L-Nafaryus/bonfire
L-Nafaryus/bonfire
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects 4 Releases Wiki Activity

Compare commits

base: L-Nafaryus:155ca07aa0861c633ef093a5e630e2d263ef43d1
Branches Tags
L-Nafaryus:master
L-Nafaryus:devel
L-Nafaryus:catarina-radio-service
L-Nafaryus:packages-onetagger
L-Nafaryus:packages-wezterm
..
compare: L-Nafaryus:ce15dc90da9b6ba01aa235979dfaeceaf4cd3506
Branches Tags
L-Nafaryus:devel
L-Nafaryus:master
L-Nafaryus:catarina-radio-service
L-Nafaryus:packages-onetagger
L-Nafaryus:packages-wezterm

No commits in common. "155ca07aa0861c633ef093a5e630e2d263ef43d1" and "ce15dc90da9b6ba01aa235979dfaeceaf4cd3506" have entirely different histories.
155ca07aa0 ... ce15dc90da

9 changed files with 21 additions and 580 deletions
Show Stats Expand all files Collapse all files

153
flake.lock
View File

@ -130,58 +130,6 @@
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"freetype2": {
"flake": false,
"locked": {
"lastModified": 1687587065,
"narHash": "sha256-+Fh+/k+NWL5Ow9sDLtp8Cv/8rLNA1oByQQCIQS/bysY=",
"owner": "wez",
"repo": "freetype2",
"rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d",
"type": "github"
},
"original": {
"owner": "wez",
"repo": "freetype2",
"rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d",
"type": "github"
}
},
"harfbuzz": {
"flake": false,
"locked": {
"lastModified": 1711722720,
"narHash": "sha256-GdxcAPx5QyniSHPAN1ih28AD9JLUPR0ItqW9JEsl3pU=",
"owner": "harfbuzz",
"repo": "harfbuzz",
"rev": "63973005bc07aba599b47fdd4cf788647b601ccd",
"type": "github"
},
"original": {
"owner": "harfbuzz",
"ref": "8.4.0",
"repo": "harfbuzz",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -202,23 +150,6 @@
"type": "github"
}
},
"libpng": {
"flake": false,
"locked": {
"lastModified": 1549245649,
"narHash": "sha256-1+cRp0Ungme/OGfc9kGJbklYIWAFxk8Il1M+NV4KSgw=",
"owner": "glennrp",
"repo": "libpng",
"rev": "8439534daa1d3a5705ba92e653eda9251246dd61",
"type": "github"
},
"original": {
"owner": "glennrp",
"repo": "libpng",
"rev": "8439534daa1d3a5705ba92e653eda9251246dd61",
"type": "github"
}
},
"nixos-mailserver": {
"inputs": {
"blobs": "blobs",
@ -385,29 +316,7 @@
"nixvim": "nixvim",
"obs-image-reaction": "obs-image-reaction",
"oscuro": "oscuro",
"sops-nix": "sops-nix",
"wezterm": "wezterm"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"wezterm",
"nixpkgs"
]
},
"locked": {
"lastModified": 1721441897,
"narHash": "sha256-gYGX9/22tPNeF7dR6bWN5rsrpU4d06GnQNNgZ6ZiXz0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "b7996075da11a2d441cfbf4e77c2939ce51506fd",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
"sops-nix": "sops-nix"
}
},
"sops-nix": {
@ -445,66 +354,6 @@
"repo": "default-linux",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"wezterm": {
"inputs": {
"flake-utils": "flake-utils",
"freetype2": "freetype2",
"harfbuzz": "harfbuzz",
"libpng": "libpng",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay",
"zlib": "zlib"
},
"locked": {
"dir": "nix",
"lastModified": 1722353247,
"narHash": "sha256-pPH+IJ8pljR+PmeOdckoHvbQVfSBdStKbgXcaqdkTRk=",
"owner": "wez",
"repo": "wezterm",
"rev": "56a27e93a9ee50aab50ff4d78308f9b3154b5122",
"type": "github"
},
"original": {
"dir": "nix",
"owner": "wez",
"repo": "wezterm",
"type": "github"
}
},
"zlib": {
"flake": false,
"locked": {
"lastModified": 1484501380,
"narHash": "sha256-j5b6aki1ztrzfCqu8y729sPar8GpyQWIrajdzpJC+ww=",
"owner": "madler",
"repo": "zlib",
"rev": "cacf7f1d4e3d44d871b605da3b647f07d718623f",
"type": "github"
},
"original": {
"owner": "madler",
"ref": "v1.2.11",
"repo": "zlib",
"type": "github"
}
}
},
"root": "root",

4
flake.nix
View File

@ -62,10 +62,6 @@
url = "github:Aylur/ags";
inputs.nixpkgs.follows = "nixpkgs";
};
wezterm = {
url = "github:wez/wezterm?dir=nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {self, ...} @ inputs: let

145
nixosConfigurations/astora/users.nix
View File

@ -11,7 +11,7 @@
users.users.l-nafaryus = {
isNormalUser = true;
description = "L-Nafaryus";
extraGroups = ["networkmanager" "wheel" "audio" "libvirtd" "input" "video" "disk" "wireshark"];
extraGroups = ["networkmanager" "wheel" "audio" "libvirtd" "input" "video"];
group = "users";
uid = 1000;
initialPassword = "nixos";
@ -36,16 +36,20 @@
home.packages = with pkgs; [
#gnupg
git
#nnn
nnn
pass
taskwarrior
#tmux
gparted
firefox
xclip
(firefox.override {nativeMessagingHosts = [passff-host];})
thunderbird
discord
pipewire.jack # pw-jack
carla
qpwgraph
@ -97,10 +101,6 @@
steamtinkerlaunch
discord
webcord
vesktop
tor
networkmanagerapplet
#rofi-wayland
@ -115,17 +115,17 @@
musikcube
swww
hyprshot
(python3.withPackages (p: [p.click]))
mangohud
gamescope
libstrangle
webcord
wl-clipboard
cliphist
tree
bonPkgs.bonvim
freenect
mpc-cli
];
xdg.portal = {
@ -149,7 +149,6 @@
gtk = {
enable = true;
# TODO: fix catppuccin deprecation. Provide Paper icons to gtk and gnomeShell manually. (+ regreet)
catppuccin = {
enable = true;
accent = "green";
@ -195,7 +194,6 @@
'';
};
};
git = {
enable = true;
lfs.enable = true;
@ -221,10 +219,7 @@
plog = "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
};
};
# TODO: bat cannot determine catppuccin theme
bat.enable = true;
btop = {
enable = true;
settings = {
@ -232,71 +227,30 @@
proc_tree = true;
};
};
fzf.enable = true;
tmux.enable = true;
lazygit.enable = true;
gpg = {
enable = true;
homedir = "${hmConfig.xdg.configHome}/gnupg";
mutableKeys = true;
mutableTrust = true;
# TODO: replace existing ssh key with gpg provided
};
nnn = {
enable = true;
package = pkgs.nnn.override {withNerdIcons = true;};
bookmarks = {
d = "~/Downloads";
p = "~/projects";
i = "~/Pictures";
m = "~/Music";
v = "~/Videos";
};
plugins = {
src = "${hmConfig.programs.nnn.finalPackage}/share/plugins";
mappings = {
# TODO: add used programs for previews with FIFO support
p = "preview-tui";
};
};
};
ncmpcpp.enable = true;
# Graphical
wezterm = {
alacritty = {
enable = true;
package = inputs.wezterm.packages.x86_64-linux.default;
extraConfig = ''
return {
color_scheme = "Catppuccin Macchiato",
default_prog = { "fish" },
font_size = 10.0,
enable_tab_bar = true,
hide_tab_bar_if_only_one_tab = true,
term = "wezterm",
window_padding = {
left = 0,
right = 0,
top = 0,
bottom = 0
},
# ISSUE: the terminal does not update after some time of use. It only updates with mouse movements. [Wayland, Hyprland]
enable_wayland = false
}
'';
settings = {
font = {
size = 10;
};
};
};
rofi = {
enable = true;
package = pkgs.rofi-wayland;
terminal = "${lib.getExe hmConfig.programs.wezterm.package}";
terminal = "${lib.getExe hmConfig.programs.alacritty.package}";
cycle = true;
extraConfig = {
show-icons = true;
@ -311,7 +265,6 @@
window = {
border-radius = mkLiteral "5px";
};
# TODO: make window bigger, for 2k monitor, yeah
};
};
@ -325,11 +278,6 @@
inputs.obs-image-reaction.packages.${pkgs.system}.default
];
};
mpv = {
enable = true;
# TODO: check ImPlay for packaging, it's may be better alternative to pure mpv
};
};
services = {
@ -344,15 +292,6 @@
enableBashIntegration = true;
};
#mpd = {
# enable = true;
#};
# TODO: meet mpdris2 with system mpd
#mpdris2 = {
# enable = true;
#};
# Graphical
hypridle = {
enable = true;
@ -382,9 +321,9 @@
"$mouse" = "logitech-g102-lightsync-gaming-mouse";
# Main programs
"$terminal" = "${lib.getExe hmConfig.programs.wezterm.package}";
"$terminal" = "${lib.getExe hmConfig.programs.alacritty.package}";
"$menu" = "${lib.getExe hmConfig.programs.rofi.package} -show drun";
"$fileManager" = "$terminal -e ${lib.getExe hmConfig.programs.nnn.package}";
"$fileManager" = "$terminal -e ${lib.getExe pkgs.nnn}";
monitor = [
"desc:$monitor2, 2560x1440@75, 0x0, auto"
@ -400,7 +339,7 @@
"systemctl --user start hypridle"
"wl-paste --type text --watch cliphist store" #Stores only text data
"wl-paste --type image --watch cliphist store" #Stores only image data
"swww-daemon & swww img ~/Pictures/wallpapers/current" # wallpaper symlinked
"swww-daemon & swww img ~/Pictures/wallpapers/emily-in-the-cyberpunk-city.3840x2160.png & swww img ~/Pictures/wallpapers/emily-in-the-cyberpunk-city.3840x2160a.gif"
];
env = [
@ -502,8 +441,6 @@
"float, class:^(steam_app.*)$"
"immediate, class:^(steam_app.*)$"
"float, class:^(steam_proton.*)$"
"float,class:^(org.wezfurlong.wezterm)$"
"tile,class:^(org.wezfurlong.wezterm)$"
];
bind = [
"SUPER, Q, exec, $terminal"
@ -626,50 +563,8 @@
programs.virt-manager.enable = true;
programs.wireshark = {
enable = true;
package = pkgs.wireshark;
};
# Services
services.spoofdpi.enable = false;
services.spoofdpi.enable = true;
services.zapret = {
enable = true;
mode = "tpws";
firewallType = "iptables";
disableIpv6 = true;
settings = ''
MODE_HTTP=1
MODE_HTTP_KEEPALIVE=0
MODE_HTTPS=1
MODE_QUIC=0
MODE_FILTER=ipset
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
INIT_APPLY_FW=1
'';
};
# TODO: remember who use gvfs
services.gvfs.enable = true;
services.mpd = {
enable = true;
musicDirectory = "/media/vault/audio/music";
network.listenAddress = "any";
network.startWhenNeeded = true;
user = "l-nafaryus";
extraConfig = ''
audio_output {
type "pipewire"
name "PipeWire"
}
'';
};
systemd.services.mpd.environment = {
# https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/609
# User-id must match above user. MPD will look inside this directory for the PipeWire socket.
XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.l-nafaryus.uid}";
};
}

1
nixosConfigurations/catarina/default.nix
View File

@ -12,7 +12,6 @@
./users.nix
# ./services/papermc.nix # disabled
./services/gitea.nix
./services/radio.nix
];
# Nix settings

32
nixosConfigurations/catarina/services/radio.nix
View File

@ -1,32 +0,0 @@
{config, ...}: {
services.mpd = {
enable = true;
musicDirectory = "/home/l-nafaryus/Music";
network.listenAddress = "any";
network.startWhenNeeded = true;
user = "l-nafaryus";
extraConfig = ''
audio_output {
type "httpd"
name "Radio"
port "6666"
bind_to_address "127.0.0.1"
encoder "lame"
max_clients "0"
website "https://radio.elnafo.ru"
always_on "yes"
tags "yes"
bitrate "128"
format "44100:16:1"
}
'';
};
services.nginx.virtualHosts."radio.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
locations."/synthwave".proxyPass = "http://127.0.0.1:6666";
};
networking.firewall.allowedTCPPorts = [config.services.mpd.network.port];
}

1
nixosModules/default.nix
View File

@ -10,7 +10,6 @@
./services/papermc.nix
./services/qbittorrent-nox.nix
./services/spoofdpi.nix
./services/zapret.nix
];
configModule = {

178
nixosModules/services/zapret.nix
View File

@ -1,178 +0,0 @@
{
lib,
config,
pkgs,
bonPkgs,
...
}:
with lib; let
cfg = config.services.zapret;
createFilterList = name: str: (
lib.concatStringsSep "\n"
(map (ip: "add ${name} ${ip}")
(lib.splitString "\n" (lib.removeSuffix "\n" str)))
);
in {
options.services.zapret = {
enable = mkEnableOption "DPI bypass multi platform service";
package = mkOption {
type = types.package;
default = bonPkgs.zapret;
defaultText = literalExpression "bonPkgs.zapret";
description = "The package to use.";
};
settings = mkOption {
type = types.lines;
default = "";
example = ''
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
NFQWS_OPT_DESYNC="--dpi-desync-ttl=5"
'';
description = ''
Rules for zapret to work. Run ```nix-shell -p zapret --command blockcheck``` to get values to pass here.
Config example can be found here https://github.com/bol-van/zapret/blob/master/config.default
'';
};
firewallType = mkOption {
type = types.enum [
"iptables"
"nftables"
];
default = "nftables";
description = ''
Which firewall zapret should use.
'';
};
disableIPV4 = mkOption {
type = types.bool;
default = false;
description = ''
Enable usage of IpV4.
'';
};
disableIPV6 = mkOption {
type = types.bool;
default = true;
description = ''
Enable usage of IpV6.
'';
};
mode = mkOption {
type = types.enum [
"tpws"
"tpws-socks"
"nfqws"
"filter"
"custom"
];
default = "tpws";
description = ''
Which mode zapret should use.
'';
};
# TODO: add filter and anti filter options with optional file paths
# TODO ipset hashsize and maxelem
};
config = mkIf cfg.enable {
users.users.tpws = {
isSystemUser = true;
group = "tpws";
};
users.groups.tpws = {};
systemd.services.zapret = {
after = ["network-online.target"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
path = with pkgs; [
(
if cfg.firewallType == "iptables"
then iptables
else nftables
)
gawk
ipset
];
serviceConfig = {
Type = "forking";
Restart = "no";
TimeoutSec = "30sec";
IgnoreSIGPIPE = "no";
KillMode = "none";
GuessMainPID = "no";
RemainAfterExit = "no";
ExecStart = "${cfg.package}/bin/zapret start";
ExecStop = let
stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
${cfg.package}/bin/zapret stop
ipset destroy zapret -!
ipset destroy nozapret -!
'';
in "${stop_script}/bin/zapret-stop";
StandardOutput = "journal";
StandardError = "journal";
EnvironmentFile = pkgs.writeText "${cfg.package.pname}-environment" (concatStrings [
cfg.settings
''
MODE=${cfg.mode}
FWTYPE=${cfg.firewallType}
DISABLE_IPV4=${toString cfg.disableIPV4}
DISABLE_IPV6=${toString cfg.disableIPV6}
''
]);
# hardening
DevicePolicy = "closed";
KeyringMode = "private";
PrivateTmp = true;
PrivateMounts = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
};
preStart = let
zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" (lib.readFile cfg.package.passthru.antifilter.ipsmart));
nozapretListFile = pkgs.writeText "nozapretList" (createFilterList "nozapret" ''
10.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
'');
in ''
ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
ipset flush zapret
ipset restore -! < ${zapretListFile}
ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
ipset flush nozapret
ipset restore -! < ${nozapretListFile}
'';
};
};
}

6
packages/default.nix
View File

@ -70,12 +70,6 @@ in
builder = {...}: import;
};
zapret = {
source = ./zapret;
platforms = ["x86_64-linux"];
builder = {pkgs, ...}: pkgs.callPackage;
};
# Container images
nix-minimal = {

81
packages/zapret/default.nix
View File

@ -1,81 +0,0 @@
{
lib,
bonLib,
pkgs,
version ? "9fcd8f830ebde2491719a5c698e22d1d5210e0fb",
hash ? "sha256-8cqKCNYLLkZXlwrybKUPG6fLd7gmf8zV9tjWoTxAwIY=",
...
}:
pkgs.stdenv.mkDerivation {
pname = "zapret";
inherit version;
src = pkgs.fetchFromGitHub {
owner = "bol-van";
repo = "zapret";
rev = version;
hash = hash;
};
buildInputs = with pkgs; [libcap zlib libnetfilter_queue libnfnetlink];
nativeBuildInputs = with pkgs; [iptables nftables gawk];
buildPhase = ''
mkdir -p $out/bin
make TGT=$out/bin
'';
installPhase = ''
mkdir -p $out/usr/share/zapret/init.d/sysv
mkdir -p $out/usr/share/docs
cp $src/blockcheck.sh $out/bin/blockcheck
substituteInPlace $out/bin/blockcheck \
--replace "ZAPRET_BASE=\"\$EXEDIR\"" "ZAPRET_BASE=$out/usr/share/zapret"
cp $src/init.d/sysv/functions $out/usr/share/zapret/init.d/sysv/functions
cp $src/init.d/sysv/zapret $out/usr/share/zapret/init.d/sysv/init.d
substituteInPlace $out/usr/share/zapret/init.d/sysv/functions \
--replace "ZAPRET_BASE=\$(readlink -f \"\$EXEDIR/../..\")" "ZAPRET_BASE=$out/usr/share/zapret" \
--replace ". \"\$ZAPRET_BASE/config\"" ""
cp -r $src/docs/* $out/usr/share/docs
mkdir -p $out/usr/share/zapret/{common,ipset}
cp $src/common/* $out/usr/share/zapret/common
cp $src/ipset/* $out/usr/share/zapret/ipset
mkdir -p $out/usr/share/zapret/nfq
ln -s ../../../../bin/nfqws $out/usr/share/zapret/nfq/nfqws
for i in ip2net mdig tpws
do
mkdir -p $out/usr/share/zapret/$i
ln -s ../../../../bin/$i $out/usr/share/zapret/$i/$i
done
ln -s ../usr/share/zapret/init.d/sysv/init.d $out/bin/zapret
'';
passthru = {
antifilter = {
ipsmart = pkgs.fetchurl {
url = "https://antifilter.network/download/ipsmart.lst";
hash = "sha256-mg2OFZ3x2q/31wNMZl6R6bTK0TKenSFePRo+B1GJdwo=";
};
};
};
meta = with lib; {
description = "DPI bypass multi platform";
homepage = "https://github.com/bol-van/zapret";
license = licenses.mit;
maintainers = with bonLib.maintainers; [L-Nafaryus];
mainProgram = "zapret";
broken = false;
};
}