From ef0fd54cbf5bbfb019a5743e5da226196c012d5a Mon Sep 17 00:00:00 2001
From: ficache
Date: Sun, 10 Nov 2024 18:20:35 +0300
Subject: [PATCH] zapret integration succsessfully
---
 nixos/modules/minimal/users.nix | 2 +-
 nixos/modules/zapret.nix | 85 +++++++++++----------
 nixos/modules/zapret_service.nix | 127 +++++++++++++++++++++++++++++++
 3 files changed, 174 insertions(+), 40 deletions(-)
 create mode 100644 nixos/modules/zapret_service.nix
diff --git a/nixos/modules/minimal/users.nix b/nixos/modules/minimal/users.nix
index aaf6107..db7b460 100644
--- a/nixos/modules/minimal/users.nix
+++ b/nixos/modules/minimal/users.nix
@@ -3,6 +3,6 @@
 users.users.ficache = {
 isNormalUser = true;
 description = "ficache";
- extraGroups = [ "networkmanager" "wheel" "docker" "vboxusers" ];
+ extraGroups = [ "networkmanager" "wheel" "tpws" ];
 };
 }
diff --git a/nixos/modules/zapret.nix b/nixos/modules/zapret.nix
index 97eab5f..3698401 100644
--- a/nixos/modules/zapret.nix
+++ b/nixos/modules/zapret.nix
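Review bot: Adding the interactive account `ficache` to `"tpws"` in `extraGroups` gives a human user membership in the group that `zapret_service.nix` creates solely as the service's system account, which is more than the integration appears to need and deserves at least a comment saying why. If I read zapret's firewall setup correctly, the `tpws` uid/gid is what the redirect rules use to recognise the daemon's own traffic, so this membership may also exempt the user's own connections from the bypass; worth confirming before keeping it. Dropping `"docker"` and `"vboxusers"` is unrelated to the subject line and would be clearer as its own commit, or at least named in the description.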
@@ -1,42 +1,49 @@
-{ ... }:
+{ pkgs, ... }:
 {
+ disabledModules = [ "services/networking/zapret.nix" ]; # необходимо если версия nixpkgs новее 5a5c04d
+
+ imports = [ ./zapret_service.nix ];
+
+ services.zapret = {
+ enable = true;
+ mode = "nfqws";
-{
- services = {
- zapret = {
- enable = true;
- params = [
- "--dpi-desync-autottl=3"
- "--wssize 1:6"
- "--dpi-desync-fake-tls=0x00000000"
- "-dpi-desync-split-pos=1"
- "--dpi-desync=syndata,fake,split2"
- "--dpi-desync-repeats=6"
- "-dpi-desync-fooling=md5sig"
- "--new"
- ];
- whitelist = [
- "googlevideo.com"
- "youtu.be"
- "youtube.com"
- "youtubei.googleapis.com"
- "youtubeembeddedplayer.googleapis.com"
- "ytimg.l.google.com"
- "ytimg.com"
- "jnn-pa.googleapis.com"
- "youtube-nocookie.com"
- "youtube-ui.l.google.com"
- "yt-video-upload.l.google.com"
- "wide-youtube.l.google.com"
- "youtubekids.com"
- "ggphs.com"
- "discord.com"
- "gateway.discord.gg"
- "cdn.discordapp.com"
- "discordapp.net"
- "discordapp.com"
- "discord.gg"
- "media.discordapp.net"
- ];
- };
+ settings = ''
+SET_MAXELEM=522288
+IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
+
+IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
+IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
+AUTOHOSTLIST_RETRANS_THRESHOLD=3
+AUTOHOSTLIST_FAIL_THRESHOLD=3
+AUTOHOSTLIST_FAIL_TIME=60
+AUTOHOSTLIST_DEBUGLOG=0
+
+MDIG_THREADS=30
+
+GZIP_LISTS=1
+QUIC_PORTS=50000-65535
+
+MODE=nfqws
+MODE_HTTP=1
+MODE_HTTP_KEEPALIVE=0
+MODE_HTTPS=1
+MODE_QUIC=1
+MODE_FILTER=none
+
+DESYNC_MARK=0x40000000
+DESYNC_MARK_POSTNAT=0x20000000
+NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badseq"
+NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake --dpi-desync-ttl=5"
+NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=fake --dpi-desync-ttl=5"
+NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake,tamper --dpi-desync-repeats=6 --dpi-desync-any-protocol"
+
+TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --hostcase --oob"
+
+FLOWOFFLOAD=donttouch
+
+INIT_APPLY_FW=1
+
+DISABLE_IPV6=1
+ '';
 };
 }
diff --git a/nixos/modules/zapret_service.nix b/nixos/modules/zapret_service.nix
new file mode 100644
index 0000000..c08a296
--- /dev/null
+++ b/nixos/modules/zapret_service.nix
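Review bot: `MODE=nfqws` and `DISABLE_IPV6=1` inside `settings` duplicate values that `zapret_service.nix` already derives from `services.zapret.mode` and `disableIpv6`; because `cfg.settings` is appended after those generated lines in the EnvironmentFile, the copies here win, so changing `mode` later would silently have no effect. Drop the two lines from `settings` and let the typed options carry them. Separately, `IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"` relies on `$SET_MAXELEM` being expanded, but the file is consumed as a systemd EnvironmentFile rather than sourced by a shell, which to my knowledge does not expand variable references; unless zapret's scripts re-evaluate the value, ipset would receive the literal `$SET_MAXELEM`, so writing `maxelem 522288` is the safer form. The `disabledModules` comment is the only explanation of why a vendored service module exists; an English version naming the nixpkgs revision it tracks would help the next reader.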
@@ -0,0 +1,127 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+
+with lib;
+
+let
+ cfg = config.services.zapret;
+in
+{
+ options.services.zapret = {
+ enable = mkEnableOption "DPI bypass multi platform service";
+
+ package = mkPackageOption pkgs "zapret" { };
+
+ settings = mkOption {
+ type = types.lines;
+ default = "";
+
+ example = ''
+ TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
+ NFQWS_OPT_DESYNC="--dpi-desync-ttl=5"
+ '';
+
+ description = ''
+ Rules for zapret to work. Run ```nix-shell -p zapret --command blockcheck``` to get values to pass here.
+ Config example can be found here https://github.com/bol-van/zapret/blob/master/config.default
+ '';
+ };
+
+ firewallType = mkOption {
+ type = types.enum [
+ "iptables"
+ "nftables"
+ ];
+ default = "iptables";
+ description = ''
+ Which firewall zapret should use
+ '';
+ };
+
+ disableIpv6 = mkOption {
+ type = types.bool;
+ # recommended by upstream
+ default = true;
+ description = ''
+ Disable or enable usage of IpV6 by zapret
+ '';
+ };
+
+ mode = mkOption {
+ type = types.enum [
+ "tpws"
+ "tpws-socks"
+ "nfqws"
+ "filter"
+ "custom"
+ ];
+ default = "tpws";
+ description = ''
+ Which mode zapret should use
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.tpws = {
+ isSystemUser = true;
+ group = "tpws";
+ };
+
+ users.groups.tpws = { };
+
+ systemd.services.zapret = {
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ path = with pkgs; [
+ (if cfg.firewallType == "iptables" then iptables else nftables)
+ gawk
+ ipset
+ ];
+
+ serviceConfig = {
+ Type = "forking";
+ Restart = "no";
+ TimeoutSec = "30sec";
+ IgnoreSIGPIPE = "no";
+ KillMode = "none";
+ GuessMainPID = "no";
+ RemainAfterExit = "no";
+ ExecStart = "${cfg.package}/bin/zapret start";
+ ExecStop = "${cfg.package}/bin/zapret stop";
+
+ EnvironmentFile = pkgs.writeText "${cfg.package.pname}-environment" (concatStrings [
+ ''
+ MODE=${cfg.mode}
+ FWTYPE=${cfg.firewallType}
+ DISABLE_IPV6=${if cfg.disableIpv6 then "1" else "0"}
+ ''
+ cfg.settings
+ ]);
+
+ # hardening
+ DevicePolicy = "closed";
+ KeyringMode = "private";
+ PrivateTmp = true;
+ PrivateMounts = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ };
+ };
+ };
+}
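Review bot: The `settings` option description does not say where its lines end up: they are written verbatim into the unit's `EnvironmentFile` after the generated `MODE`, `FWTYPE` and `DISABLE_IPV6` lines, so a duplicate of one of those keys in `settings` silently overrides the typed option. Add to the description something like `Lines are appended to the systemd EnvironmentFile after MODE, FWTYPE and DISABLE_IPV6, so setting those keys here overrides the corresponding options.` `KillMode = "none"` is deprecated in current systemd (it logs a warning) and, together with `GuessMainPID = "no"` and no `PIDFile`, leaves systemd with no process to track, so stopping the unit depends entirely on `ExecStop`; if this mirrors upstream's unit because `zapret stop` must also tear down the firewall rules, a comment saying so would keep the next reader from "fixing" it. The file also lacks a header explaining that it is a vendored copy of the in-tree module pending the nixpkgs revision named in zapret.nix. Style: `with lib;` at file scope is discouraged in nixpkgs-style modules; `inherit (lib) mkOption mkIf types;` or `lib.` prefixes keep the names explicit.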