
+			type = lib.types.bool;
+			description = ''
+				Whether to route http traffic on port 80.
+				Http bypass rarely works and you might want to disable it if you don't utilise http connections.
+			'';
 		};
 	};
 
-	config = mkIf cfg.enable {
+	config = lib.mkIf cfg.enable (
-		networking.firewall.extraCommands = ''
+		lib.mkMerge [
-			iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${toString cfg.qnum} --queue-bypass
+			{
-		'';
+				assertions = [
+					{
+						assertion = cfg.whitelist == null || cfg.blacklist == null;
+						message = "Can't specify both whitelist and blacklist.";
+					}
+				];
 
-		systemd = {
+				systemd.services.zapret = {
-			services.zapret = {
+					description = "DPI bypass service.";
-				description = "FRKN";
+					wantedBy = [ "multi-user.target" ];
-				wantedBy = [ ];
+					after = [ "network.target" ];
-				requires = [ "network.target" ];
+					serviceConfig = {
-				path = with pkgs; [ zapret ];
+						ExecStart = "${cfg.package}/bin/nfqws --pidfile=/run/nfqws.pid ${lib.concatStringsSep " " cfg.params} ${whitelist} ${blacklist} --qnum=${toString cfg.qnum}";
-				serviceConfig = {
+						Type = "simple";
-					ExecStart  = "${pkgs.zapret}/bin/nfqws --pidfile=/run/nfqws.pid ${cfg.params} ${whitelist} ${blacklist} ${autolist} --qnum=${toString cfg.qnum}";
+						PIDFile = "/run/nfqws.pid";
-					Type       = "simple";
+						Restart = "always";
-					PIDFile    = "/run/nfqws.pid";
+						RuntimeMaxSec = "1h"; # This service loves to crash silently or cause network slowdowns. It also restarts instantly. In my experience restarting it hourly provided the best experience.
-					ExecReload = "/bin/kill -HUP $MAINPID";
-					Restart       = "always";
-					# RestartSec    = "5s";
-					RuntimeMaxSec = "1h";
-				};
-			};
 
-			timers.zapret = {
+						# Hardening.
-				timerConfig = {
+						DevicePolicy = "closed";
-					OnBootSec = 5;
+						KeyringMode = "private";
-					Unit      = "zapret.service";
+						PrivateTmp = true;
+						PrivateMounts = true;
+						ProtectHome = true;
+						ProtectHostname = true;
+						ProtectKernelModules = true;
+						ProtectKernelTunables = true;
+						ProtectSystem = "strict";
+						ProtectProc = "invisible";
+						RemoveIPC = true;
+						RestrictNamespaces = true;
+						RestrictRealtime = true;
+						RestrictSUIDSGID = true;
+						SystemCallArchitectures = "native";
+					};
 				};
-				wantedBy = [ "timers.target" ];
+			}
-			};
+
-		};
+			# Route system traffic via service for specified ports.
-	};
+			(lib.mkIf cfg.configureFirewall {
+				networking.firewall.extraCommands = ''
+					iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports ${ports} -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${toString cfg.qnum} --queue-bypass
+				'';
+			})
+		]
+	);
+
+	meta.maintainers = with lib.maintainers; [ voronind ];
 }