nixosModules.zapret: manage filter lists only in service runtime

2024-09-21 18:30:43 +05:00
4 changed files with 40 additions and 155 deletions
--- a/nixosConfigurations/astora/users.nix
+++ b/nixosConfigurations/astora/users.nix
@ -641,22 +641,23 @@

  services.zapret = {
    enable = true;
-    mode = "tpws";
+    mode = "nfqws";
    firewallType = "iptables";
    disableIpv6 = true;
    settings = ''
      MODE_HTTP=1
      MODE_HTTP_KEEPALIVE=0
      MODE_HTTPS=1
-      MODE_QUIC=0
+      MODE_QUIC=1
      MODE_FILTER=ipset
-      TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
+      TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
+      NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=7 --dpi-desync-fake-http=0x00000000"
+      NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake,split2 --dpi-desync-ttl=4"
+      NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=split2 --dpi-desync-split-pos=1"
+      NFQWS_OPT_DESYNC_QUIC="--dpi-desync=split2 --dpi-desync-repeats=6"
      INIT_APPLY_FW=1
    '';
-    filterAddresses = lib.readFile (pkgs.fetchurl {
-      url = "https://antifilter.network/download/ipsmart.lst";
-      hash = "sha256-zLq3rgci/rye1oQp2zbJelPaoN9+jqPebIbxfJ44Qlg=";
-    });
+    filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
  };

  # TODO: remember who use gvfs
--- a/nixosModules/services/zapret.nix
+++ b/nixosModules/services/zapret.nix
@ -101,14 +101,30 @@ in {
      description = "List of addresses to ignore";
    };

-    # TODO: add filter and anti filter options with optional file paths
-    # TODO ipset hashsize and maxelem
+    dataDir = mkOption {
+      type = types.path;
+      default = "/var/lib/zapret";
+      description = ''
+        Directory to store zapret files and antifilter lists.
+      '';
+    };
+
+    filterAddressesSource = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      example = ''https://antifilter.network/download/ipsmart.lst'';
+      description = "Link to external list of addresses to download and use.";
+    };
+
+    # TODO: ipset hashsize and maxelem
  };

  config = mkIf cfg.enable {
    users.users.tpws = {
      isSystemUser = true;
      group = "tpws";
+      home = cfg.dataDir;
+      createHome = true;
    };

    users.groups.tpws = {};
@ -126,6 +142,8 @@ in {
        )
        gawk
        ipset
+        wget
+        curl
      ];

      serviceConfig = {
@ -133,10 +151,11 @@ in {
        Restart = "no";
        TimeoutSec = "30sec";
        IgnoreSIGPIPE = "no";
-        KillMode = "none";
+        #KillMode = "none";
        GuessMainPID = "no";
        RemainAfterExit = "no";

+        WorkingDirectory = cfg.dataDir;
        ExecStart = "${cfg.package}/bin/zapret start";
        ExecStop = let
          stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
@ -157,37 +176,25 @@ in {
            DISABLE_IPV6=${toString cfg.disableIPV6}
          ''
        ]);
-
-        # hardening
-        DevicePolicy = "closed";
-        KeyringMode = "private";
-        PrivateTmp = true;
-        PrivateMounts = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectSystem = "strict";
-        ProtectProc = "invisible";
-        RemoveIPC = true;
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
      };

      preStart = let
-        # zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" (lib.readFile cfg.package.passthru.antifilter.ipsmart));
-        zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" cfg.filterAddresses);
-        nozapretListFile = pkgs.writeText "nozapretList" (createFilterList "nozapret" cfg.ignoreAddresses);
+        zapretListFile = src: pkgs.writeText "zapretList" (createFilterList "zapret" src);
+        nozapretListFile = src: pkgs.writeText "nozapretList" (createFilterList "nozapret" src);
      in ''
+        ${lib.optionalString (cfg.filterAddressesSource != null) "curl -L '${cfg.filterAddressesSource}' -o ${cfg.dataDir}/zapretList && sed -i -e 's/^/add zapret /' '${cfg.dataDir}/zapretList'"}
+
        ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
        ipset flush zapret
-        ipset restore -! < ${zapretListFile}
+        ipset restore -! < ${
+          if (cfg.filterAddressesSource != null)
+          then "${cfg.dataDir}/zapretList"
+          else (zapretListFile cfg.filterAddresses)
+        }

        ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
        ipset flush nozapret
-        ipset restore -! < ${nozapretListFile}
+        ipset restore -! < ${nozapretListFile cfg.ignoreAddresses}
      '';
    };
  };
--- a/packages/default.nix
+++ b/packages/default.nix
@ -23,29 +23,6 @@
    fenixPkgs = inputs.fenix.packages.${system};
    nixvimPkgs = inputs.nixvim.legacyPackages.${system};
    weztermPkgs = inputs.wezterm.packages.${system};
-
-    dreamModules = inputs.dream2nix.modules.dream2nix;
-
-    dreamBuildPackage = {
-      module,
-      meta ? {},
-      extraModules ? [],
-      extraArgs ? {},
-    }:
-      (
-        pkgs.lib.evalModules {
-          modules = [module] ++ extraModules;
-          specialArgs =
-            {
-              inherit (inputs) dream2nix;
-              packageSets.nixpkgs = pkgs;
-            }
-            // extraArgs;
-        }
-      )
-      .config
-      .public
-      // {inherit meta;};
  };
 in
  bonLib.collectPackages platformInputs {
@ -104,12 +81,6 @@ in
      builder = {pkgs, ...}: pkgs.callPackage;
    };

-    onetagger = {
-      source = ./onetagger;
-      platforms = ["x86_64-linux"];
-      builder = {pkgs, ...}: pkgs.callPackage;
-    };
-
    # Pass for cache

    blender = {
--- a/packages/onetagger/default.nix
+++ b/packages/onetagger/default.nix
@ -1,94 +0,0 @@
-{
-  bonLib,
-  craneLib,
-  lib,
-  pkgs,
-  dreamBuildPackage,
-  dreamModules,
-  version ? "v1.7.0",
-  # TODO: assign hash
-  hash ? "",
-  ...
-}: let
-  src = pkgs.fetchFromGitHub {
-    owner = "Marekkon5";
-    repo = "onetagger";
-    rev = version;
-    hash = hash;
-  };
-
-  client = dreamBuildPackage {
-    extraModules = [
-      {
-        # TODO: locate root
-        paths.projectRoot = ./client;
-        paths.projectRootFile = "flake.nix";
-        paths.package = ./client;
-      }
-    ];
-    module = {
-      lib,
-      config,
-      dream2nix,
-      ...
-    }: {
-      name = "client";
-      version = "0.0.0";
-
-      imports = [
-        dreamModules.WIP-nodejs-builder-v3
-      ];
-
-      mkDerivation = {
-        # TODO: add source path
-        src = src;
-      };
-
-      deps = {nixpkgs, ...}: {
-        inherit
-          (nixpkgs)
-          fetchFromGitHub
-          stdenv
-          ;
-      };
-
-      WIP-nodejs-builder-v3 = {
-        # TODO: generate lock and pass here
-        packageLockFile = "${config.mkDerivation.src}/package-lock.json";
-      };
-    };
-  };
-
-  common = rec {
-    pname = "onetagger";
-    inherit version;
-
-    src = pkgs.lib.cleanSourceWith {
-      src = src;
-      filter = path: type: (craneLib.filterCargoSources path type);
-    };
-
-    # TODO: understand broken git+ dependency
-    songrec = craneLib.downloadCargoPackageFromGit {
-      git = "https://github.com/Marekkon5/SongRec.git";
-      rev = "d52238b3aa3b092ffcf9766794583d84c60473bb";
-    };
-
-    cargoVendorDir = craneLib.vendorCargoDeps {
-      src = src;
-    };
-
-    strictDeps = false;
-
-    nativeBuildInputs = with pkgs; [pkg-config];
-
-    buildInputs = with pkgs; [alsa-lib cairo pango webkitgtk_4_1];
-
-    configurePhase = ''
-      cp -rv ${client}/dist ./client/
-    '';
-  };
-
-  cargoArtifacts = craneLib.buildDepsOnly common;
-in
-  craneLib.buildPackage (common // {inherit cargoArtifacts;})