master
...
catarina-r
Author | SHA1 | Date | |
---|---|---|---|
484529aaa2 | |||
f68d7a7e3a |
@ -641,23 +641,22 @@
|
|||||||
|
|
||||||
services.zapret = {
|
services.zapret = {
|
||||||
enable = true;
|
enable = true;
|
||||||
mode = "nfqws";
|
mode = "tpws";
|
||||||
firewallType = "iptables";
|
firewallType = "iptables";
|
||||||
disableIpv6 = true;
|
disableIpv6 = true;
|
||||||
settings = ''
|
settings = ''
|
||||||
MODE_HTTP=1
|
MODE_HTTP=1
|
||||||
MODE_HTTP_KEEPALIVE=0
|
MODE_HTTP_KEEPALIVE=0
|
||||||
MODE_HTTPS=1
|
MODE_HTTPS=1
|
||||||
MODE_QUIC=1
|
MODE_QUIC=0
|
||||||
MODE_FILTER=ipset
|
MODE_FILTER=ipset
|
||||||
TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
|
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
|
||||||
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=7 --dpi-desync-fake-http=0x00000000"
|
|
||||||
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake,split2 --dpi-desync-ttl=4"
|
|
||||||
NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2 --dpi-desync-split-pos=1"
|
|
||||||
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=split2 --dpi-desync-repeats=6"
|
|
||||||
INIT_APPLY_FW=1
|
INIT_APPLY_FW=1
|
||||||
'';
|
'';
|
||||||
filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
|
filterAddresses = lib.readFile (pkgs.fetchurl {
|
||||||
|
url = "https://antifilter.network/download/ipsmart.lst";
|
||||||
|
hash = "sha256-zLq3rgci/rye1oQp2zbJelPaoN9+jqPebIbxfJ44Qlg=";
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO: remember who use gvfs
|
# TODO: remember who use gvfs
|
||||||
|
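Review bot: The blocklist is now a fixed-output `pkgs.fetchurl` with a pinned `hash`, so the list is frozen at the snapshot that hash describes: a machine that already has the store path keeps the stale list indefinitely with no signal, while a fresh build will fail with a hash mismatch as soon as upstream edits ipsmart.lst. That is the trade-off for dropping the runtime `curl` refresh and it belongs next to the hash, e.g. `# snapshot of ipsmart.lst; bump hash to refresh (build fails on upstream change)`. Whether `lib` and `pkgs` are in scope for this file is not visible in the hunk; the surrounding module header is outside it.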
@ -281,8 +281,6 @@
|
|||||||
fzf
|
fzf
|
||||||
grc
|
grc
|
||||||
|
|
||||||
gcc
|
|
||||||
|
|
||||||
cachix
|
cachix
|
||||||
|
|
||||||
gnupg
|
gnupg
|
||||||
|
@ -150,6 +150,12 @@
|
|||||||
|
|
||||||
defaultGateway = "192.168.156.1";
|
defaultGateway = "192.168.156.1";
|
||||||
nameservers = ["192.168.156.1" "8.8.8.8"];
|
nameservers = ["192.168.156.1" "8.8.8.8"];
|
||||||
|
|
||||||
|
nat = {
|
||||||
|
enable = true;
|
||||||
|
externalInterface = "enp9s0";
|
||||||
|
internalInterfaces = ["ve-+"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.logind.lidSwitchExternalPower = "ignore";
|
services.logind.lidSwitchExternalPower = "ignore";
|
||||||
|
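Review bot: `internalInterfaces = ["ve-+"]` is a wildcard, so every current and future nixos-container veth on this host gets masqueraded egress through `enp9s0` implicitly, and nothing in the hunk says which container this was added for. A one-line comment makes the scope explicit, e.g. `# masquerade all container veths (ve-*) out via enp9s0 — applies to every container, not just the radio one`. `nat.enable` also turns on IPv4 forwarding host-wide, which is worth knowing when reading the firewall settings elsewhere in this file.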
@ -1,32 +1,52 @@
|
|||||||
{config, ...}: {
|
{config, ...}: {
|
||||||
services.mpd = {
|
containers.radio-synthwave = {
|
||||||
enable = true;
|
autoStart = true;
|
||||||
musicDirectory = "/home/l-nafaryus/Music";
|
privateNetwork = true;
|
||||||
network.listenAddress = "any";
|
|
||||||
network.startWhenNeeded = true;
|
config = {
|
||||||
user = "l-nafaryus";
|
config,
|
||||||
extraConfig = ''
|
pkgs,
|
||||||
audio_output {
|
lib,
|
||||||
type "httpd"
|
...
|
||||||
name "Radio"
|
}: {
|
||||||
port "6666"
|
services.mpd = {
|
||||||
bind_to_address "127.0.0.1"
|
enable = true;
|
||||||
encoder "lame"
|
musicDirectory = "/home/l-nafaryus/Music";
|
||||||
max_clients "0"
|
network.listenAddress = "any";
|
||||||
website "https://radio.elnafo.ru"
|
#network.startWhenNeeded = true;
|
||||||
always_on "yes"
|
user = "l-nafaryus";
|
||||||
tags "yes"
|
network.port = 6600;
|
||||||
bitrate "128"
|
extraConfig = ''
|
||||||
format "44100:16:1"
|
audio_output {
|
||||||
}
|
type "httpd"
|
||||||
'';
|
name "Radio"
|
||||||
|
port "6660"
|
||||||
|
bind_to_address "127.0.0.1"
|
||||||
|
encoder "lame"
|
||||||
|
max_clients "0"
|
||||||
|
website "https://radio.elnafo.ru/synthwave"
|
||||||
|
always_on "yes"
|
||||||
|
tags "yes"
|
||||||
|
bitrate "128"
|
||||||
|
format "44100:16:1"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
enable = true;
|
||||||
|
allowedTCPPorts = [6600 6660];
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."radio.elnafo.ru" = {
|
services.nginx.virtualHosts."radio.elnafo.ru" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "elnafo.ru";
|
useACMEHost = "elnafo.ru";
|
||||||
locations."/synthwave".proxyPass = "http://127.0.0.1:6666";
|
locations."/synthwave".proxyPass = "http://127.0.0.1:6660";
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [config.services.mpd.network.port];
|
networking.firewall.allowedTCPPorts = [6600];
|
||||||
}
|
}
|
||||||
|
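Review bot: `locations."/synthwave".proxyPass = "http://127.0.0.1:6660"` on the host cannot reach the new `audio_output`, because mpd now runs inside `containers.radio-synthwave` with `privateNetwork = true` and its httpd uses `bind_to_address "127.0.0.1"` in the container's own network namespace, not the host's. The container also declares no `hostAddress`/`localAddress`, so its veth has no IPv4 address to proxy to; either give it addresses, bind the httpd output to the container's address and point proxyPass at it, or drop `privateNetwork`. `allowedTCPPorts = [6600 6660]` inside the container only has an effect once such an address exists. Separately, `musicDirectory = "/home/l-nafaryus/Music"` now refers to the container's own filesystem since no `bindMounts` is declared, so the host's music directory is presumably not what it will see.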
@ -101,30 +101,14 @@ in {
|
|||||||
description = "List of addresses to ignore";
|
description = "List of addresses to ignore";
|
||||||
};
|
};
|
||||||
|
|
||||||
dataDir = mkOption {
|
# TODO: add filter and anti filter options with optional file paths
|
||||||
type = types.path;
|
# TODO ipset hashsize and maxelem
|
||||||
default = "/var/lib/zapret";
|
|
||||||
description = ''
|
|
||||||
Directory to store zapret files and antifilter lists.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
filterAddressesSource = mkOption {
|
|
||||||
type = types.nullOr types.str;
|
|
||||||
default = null;
|
|
||||||
example = ''https://antifilter.network/download/ipsmart.lst'';
|
|
||||||
description = "Link to external list of addresses to download and use.";
|
|
||||||
};
|
|
||||||
|
|
||||||
# TODO: ipset hashsize and maxelem
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
users.users.tpws = {
|
users.users.tpws = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
group = "tpws";
|
group = "tpws";
|
||||||
home = cfg.dataDir;
|
|
||||||
createHome = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.tpws = {};
|
users.groups.tpws = {};
|
||||||
@ -142,8 +126,6 @@ in {
|
|||||||
)
|
)
|
||||||
gawk
|
gawk
|
||||||
ipset
|
ipset
|
||||||
wget
|
|
||||||
curl
|
|
||||||
];
|
];
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
@ -151,11 +133,10 @@ in {
|
|||||||
Restart = "no";
|
Restart = "no";
|
||||||
TimeoutSec = "30sec";
|
TimeoutSec = "30sec";
|
||||||
IgnoreSIGPIPE = "no";
|
IgnoreSIGPIPE = "no";
|
||||||
#KillMode = "none";
|
KillMode = "none";
|
||||||
GuessMainPID = "no";
|
GuessMainPID = "no";
|
||||||
RemainAfterExit = "no";
|
RemainAfterExit = "no";
|
||||||
|
|
||||||
WorkingDirectory = cfg.dataDir;
|
|
||||||
ExecStart = "${cfg.package}/bin/zapret start";
|
ExecStart = "${cfg.package}/bin/zapret start";
|
||||||
ExecStop = let
|
ExecStop = let
|
||||||
stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
|
stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
|
||||||
@ -176,25 +157,37 @@ in {
|
|||||||
DISABLE_IPV6=${toString cfg.disableIPV6}
|
DISABLE_IPV6=${toString cfg.disableIPV6}
|
||||||
''
|
''
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
# hardening
|
||||||
|
DevicePolicy = "closed";
|
||||||
|
KeyringMode = "private";
|
||||||
|
PrivateTmp = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
};
|
};
|
||||||
|
|
||||||
preStart = let
|
preStart = let
|
||||||
zapretListFile = src: pkgs.writeText "zapretList" (createFilterList "zapret" src);
|
# zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" (lib.readFile cfg.package.passthru.antifilter.ipsmart));
|
||||||
nozapretListFile = src: pkgs.writeText "nozapretList" (createFilterList "nozapret" src);
|
zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" cfg.filterAddresses);
|
||||||
|
nozapretListFile = pkgs.writeText "nozapretList" (createFilterList "nozapret" cfg.ignoreAddresses);
|
||||||
in ''
|
in ''
|
||||||
${lib.optionalString (cfg.filterAddressesSource != null) "curl -L '${cfg.filterAddressesSource}' -o ${cfg.dataDir}/zapretList && sed -i -e 's/^/add zapret /' '${cfg.dataDir}/zapretList'"}
|
|
||||||
|
|
||||||
ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
||||||
ipset flush zapret
|
ipset flush zapret
|
||||||
ipset restore -! < ${
|
ipset restore -! < ${zapretListFile}
|
||||||
if (cfg.filterAddressesSource != null)
|
|
||||||
then "${cfg.dataDir}/zapretList"
|
|
||||||
else (zapretListFile cfg.filterAddresses)
|
|
||||||
}
|
|
||||||
|
|
||||||
ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
||||||
ipset flush nozapret
|
ipset flush nozapret
|
||||||
ipset restore -! < ${nozapretListFile cfg.ignoreAddresses}
|
ipset restore -! < ${nozapretListFile}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
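Review bot: The hardening block bounds filesystem and kernel surfaces but not capabilities: there is no `CapabilityBoundingSet`, `AmbientCapabilities` or `NoNewPrivileges`, and no `User=` is visible, so the unit presumably still runs as root with the full capability set. ipset/iptables need `CAP_NET_ADMIN` and `CAP_NET_RAW`; if the start script drops to the `tpws` user itself it would also need `CAP_SETUID`/`CAP_SETGID`, which should be confirmed before adding `CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_RAW"];` and `NoNewPrivileges = true;`. `RemoveIPC = true` has no effect on root-owned IPC objects, so without a `User=` it is inert. Uncommenting `KillMode = "none"` (hunk `@ -151,11`) means `systemctl stop` no longer kills the daemons itself and relies wholly on the `ExecStop` script; systemd deprecates that value, and `KillMode = "process"` with a working `ExecStop` is the usual replacement.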
@ -1,16 +1,108 @@
|
|||||||
{
|
{
|
||||||
|
bonLib,
|
||||||
|
craneLib,
|
||||||
lib,
|
lib,
|
||||||
weztermPkgs,
|
pkgs,
|
||||||
|
version ? "2d0c5cddc91a9c59aef9a7667d90924e7cedd0ac",
|
||||||
|
hash ? "sha256-ZsDJQSUokodwFMP4FIZm2dYojf5iC4F/EeKC5VuQlqY=",
|
||||||
...
|
...
|
||||||
}:
|
}: let
|
||||||
weztermPkgs.default.overrideAttrs (old: {
|
src = pkgs.fetchFromGitHub {
|
||||||
pname = "wezterm";
|
owner = "wez";
|
||||||
|
repo = "wezterm";
|
||||||
|
rev = version;
|
||||||
|
hash = hash;
|
||||||
|
fetchSubmodules = true;
|
||||||
|
};
|
||||||
|
terminfo =
|
||||||
|
pkgs.runCommand "wezterm-terminfo"
|
||||||
|
{
|
||||||
|
nativeBuildInputs = [pkgs.ncurses];
|
||||||
|
} ''
|
||||||
|
mkdir -p $out/share/terminfo $out/nix-support
|
||||||
|
tic -x -o $out/share/terminfo ${src}/termwiz/data/wezterm.terminfo
|
||||||
|
'';
|
||||||
|
pkg = {
|
||||||
|
pname = "wezterm";
|
||||||
|
inherit version;
|
||||||
|
|
||||||
meta =
|
inherit src;
|
||||||
old.meta
|
|
||||||
// {
|
strictDeps = true;
|
||||||
|
doCheck = false;
|
||||||
|
|
||||||
|
nativeBuildInputs = with pkgs; [
|
||||||
|
installShellFiles
|
||||||
|
ncurses # tic for terminfo
|
||||||
|
pkg-config
|
||||||
|
python3
|
||||||
|
];
|
||||||
|
|
||||||
|
buildInputs = with pkgs; [
|
||||||
|
fontconfig
|
||||||
|
pkgs.zlib
|
||||||
|
libxkbcommon
|
||||||
|
openssl
|
||||||
|
wayland
|
||||||
|
cairo
|
||||||
|
|
||||||
|
xorg.libX11
|
||||||
|
xorg.libxcb
|
||||||
|
xorg.xcbutil
|
||||||
|
xorg.xcbutilimage
|
||||||
|
xorg.xcbutilkeysyms
|
||||||
|
xorg.xcbutilwm # contains xcb-ewmh among others
|
||||||
|
];
|
||||||
|
|
||||||
|
libPath = lib.makeLibraryPath (with pkgs; [
|
||||||
|
xorg.xcbutilimage
|
||||||
|
libGL
|
||||||
|
vulkan-loader
|
||||||
|
]);
|
||||||
|
|
||||||
|
postPatch = ''
|
||||||
|
echo ${version} > .tag
|
||||||
|
|
||||||
|
# tests are failing with: Unable to exchange encryption keys
|
||||||
|
# rm -r wezterm-ssh/tests
|
||||||
|
'';
|
||||||
|
|
||||||
|
preFixup = lib.optionalString pkgs.stdenv.isLinux ''
|
||||||
|
patchelf \
|
||||||
|
--add-needed "${pkgs.libGL}/lib/libEGL.so.1" \
|
||||||
|
--add-needed "${pkgs.vulkan-loader}/lib/libvulkan.so.1" \
|
||||||
|
$out/bin/wezterm-gui
|
||||||
|
'';
|
||||||
|
|
||||||
|
postInstall = ''
|
||||||
|
mkdir -p $out/nix-support
|
||||||
|
echo "${terminfo}" >> $out/nix-support/propagated-user-env-packages
|
||||||
|
|
||||||
|
install -Dm644 assets/icon/terminal.png $out/share/icons/hicolor/128x128/apps/org.wezfurlong.wezterm.png
|
||||||
|
install -Dm644 assets/wezterm.desktop $out/share/applications/org.wezfurlong.wezterm.desktop
|
||||||
|
install -Dm644 assets/wezterm.appdata.xml $out/share/metainfo/org.wezfurlong.wezterm.appdata.xml
|
||||||
|
|
||||||
|
install -Dm644 assets/shell-integration/wezterm.sh -t $out/etc/profile.d
|
||||||
|
installShellCompletion --cmd wezterm \
|
||||||
|
--bash assets/shell-completion/bash \
|
||||||
|
--fish assets/shell-completion/fish \
|
||||||
|
--zsh assets/shell-completion/zsh
|
||||||
|
|
||||||
|
install -Dm644 assets/wezterm-nautilus.py -t $out/share/nautilus-python/extensions
|
||||||
|
'';
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
homepage = "https://github.com/wez/wezterm";
|
homepage = "https://github.com/wez/wezterm";
|
||||||
description = "A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust";
|
description = "A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust";
|
||||||
license = lib.licenses.mit;
|
license = lib.licenses.mit;
|
||||||
|
maintainers = with bonLib.maintainers; [L-Nafaryus];
|
||||||
|
platforms = platforms.x86_64;
|
||||||
|
mainProgram = "wezterm";
|
||||||
};
|
};
|
||||||
})
|
};
|
||||||
|
in let
|
||||||
|
cargoArtifacts = craneLib.buildDepsOnly pkg;
|
||||||
|
in
|
||||||
|
craneLib.buildPackage (
|
||||||
|
pkg // {inherit cargoArtifacts;}
|
||||||
|
)
|
||||||
|
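Review bot: `doCheck = false` switches off the whole test suite, while the commented `# rm -r wezterm-ssh/tests` in `postPatch` says only the ssh key-exchange tests fail; either narrow it (remove that directory and keep checks on) or state in a comment why all tests are skipped. `hash = hash;` is the idiomatic `inherit hash;`, and `libPath` is assigned in `pkg` but not referenced anywhere in the hunk — if it was meant for the `patchelf` step in `preFixup` it is unused, otherwise it only ends up as an environment variable in the build. The default `version` is a 40-character commit id rather than a release tag, and `echo ${version} > .tag` will presumably make wezterm report that id as its version; a comment saying this is intentional would help the next reader.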