Compare commits
1 Commits
master
...
packages-w
Author | SHA1 | Date | |
---|---|---|---|
f68d7a7e3a |
@ -641,23 +641,22 @@
|
|||||||
|
|
||||||
services.zapret = {
|
services.zapret = {
|
||||||
enable = true;
|
enable = true;
|
||||||
mode = "nfqws";
|
mode = "tpws";
|
||||||
firewallType = "iptables";
|
firewallType = "iptables";
|
||||||
disableIpv6 = true;
|
disableIpv6 = true;
|
||||||
settings = ''
|
settings = ''
|
||||||
MODE_HTTP=1
|
MODE_HTTP=1
|
||||||
MODE_HTTP_KEEPALIVE=0
|
MODE_HTTP_KEEPALIVE=0
|
||||||
MODE_HTTPS=1
|
MODE_HTTPS=1
|
||||||
MODE_QUIC=1
|
MODE_QUIC=0
|
||||||
MODE_FILTER=ipset
|
MODE_FILTER=ipset
|
||||||
TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
|
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
|
||||||
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=7 --dpi-desync-fake-http=0x00000000"
|
|
||||||
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake,split2 --dpi-desync-ttl=4"
|
|
||||||
NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2 --dpi-desync-split-pos=1"
|
|
||||||
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=split2 --dpi-desync-repeats=6"
|
|
||||||
INIT_APPLY_FW=1
|
INIT_APPLY_FW=1
|
||||||
'';
|
'';
|
||||||
filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
|
filterAddresses = lib.readFile (pkgs.fetchurl {
|
||||||
|
url = "https://antifilter.network/download/ipsmart.lst";
|
||||||
|
hash = "sha256-zLq3rgci/rye1oQp2zbJelPaoN9+jqPebIbxfJ44Qlg=";
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO: remember who use gvfs
|
# TODO: remember who use gvfs
|
||||||
|
@ -101,30 +101,14 @@ in {
|
|||||||
description = "List of addresses to ignore";
|
description = "List of addresses to ignore";
|
||||||
};
|
};
|
||||||
|
|
||||||
dataDir = mkOption {
|
# TODO: add filter and anti filter options with optional file paths
|
||||||
type = types.path;
|
# TODO ipset hashsize and maxelem
|
||||||
default = "/var/lib/zapret";
|
|
||||||
description = ''
|
|
||||||
Directory to store zapret files and antifilter lists.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
filterAddressesSource = mkOption {
|
|
||||||
type = types.nullOr types.str;
|
|
||||||
default = null;
|
|
||||||
example = ''https://antifilter.network/download/ipsmart.lst'';
|
|
||||||
description = "Link to external list of addresses to download and use.";
|
|
||||||
};
|
|
||||||
|
|
||||||
# TODO: ipset hashsize and maxelem
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
users.users.tpws = {
|
users.users.tpws = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
group = "tpws";
|
group = "tpws";
|
||||||
home = cfg.dataDir;
|
|
||||||
createHome = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.tpws = {};
|
users.groups.tpws = {};
|
||||||
@ -142,8 +126,6 @@ in {
|
|||||||
)
|
)
|
||||||
gawk
|
gawk
|
||||||
ipset
|
ipset
|
||||||
wget
|
|
||||||
curl
|
|
||||||
];
|
];
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
@ -151,11 +133,10 @@ in {
|
|||||||
Restart = "no";
|
Restart = "no";
|
||||||
TimeoutSec = "30sec";
|
TimeoutSec = "30sec";
|
||||||
IgnoreSIGPIPE = "no";
|
IgnoreSIGPIPE = "no";
|
||||||
#KillMode = "none";
|
KillMode = "none";
|
||||||
GuessMainPID = "no";
|
GuessMainPID = "no";
|
||||||
RemainAfterExit = "no";
|
RemainAfterExit = "no";
|
||||||
|
|
||||||
WorkingDirectory = cfg.dataDir;
|
|
||||||
ExecStart = "${cfg.package}/bin/zapret start";
|
ExecStart = "${cfg.package}/bin/zapret start";
|
||||||
ExecStop = let
|
ExecStop = let
|
||||||
stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
|
stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
|
||||||
@ -176,25 +157,37 @@ in {
|
|||||||
DISABLE_IPV6=${toString cfg.disableIPV6}
|
DISABLE_IPV6=${toString cfg.disableIPV6}
|
||||||
''
|
''
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
# hardening
|
||||||
|
DevicePolicy = "closed";
|
||||||
|
KeyringMode = "private";
|
||||||
|
PrivateTmp = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
};
|
};
|
||||||
|
|
||||||
preStart = let
|
preStart = let
|
||||||
zapretListFile = src: pkgs.writeText "zapretList" (createFilterList "zapret" src);
|
# zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" (lib.readFile cfg.package.passthru.antifilter.ipsmart));
|
||||||
nozapretListFile = src: pkgs.writeText "nozapretList" (createFilterList "nozapret" src);
|
zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" cfg.filterAddresses);
|
||||||
|
nozapretListFile = pkgs.writeText "nozapretList" (createFilterList "nozapret" cfg.ignoreAddresses);
|
||||||
in ''
|
in ''
|
||||||
${lib.optionalString (cfg.filterAddressesSource != null) "curl -L '${cfg.filterAddressesSource}' -o ${cfg.dataDir}/zapretList && sed -i -e 's/^/add zapret /' '${cfg.dataDir}/zapretList'"}
|
|
||||||
|
|
||||||
ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
||||||
ipset flush zapret
|
ipset flush zapret
|
||||||
ipset restore -! < ${
|
ipset restore -! < ${zapretListFile}
|
||||||
if (cfg.filterAddressesSource != null)
|
|
||||||
then "${cfg.dataDir}/zapretList"
|
|
||||||
else (zapretListFile cfg.filterAddresses)
|
|
||||||
}
|
|
||||||
|
|
||||||
ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
|
||||||
ipset flush nozapret
|
ipset flush nozapret
|
||||||
ipset restore -! < ${nozapretListFile cfg.ignoreAddresses}
|
ipset restore -! < ${nozapretListFile}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -1,16 +1,108 @@
|
|||||||
{
|
{
|
||||||
|
bonLib,
|
||||||
|
craneLib,
|
||||||
lib,
|
lib,
|
||||||
weztermPkgs,
|
pkgs,
|
||||||
|
version ? "2d0c5cddc91a9c59aef9a7667d90924e7cedd0ac",
|
||||||
|
hash ? "sha256-ZsDJQSUokodwFMP4FIZm2dYojf5iC4F/EeKC5VuQlqY=",
|
||||||
...
|
...
|
||||||
}:
|
}: let
|
||||||
weztermPkgs.default.overrideAttrs (old: {
|
src = pkgs.fetchFromGitHub {
|
||||||
pname = "wezterm";
|
owner = "wez";
|
||||||
|
repo = "wezterm";
|
||||||
|
rev = version;
|
||||||
|
hash = hash;
|
||||||
|
fetchSubmodules = true;
|
||||||
|
};
|
||||||
|
terminfo =
|
||||||
|
pkgs.runCommand "wezterm-terminfo"
|
||||||
|
{
|
||||||
|
nativeBuildInputs = [pkgs.ncurses];
|
||||||
|
} ''
|
||||||
|
mkdir -p $out/share/terminfo $out/nix-support
|
||||||
|
tic -x -o $out/share/terminfo ${src}/termwiz/data/wezterm.terminfo
|
||||||
|
'';
|
||||||
|
pkg = {
|
||||||
|
pname = "wezterm";
|
||||||
|
inherit version;
|
||||||
|
|
||||||
meta =
|
inherit src;
|
||||||
old.meta
|
|
||||||
// {
|
strictDeps = true;
|
||||||
|
doCheck = false;
|
||||||
|
|
||||||
|
nativeBuildInputs = with pkgs; [
|
||||||
|
installShellFiles
|
||||||
|
ncurses # tic for terminfo
|
||||||
|
pkg-config
|
||||||
|
python3
|
||||||
|
];
|
||||||
|
|
||||||
|
buildInputs = with pkgs; [
|
||||||
|
fontconfig
|
||||||
|
pkgs.zlib
|
||||||
|
libxkbcommon
|
||||||
|
openssl
|
||||||
|
wayland
|
||||||
|
cairo
|
||||||
|
|
||||||
|
xorg.libX11
|
||||||
|
xorg.libxcb
|
||||||
|
xorg.xcbutil
|
||||||
|
xorg.xcbutilimage
|
||||||
|
xorg.xcbutilkeysyms
|
||||||
|
xorg.xcbutilwm # contains xcb-ewmh among others
|
||||||
|
];
|
||||||
|
|
||||||
|
libPath = lib.makeLibraryPath (with pkgs; [
|
||||||
|
xorg.xcbutilimage
|
||||||
|
libGL
|
||||||
|
vulkan-loader
|
||||||
|
]);
|
||||||
|
|
||||||
|
postPatch = ''
|
||||||
|
echo ${version} > .tag
|
||||||
|
|
||||||
|
# tests are failing with: Unable to exchange encryption keys
|
||||||
|
# rm -r wezterm-ssh/tests
|
||||||
|
'';
|
||||||
|
|
||||||
|
preFixup = lib.optionalString pkgs.stdenv.isLinux ''
|
||||||
|
patchelf \
|
||||||
|
--add-needed "${pkgs.libGL}/lib/libEGL.so.1" \
|
||||||
|
--add-needed "${pkgs.vulkan-loader}/lib/libvulkan.so.1" \
|
||||||
|
$out/bin/wezterm-gui
|
||||||
|
'';
|
||||||
|
|
||||||
|
postInstall = ''
|
||||||
|
mkdir -p $out/nix-support
|
||||||
|
echo "${terminfo}" >> $out/nix-support/propagated-user-env-packages
|
||||||
|
|
||||||
|
install -Dm644 assets/icon/terminal.png $out/share/icons/hicolor/128x128/apps/org.wezfurlong.wezterm.png
|
||||||
|
install -Dm644 assets/wezterm.desktop $out/share/applications/org.wezfurlong.wezterm.desktop
|
||||||
|
install -Dm644 assets/wezterm.appdata.xml $out/share/metainfo/org.wezfurlong.wezterm.appdata.xml
|
||||||
|
|
||||||
|
install -Dm644 assets/shell-integration/wezterm.sh -t $out/etc/profile.d
|
||||||
|
installShellCompletion --cmd wezterm \
|
||||||
|
--bash assets/shell-completion/bash \
|
||||||
|
--fish assets/shell-completion/fish \
|
||||||
|
--zsh assets/shell-completion/zsh
|
||||||
|
|
||||||
|
install -Dm644 assets/wezterm-nautilus.py -t $out/share/nautilus-python/extensions
|
||||||
|
'';
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
homepage = "https://github.com/wez/wezterm";
|
homepage = "https://github.com/wez/wezterm";
|
||||||
description = "A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust";
|
description = "A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust";
|
||||||
license = lib.licenses.mit;
|
license = lib.licenses.mit;
|
||||||
|
maintainers = with bonLib.maintainers; [L-Nafaryus];
|
||||||
|
platforms = platforms.x86_64;
|
||||||
|
mainProgram = "wezterm";
|
||||||
};
|
};
|
||||||
})
|
};
|
||||||
|
in let
|
||||||
|
cargoArtifacts = craneLib.buildDepsOnly pkg;
|
||||||
|
in
|
||||||
|
craneLib.buildPackage (
|
||||||
|
pkg // {inherit cargoArtifacts;}
|
||||||
|
)
|
||||||
|
Loading…
Reference in New Issue
Block a user