Author | SHA1 | Date | |
---|---|---|---|
f87a1d16b7 |
@ -641,23 +641,22 @@
|
||||
|
||||
services.zapret = {
|
||||
enable = true;
|
||||
mode = "nfqws";
|
||||
mode = "tpws";
|
||||
firewallType = "iptables";
|
||||
disableIpv6 = true;
|
||||
settings = ''
|
||||
MODE_HTTP=1
|
||||
MODE_HTTP_KEEPALIVE=0
|
||||
MODE_HTTPS=1
|
||||
MODE_QUIC=1
|
||||
MODE_QUIC=0
|
||||
MODE_FILTER=ipset
|
||||
TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
|
||||
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=7 --dpi-desync-fake-http=0x00000000"
|
||||
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake,split2 --dpi-desync-ttl=4"
|
||||
NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2 --dpi-desync-split-pos=1"
|
||||
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=split2 --dpi-desync-repeats=6"
|
||||
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
|
||||
INIT_APPLY_FW=1
|
||||
'';
|
||||
filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
|
||||
filterAddresses = lib.readFile (pkgs.fetchurl {
|
||||
url = "https://antifilter.network/download/ipsmart.lst";
|
||||
hash = "sha256-zLq3rgci/rye1oQp2zbJelPaoN9+jqPebIbxfJ44Qlg=";
|
||||
});
|
||||
};
|
||||
|
||||
# TODO: remember who use gvfs
|
||||
|
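Review bot: The host sets `disableIpv6 = true;` here, while the module's stop script in the companion hunk reads `cfg.disableIPV6`; the option declaration is not in view, so unless it is declared under both spellings one of these is a typo, and either the host assignment fails evaluation as an undefined option or the stop script interpolates an undefined attribute. The new `filterAddresses = lib.readFile (pkgs.fetchurl { … hash = … })` pins the downloaded list by content hash, which is an improvement over the runtime `curl` it replaces, but `readFile` on a fetchurl output is import-from-derivation: evaluation blocks on the download, and any change to the upstream file fails evaluation with a hash mismatch until the hash is refreshed. That is the intended behaviour, so say so next to it, e.g. `# Pinned snapshot of the antifilter list (fetched at eval time); refresh the hash to pick up a newer list.`. The enclosing configuration attrset starts and ends outside this hunk.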
@ -101,30 +101,14 @@ in {
|
||||
description = "List of addresses to ignore";
|
||||
};
|
||||
|
||||
dataDir = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/zapret";
|
||||
description = ''
|
||||
Directory to store zapret files and antifilter lists.
|
||||
'';
|
||||
};
|
||||
|
||||
filterAddressesSource = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = ''https://antifilter.network/download/ipsmart.lst'';
|
||||
description = "Link to external list of addresses to download and use.";
|
||||
};
|
||||
|
||||
# TODO: ipset hashsize and maxelem
|
||||
# TODO: add filter and anti filter options with optional file paths
|
||||
# TODO ipset hashsize and maxelem
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users.users.tpws = {
|
||||
isSystemUser = true;
|
||||
group = "tpws";
|
||||
home = cfg.dataDir;
|
||||
createHome = true;
|
||||
};
|
||||
|
||||
users.groups.tpws = {};
|
||||
@ -142,8 +126,6 @@ in {
|
||||
)
|
||||
gawk
|
||||
ipset
|
||||
wget
|
||||
curl
|
||||
];
|
||||
|
||||
serviceConfig = {
|
||||
@ -151,11 +133,10 @@ in {
|
||||
Restart = "no";
|
||||
TimeoutSec = "30sec";
|
||||
IgnoreSIGPIPE = "no";
|
||||
#KillMode = "none";
|
||||
KillMode = "none";
|
||||
GuessMainPID = "no";
|
||||
RemainAfterExit = "no";
|
||||
|
||||
WorkingDirectory = cfg.dataDir;
|
||||
ExecStart = "${cfg.package}/bin/zapret start";
|
||||
ExecStop = let
|
||||
stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
|
||||
@ -176,25 +157,37 @@ in {
|
||||
DISABLE_IPV6=${toString cfg.disableIPV6}
|
||||
''
|
||||
]);
|
||||
|
||||
# hardening
|
||||
DevicePolicy = "closed";
|
||||
KeyringMode = "private";
|
||||
PrivateTmp = true;
|
||||
PrivateMounts = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectProc = "invisible";
|
||||
RemoveIPC = true;
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
};
|
||||
|
||||
preStart = let
|
||||
zapretListFile = src: pkgs.writeText "zapretList" (createFilterList "zapret" src);
|
||||
nozapretListFile = src: pkgs.writeText "nozapretList" (createFilterList "nozapret" src);
|
||||
# zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" (lib.readFile cfg.package.passthru.antifilter.ipsmart));
|
||||
zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" cfg.filterAddresses);
|
||||
nozapretListFile = pkgs.writeText "nozapretList" (createFilterList "nozapret" cfg.ignoreAddresses);
|
||||
in ''
|
||||
${lib.optionalString (cfg.filterAddressesSource != null) "curl -L '${cfg.filterAddressesSource}' -o ${cfg.dataDir}/zapretList && sed -i -e 's/^/add zapret /' '${cfg.dataDir}/zapretList'"}
|
||||
|
||||
ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
||||
ipset flush zapret
|
||||
ipset restore -! < ${
|
||||
if (cfg.filterAddressesSource != null)
|
||||
then "${cfg.dataDir}/zapretList"
|
||||
else (zapretListFile cfg.filterAddresses)
|
||||
}
|
||||
ipset restore -! < ${zapretListFile}
|
||||
|
||||
ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
||||
ipset flush nozapret
|
||||
ipset restore -! < ${nozapretListFile cfg.ignoreAddresses}
|
||||
ipset restore -! < ${nozapretListFile}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
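Review bot: The hardening block added in the `-176,25 +157,37` hunk restricts namespaces, mounts and kernel interfaces but leaves the unit's capability set untouched, and no `User=` is in view, so `zapret start` still runs with the full root capability set; a `CapabilityBoundingSet` limited to the network-admin capabilities the iptables/ipset commands need, plus `NoNewPrivileges`, `LockPersonality`, `ProtectClock`, `ProtectControlGroups` and `ProtectKernelLogs`, would complete the set (verify against what nfqws/tpws actually require before enabling). `ProtectSystem = "strict"` makes everything outside /dev, /proc and /sys read-only, so if `zapret start` or the stop script writes under the remaining `WorkingDirectory = cfg.dataDir`, that path needs `ReadWritePaths` or a `StateDirectory`. In the `-151,11 +133,10` hunk the `KillMode = "none"` line is toggled between commented and active; systemd documents `KillMode=none` as deprecated, and with it the daemonised nfqws/tpws processes survive a unit stop unless the ExecStop script reaps them, so whichever side is current deserves a comment stating that reliance. The `serviceConfig` attrset starts outside the hunk; the added `preStart` and its `in` string are fully in view.
```nix
        # hardening
        # Bound root to what the firewall/ipset commands need; confirm nfqws/tpws need nothing more.
        CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_RAW"];
        NoNewPrivileges = true;
        LockPersonality = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectKernelLogs = true;
        # … unchanged: DevicePolicy … SystemCallArchitectures …
```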
@ -23,6 +23,29 @@
|
||||
fenixPkgs = inputs.fenix.packages.${system};
|
||||
nixvimPkgs = inputs.nixvim.legacyPackages.${system};
|
||||
weztermPkgs = inputs.wezterm.packages.${system};
|
||||
|
||||
dreamModules = inputs.dream2nix.modules.dream2nix;
|
||||
|
||||
dreamBuildPackage = {
|
||||
module,
|
||||
meta ? {},
|
||||
extraModules ? [],
|
||||
extraArgs ? {},
|
||||
}:
|
||||
(
|
||||
pkgs.lib.evalModules {
|
||||
modules = [module] ++ extraModules;
|
||||
specialArgs =
|
||||
{
|
||||
inherit (inputs) dream2nix;
|
||||
packageSets.nixpkgs = pkgs;
|
||||
}
|
||||
// extraArgs;
|
||||
}
|
||||
)
|
||||
.config
|
||||
.public
|
||||
// {inherit meta;};
|
||||
};
|
||||
in
|
||||
bonLib.collectPackages platformInputs {
|
||||
@ -81,6 +104,12 @@ in
|
||||
builder = {pkgs, ...}: pkgs.callPackage;
|
||||
};
|
||||
|
||||
onetagger = {
|
||||
source = ./onetagger;
|
||||
platforms = ["x86_64-linux"];
|
||||
builder = {pkgs, ...}: pkgs.callPackage;
|
||||
};
|
||||
|
||||
# Pass for cache
|
||||
|
||||
blender = {
|
||||
|
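Review bot: The new `onetagger` entry in the `-81,6 +104,12` hunk uses `builder = {pkgs, ...}: pkgs.callPackage;`, but the package file added in this compare takes `bonLib`, `craneLib`, `dreamBuildPackage` and `dreamModules`, none of which are nixpkgs attributes; unless `bonLib.collectPackages` injects the `let`-bound helpers into the callPackage scope (not visible here), evaluation fails with a missing-argument error. The `dreamBuildPackage` helper in the `-23,6 +23,29` hunk has no comment; a one-liner such as `# Evaluate a dream2nix package module with nixpkgs bound; returns its public derivation with meta merged in.` would tell the reader what `.config.public` is. Its `// {inherit meta;}` also replaces any `meta` the evaluated module produced with the default `{}`; if `config.public` carries a meta, merge the two (`public.meta // meta`) instead of overwriting. The `let` block these hunks belong to starts outside this section.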
94
packages/onetagger/default.nix
Normal file
94
packages/onetagger/default.nix
Normal file
@ -0,0 +1,94 @@
|
||||
{
|
||||
bonLib,
|
||||
craneLib,
|
||||
lib,
|
||||
pkgs,
|
||||
dreamBuildPackage,
|
||||
dreamModules,
|
||||
version ? "v1.7.0",
|
||||
# TODO: assign hash
|
||||
hash ? "",
|
||||
...
|
||||
}: let
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "Marekkon5";
|
||||
repo = "onetagger";
|
||||
rev = version;
|
||||
hash = hash;
|
||||
};
|
||||
|
||||
client = dreamBuildPackage {
|
||||
extraModules = [
|
||||
{
|
||||
# TODO: locate root
|
||||
paths.projectRoot = ./client;
|
||||
paths.projectRootFile = "flake.nix";
|
||||
paths.package = ./client;
|
||||
}
|
||||
];
|
||||
module = {
|
||||
lib,
|
||||
config,
|
||||
dream2nix,
|
||||
...
|
||||
}: {
|
||||
name = "client";
|
||||
version = "0.0.0";
|
||||
|
||||
imports = [
|
||||
dreamModules.WIP-nodejs-builder-v3
|
||||
];
|
||||
|
||||
mkDerivation = {
|
||||
# TODO: add source path
|
||||
src = src;
|
||||
};
|
||||
|
||||
deps = {nixpkgs, ...}: {
|
||||
inherit
|
||||
(nixpkgs)
|
||||
fetchFromGitHub
|
||||
stdenv
|
||||
;
|
||||
};
|
||||
|
||||
WIP-nodejs-builder-v3 = {
|
||||
# TODO: generate lock and pass here
|
||||
packageLockFile = "${config.mkDerivation.src}/package-lock.json";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
common = rec {
|
||||
pname = "onetagger";
|
||||
inherit version;
|
||||
|
||||
src = pkgs.lib.cleanSourceWith {
|
||||
src = src;
|
||||
filter = path: type: (craneLib.filterCargoSources path type);
|
||||
};
|
||||
|
||||
# TODO: understand broken git+ dependency
|
||||
songrec = craneLib.downloadCargoPackageFromGit {
|
||||
git = "https://github.com/Marekkon5/SongRec.git";
|
||||
rev = "d52238b3aa3b092ffcf9766794583d84c60473bb";
|
||||
};
|
||||
|
||||
cargoVendorDir = craneLib.vendorCargoDeps {
|
||||
src = src;
|
||||
};
|
||||
|
||||
strictDeps = false;
|
||||
|
||||
nativeBuildInputs = with pkgs; [pkg-config];
|
||||
|
||||
buildInputs = with pkgs; [alsa-lib cairo pango webkitgtk_4_1];
|
||||
|
||||
configurePhase = ''
|
||||
cp -rv ${client}/dist ./client/
|
||||
'';
|
||||
};
|
||||
|
||||
cargoArtifacts = craneLib.buildDepsOnly common;
|
||||
in
|
||||
craneLib.buildPackage (common // {inherit cargoArtifacts;})
|
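Review bot: `common = rec { … src = pkgs.lib.cleanSourceWith { src = src; … }; }` does not evaluate: inside a `rec` set the `src` on the right-hand side resolves to the `common.src` attribute being defined, not to the `let`-bound checkout, so forcing it raises "infinite recursion encountered" (and `cargoVendorDir`'s `{ src = src; }` binds to the same attribute). Building the cleaned source under a distinct name in the `let` removes the self-reference, as in the excerpt below. `hash ? ""` with `rev = version` leaves the checkout unpinned: nixpkgs substitutes a fake hash for an empty one, so the fixed-output fetch fails until the real hash is filled in, and the TODO at the top should be resolved before the package is wired into the flake. The custom `configurePhase` also drops the `runHook preConfigure`/`runHook postConfigure` calls the default phase runs, and the `songrec` attribute is never referenced by anything in `common`.
```nix
}: let
  src = pkgs.fetchFromGitHub {
    # … unchanged: owner, repo, rev, hash …
  };
  # Cleaned copy of the checkout; a separate name avoids the rec self-reference.
  cargoSrc = pkgs.lib.cleanSourceWith {
    src = src;
    filter = path: type: (craneLib.filterCargoSources path type);
  };
  # … unchanged: client = dreamBuildPackage { … } …
  common = rec {
    pname = "onetagger";
    inherit version;
    src = cargoSrc;
    # … unchanged: songrec …
    cargoVendorDir = craneLib.vendorCargoDeps {src = cargoSrc;};
    # … unchanged: strictDeps, nativeBuildInputs, buildInputs …
    configurePhase = ''
      runHook preConfigure
      cp -rv ${client}/dist ./client/
      runHook postConfigure
    '';
  };
```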