catarina: try to split radio service to isolated services (incomplete)

packages.wezterm: own derivation build (incomplete)
2024-09-20 23:09:45 +05:00 · 2024-09-20 23:07:48 +05:00
6 changed files with 181 additions and 73 deletions
--- a/nixosConfigurations/astora/users.nix
+++ b/nixosConfigurations/astora/users.nix
@ -641,23 +641,22 @@

  services.zapret = {
    enable = true;
-    mode = "nfqws";
+    mode = "tpws";
    firewallType = "iptables";
    disableIpv6 = true;
    settings = ''
      MODE_HTTP=1
      MODE_HTTP_KEEPALIVE=0
      MODE_HTTPS=1
-      MODE_QUIC=1
+      MODE_QUIC=0
      MODE_FILTER=ipset
-      TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
-      NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=7 --dpi-desync-fake-http=0x00000000"
-      NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake,split2 --dpi-desync-ttl=4"
-      NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2 --dpi-desync-split-pos=1"
-      NFQWS_OPT_DESYNC_QUIC="--dpi-desync=split2 --dpi-desync-repeats=6"
+      TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
      INIT_APPLY_FW=1
    '';
-    filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
+    filterAddresses = lib.readFile (pkgs.fetchurl {
+      url = "https://antifilter.network/download/ipsmart.lst";
+      hash = "sha256-zLq3rgci/rye1oQp2zbJelPaoN9+jqPebIbxfJ44Qlg=";
+    });
  };

  # TODO: remember who use gvfs
--- a/nixosConfigurations/catarina/default.nix
+++ b/nixosConfigurations/catarina/default.nix
@ -281,8 +281,6 @@
    fzf
    grc

-    gcc
-
    cachix

    gnupg
--- a/nixosConfigurations/catarina/hardware.nix
+++ b/nixosConfigurations/catarina/hardware.nix
@ -150,6 +150,12 @@

    defaultGateway = "192.168.156.1";
    nameservers = ["192.168.156.1" "8.8.8.8"];
+
+    nat = {
+      enable = true;
+      externalInterface = "enp9s0";
+      internalInterfaces = ["ve-+"];
+    };
  };

  services.logind.lidSwitchExternalPower = "ignore";
--- a/nixosConfigurations/catarina/services/radio.nix
+++ b/nixosConfigurations/catarina/services/radio.nix
@ -1,32 +1,52 @@
 {config, ...}: {
-  services.mpd = {
-    enable = true;
-    musicDirectory = "/home/l-nafaryus/Music";
-    network.listenAddress = "any";
-    network.startWhenNeeded = true;
-    user = "l-nafaryus";
-    extraConfig = ''
-      audio_output {
-        type "httpd"
-        name "Radio"
-        port "6666"
-        bind_to_address "127.0.0.1"
-        encoder "lame"
-        max_clients "0"
-        website "https://radio.elnafo.ru"
-        always_on "yes"
-        tags "yes"
-        bitrate "128"
-        format "44100:16:1"
-      }
-    '';
+  containers.radio-synthwave = {
+    autoStart = true;
+    privateNetwork = true;
+
+    config = {
+      config,
+      pkgs,
+      lib,
+      ...
+    }: {
+      services.mpd = {
+        enable = true;
+        musicDirectory = "/home/l-nafaryus/Music";
+        network.listenAddress = "any";
+        #network.startWhenNeeded = true;
+        user = "l-nafaryus";
+        network.port = 6600;
+        extraConfig = ''
+          audio_output {
+            type "httpd"
+            name "Radio"
+            port "6660"
+            bind_to_address "127.0.0.1"
+            encoder "lame"
+            max_clients "0"
+            website "https://radio.elnafo.ru/synthwave"
+            always_on "yes"
+            tags "yes"
+            bitrate "128"
+            format "44100:16:1"
+          }
+        '';
+      };
+
+      system.stateVersion = "24.05";
+
+      networking.firewall = {
+        enable = true;
+        allowedTCPPorts = [6600 6660];
+      };
+    };
  };

  services.nginx.virtualHosts."radio.elnafo.ru" = {
    forceSSL = true;
    useACMEHost = "elnafo.ru";
-    locations."/synthwave".proxyPass = "http://127.0.0.1:6666";
+    locations."/synthwave".proxyPass = "http://127.0.0.1:6660";
  };

-  networking.firewall.allowedTCPPorts = [config.services.mpd.network.port];
+  networking.firewall.allowedTCPPorts = [6600];
 }
--- a/nixosModules/services/zapret.nix
+++ b/nixosModules/services/zapret.nix
@ -101,30 +101,14 @@ in {
      description = "List of addresses to ignore";
    };

-    dataDir = mkOption {
-      type = types.path;
-      default = "/var/lib/zapret";
-      description = ''
-        Directory to store zapret files and antifilter lists.
-      '';
-    };
-
-    filterAddressesSource = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = ''https://antifilter.network/download/ipsmart.lst'';
-      description = "Link to external list of addresses to download and use.";
-    };
-
-    # TODO: ipset hashsize and maxelem
+    # TODO: add filter and anti filter options with optional file paths
+    # TODO ipset hashsize and maxelem
  };

  config = mkIf cfg.enable {
    users.users.tpws = {
      isSystemUser = true;
      group = "tpws";
-      home = cfg.dataDir;
-      createHome = true;
    };

    users.groups.tpws = {};
@ -142,8 +126,6 @@ in {
        )
        gawk
        ipset
-        wget
-        curl
      ];

      serviceConfig = {
@ -151,11 +133,10 @@ in {
        Restart = "no";
        TimeoutSec = "30sec";
        IgnoreSIGPIPE = "no";
-        #KillMode = "none";
+        KillMode = "none";
        GuessMainPID = "no";
        RemainAfterExit = "no";

-        WorkingDirectory = cfg.dataDir;
        ExecStart = "${cfg.package}/bin/zapret start";
        ExecStop = let
          stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
@ -176,25 +157,37 @@ in {
            DISABLE_IPV6=${toString cfg.disableIPV6}
          ''
        ]);
+
+        # hardening
+        DevicePolicy = "closed";
+        KeyringMode = "private";
+        PrivateTmp = true;
+        PrivateMounts = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        ProtectProc = "invisible";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
      };

      preStart = let
-        zapretListFile = src: pkgs.writeText "zapretList" (createFilterList "zapret" src);
-        nozapretListFile = src: pkgs.writeText "nozapretList" (createFilterList "nozapret" src);
+        # zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" (lib.readFile cfg.package.passthru.antifilter.ipsmart));
+        zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" cfg.filterAddresses);
+        nozapretListFile = pkgs.writeText "nozapretList" (createFilterList "nozapret" cfg.ignoreAddresses);
      in ''
-        ${lib.optionalString (cfg.filterAddressesSource != null) "curl -L '${cfg.filterAddressesSource}' -o ${cfg.dataDir}/zapretList && sed -i -e 's/^/add zapret /' '${cfg.dataDir}/zapretList'"}
-
        ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
        ipset flush zapret
-        ipset restore -! < ${
-          if (cfg.filterAddressesSource != null)
-          then "${cfg.dataDir}/zapretList"
-          else (zapretListFile cfg.filterAddresses)
-        }
+        ipset restore -! < ${zapretListFile}

        ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
        ipset flush nozapret
-        ipset restore -! < ${nozapretListFile cfg.ignoreAddresses}
+        ipset restore -! < ${nozapretListFile}
      '';
    };
  };
--- a/packages/wezterm/default.nix
+++ b/packages/wezterm/default.nix
@ -1,16 +1,108 @@
 {
+  bonLib,
+  craneLib,
  lib,
-  weztermPkgs,
+  pkgs,
+  version ? "2d0c5cddc91a9c59aef9a7667d90924e7cedd0ac",
+  hash ? "sha256-ZsDJQSUokodwFMP4FIZm2dYojf5iC4F/EeKC5VuQlqY=",
  ...
-}:
-weztermPkgs.default.overrideAttrs (old: {
-  pname = "wezterm";
+}: let
+  src = pkgs.fetchFromGitHub {
+    owner = "wez";
+    repo = "wezterm";
+    rev = version;
+    hash = hash;
+    fetchSubmodules = true;
+  };
+  terminfo =
+    pkgs.runCommand "wezterm-terminfo"
+    {
+      nativeBuildInputs = [pkgs.ncurses];
+    } ''
+      mkdir -p $out/share/terminfo $out/nix-support
+      tic -x -o $out/share/terminfo ${src}/termwiz/data/wezterm.terminfo
+    '';
+  pkg = {
+    pname = "wezterm";
+    inherit version;

-  meta =
-    old.meta
-    // {
+    inherit src;
+
+    strictDeps = true;
+    doCheck = false;
+
+    nativeBuildInputs = with pkgs; [
+      installShellFiles
+      ncurses # tic for terminfo
+      pkg-config
+      python3
+    ];
+
+    buildInputs = with pkgs; [
+      fontconfig
+      pkgs.zlib
+      libxkbcommon
+      openssl
+      wayland
+      cairo
+
+      xorg.libX11
+      xorg.libxcb
+      xorg.xcbutil
+      xorg.xcbutilimage
+      xorg.xcbutilkeysyms
+      xorg.xcbutilwm # contains xcb-ewmh among others
+    ];
+
+    libPath = lib.makeLibraryPath (with pkgs; [
+      xorg.xcbutilimage
+      libGL
+      vulkan-loader
+    ]);
+
+    postPatch = ''
+      echo ${version} > .tag
+
+      # tests are failing with: Unable to exchange encryption keys
+      # rm -r wezterm-ssh/tests
+    '';
+
+    preFixup = lib.optionalString pkgs.stdenv.isLinux ''
+      patchelf \
+        --add-needed "${pkgs.libGL}/lib/libEGL.so.1" \
+        --add-needed "${pkgs.vulkan-loader}/lib/libvulkan.so.1" \
+        $out/bin/wezterm-gui
+    '';
+
+    postInstall = ''
+      mkdir -p $out/nix-support
+      echo "${terminfo}" >> $out/nix-support/propagated-user-env-packages
+
+      install -Dm644 assets/icon/terminal.png $out/share/icons/hicolor/128x128/apps/org.wezfurlong.wezterm.png
+      install -Dm644 assets/wezterm.desktop $out/share/applications/org.wezfurlong.wezterm.desktop
+      install -Dm644 assets/wezterm.appdata.xml $out/share/metainfo/org.wezfurlong.wezterm.appdata.xml
+
+      install -Dm644 assets/shell-integration/wezterm.sh -t $out/etc/profile.d
+      installShellCompletion --cmd wezterm \
+        --bash assets/shell-completion/bash \
+        --fish assets/shell-completion/fish \
+        --zsh assets/shell-completion/zsh
+
+      install -Dm644 assets/wezterm-nautilus.py -t $out/share/nautilus-python/extensions
+    '';
+
+    meta = with lib; {
      homepage = "https://github.com/wez/wezterm";
      description = "A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust";
      license = lib.licenses.mit;
+      maintainers = with bonLib.maintainers; [L-Nafaryus];
+      platforms = platforms.x86_64;
+      mainProgram = "wezterm";
    };
-})
+  };
+in let
+  cargoArtifacts = craneLib.buildDepsOnly pkg;
+in
+  craneLib.buildPackage (
+    pkg // {inherit cargoArtifacts;}
+  )
Author	SHA1	Message	Date
L-Nafaryus	484529aaa2	catarina: try to split radio service to isolated services (incomplete)	2024-09-20 23:09:45 +05:00
L-Nafaryus	f68d7a7e3a	packages.wezterm: own derivation build (incomplete)	2024-09-20 23:07:48 +05:00