L-Nafaryus/bonfire
L-Nafaryus/bonfire
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects 4 Releases Wiki Activity

nixosModules.zapret: manage filter lists only in service runtime
Some checks failed
nix / check (push) Failing after 5m4s
Details

Browse Source
This commit is contained in:
L-Nafaryus 2024-09-21 18:30:43 +05:00
parent 27d79a8647
commit ec11cf6a7b
Signed by: L-Nafaryus
GPG Key ID: 553C97999B363D38
2 changed files with 40 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
nixosConfigurations/astora/users.nix
View File

@ -641,22 +641,23 @@
services.zapret = { services.zapret = {
enable = true; enable = true;
mode = "tpws"; mode = "nfqws";
firewallType = "iptables"; firewallType = "iptables";
disableIpv6 = true; disableIpv6 = true;
settings = '' settings = ''
MODE_HTTP=1 MODE_HTTP=1
MODE_HTTP_KEEPALIVE=0 MODE_HTTP_KEEPALIVE=0
MODE_HTTPS=1 MODE_HTTPS=1
MODE_QUIC=0 MODE_QUIC=1
MODE_FILTER=ipset MODE_FILTER=ipset
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob" TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=7 --dpi-desync-fake-http=0x00000000"
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake,split2 --dpi-desync-ttl=4"
NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2 --dpi-desync-split-pos=1"
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=split2 --dpi-desync-repeats=6"
INIT_APPLY_FW=1 INIT_APPLY_FW=1
''; '';
filterAddresses = lib.readFile (pkgs.fetchurl { filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
url = "https://antifilter.network/download/ipsmart.lst";
hash = "sha256-zLq3rgci/rye1oQp2zbJelPaoN9+jqPebIbxfJ44Qlg=";
});
}; };
# TODO: remember who use gvfs # TODO: remember who use gvfs

57
nixosModules/services/zapret.nix
View File

@ -101,14 +101,30 @@ in {
description = "List of addresses to ignore"; description = "List of addresses to ignore";
}; };
# TODO: add filter and anti filter options with optional file paths dataDir = mkOption {
# TODO ipset hashsize and maxelem type = types.path;
default = "/var/lib/zapret";
description = ''
Directory to store zapret files and antifilter lists.
'';
};
filterAddressesSource = mkOption {
type = types.nullOr types.str;
default = null;
example = ''https://antifilter.network/download/ipsmart.lst'';
description = "Link to external list of addresses to download and use.";
};
# TODO: ipset hashsize and maxelem
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users.tpws = { users.users.tpws = {
isSystemUser = true; isSystemUser = true;
group = "tpws"; group = "tpws";
home = cfg.dataDir;
createHome = true;
}; };
users.groups.tpws = {}; users.groups.tpws = {};
@ -126,6 +142,8 @@ in {
) )
gawk gawk
ipset ipset
wget
curl
]; ];
serviceConfig = { serviceConfig = {
@ -133,10 +151,11 @@ in {
Restart = "no"; Restart = "no";
TimeoutSec = "30sec"; TimeoutSec = "30sec";
IgnoreSIGPIPE = "no"; IgnoreSIGPIPE = "no";
KillMode = "none"; #KillMode = "none";
GuessMainPID = "no"; GuessMainPID = "no";
RemainAfterExit = "no"; RemainAfterExit = "no";
WorkingDirectory = cfg.dataDir;
ExecStart = "${cfg.package}/bin/zapret start"; ExecStart = "${cfg.package}/bin/zapret start";
ExecStop = let ExecStop = let
stop_script = pkgs.writeShellScriptBin "zapret-stop" '' stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
@ -157,37 +176,25 @@ in {
DISABLE_IPV6=${toString cfg.disableIPV6} DISABLE_IPV6=${toString cfg.disableIPV6}
'' ''
]); ]);
# hardening
DevicePolicy = "closed";
KeyringMode = "private";
PrivateTmp = true;
PrivateMounts = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
}; };
preStart = let preStart = let
# zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" (lib.readFile cfg.package.passthru.antifilter.ipsmart)); zapretListFile = src: pkgs.writeText "zapretList" (createFilterList "zapret" src);
zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" cfg.filterAddresses); nozapretListFile = src: pkgs.writeText "nozapretList" (createFilterList "nozapret" src);
nozapretListFile = pkgs.writeText "nozapretList" (createFilterList "nozapret" cfg.ignoreAddresses);
in '' in ''
${lib.optionalString (cfg.filterAddressesSource != null) "curl -L '${cfg.filterAddressesSource}' -o ${cfg.dataDir}/zapretList && sed -i -e 's/^/add zapret /' '${cfg.dataDir}/zapretList'"}
ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -! ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
ipset flush zapret ipset flush zapret
ipset restore -! < ${zapretListFile} ipset restore -! < ${
if (cfg.filterAddressesSource != null)
then "${cfg.dataDir}/zapretList"
else (zapretListFile cfg.filterAddresses)
}
ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -! ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
ipset flush nozapret ipset flush nozapret
ipset restore -! < ${nozapretListFile} ipset restore -! < ${nozapretListFile cfg.ignoreAddresses}
''; '';
}; };
}; };