zapret integration succsessfully

nixos/modules/minimal/users.nix

@@ -3,6 +3,6 @@
     users.users.ficache = {
         isNormalUser = true;
         description = "ficache";
-        extraGroups = [ "networkmanager" "wheel" "docker" "vboxusers" ];
+        extraGroups = [ "networkmanager" "wheel" "tpws" ];
     };
 }

nixos/modules/zapret.nix

@@ -1,42 +1,49 @@
-{ ... }:
+{ pkgs, ... }: {
+  disabledModules = [ "services/networking/zapret.nix" ]; # необходимо если версия nixpkgs новее 5a5c04d
   
-{
+  imports = [ ./zapret_service.nix ];
-  services = {
+  
-    zapret = {
+  services.zapret = {
-      enable = true;
+    enable = true;
-      params = [
+    mode = "nfqws";
-	"--dpi-desync-autottl=3"
+
-	"--wssize 1:6"
+    settings = ''
-	"--dpi-desync-fake-tls=0x00000000"
+SET_MAXELEM=522288
-	"-dpi-desync-split-pos=1"
+IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
-	"--dpi-desync=syndata,fake,split2"
+
-	"--dpi-desync-repeats=6"
+IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
-	"-dpi-desync-fooling=md5sig"
+IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
-	"--new"
+AUTOHOSTLIST_RETRANS_THRESHOLD=3
-      ];
+AUTOHOSTLIST_FAIL_THRESHOLD=3
-      whitelist = [
+AUTOHOSTLIST_FAIL_TIME=60
-      	"googlevideo.com"
+AUTOHOSTLIST_DEBUGLOG=0
-	"youtu.be"
+
-	"youtube.com"
+MDIG_THREADS=30
-	"youtubei.googleapis.com"
+
-	"youtubeembeddedplayer.googleapis.com"
+GZIP_LISTS=1
-	"ytimg.l.google.com"
+QUIC_PORTS=50000-65535
-	"ytimg.com"
+
-	"jnn-pa.googleapis.com"
+MODE=nfqws
-	"youtube-nocookie.com"
+MODE_HTTP=1
-	"youtube-ui.l.google.com"
+MODE_HTTP_KEEPALIVE=0
-	"yt-video-upload.l.google.com"
+MODE_HTTPS=1
-	"wide-youtube.l.google.com"
+MODE_QUIC=1
-	"youtubekids.com"
+MODE_FILTER=none
-	"ggphs.com"
+
-	"discord.com"
+DESYNC_MARK=0x40000000
-	"gateway.discord.gg"
+DESYNC_MARK_POSTNAT=0x20000000
-	"cdn.discordapp.com"
+NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badseq"
-	"discordapp.net"
+NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake --dpi-desync-ttl=5"
-	"discordapp.com"
+NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=fake --dpi-desync-ttl=5"
-	"discord.gg"
+NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake,tamper --dpi-desync-repeats=6 --dpi-desync-any-protocol"
-	"media.discordapp.net"
+
-      ];
+TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --hostcase --oob"
-    };
+
+FLOWOFFLOAD=donttouch
+
+INIT_APPLY_FW=1
+
+DISABLE_IPV6=1
+    '';
   };
 }

nixos/modules/zapret_service.nix

@@ -0,0 +1,127 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.services.zapret;
+in
+{
+  options.services.zapret = {
+    enable = mkEnableOption "DPI bypass multi platform service";
+
+    package = mkPackageOption pkgs "zapret" { };
+
+    settings = mkOption {
+      type = types.lines;
+      default = "";
+
+      example = ''
+        TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
+        NFQWS_OPT_DESYNC="--dpi-desync-ttl=5"
+      '';
+
+      description = ''
+        Rules for zapret to work. Run ```nix-shell -p zapret --command blockcheck``` to get values to pass here.
+        Config example can be found here https://github.com/bol-van/zapret/blob/master/config.default
+      '';
+    };
+
+    firewallType = mkOption {
+      type = types.enum [
+        "iptables"
+        "nftables"
+      ];
+      default = "iptables";
+      description = ''
+        Which firewall zapret should use
+      '';
+    };
+
+    disableIpv6 = mkOption {
+      type = types.bool;
+      # recommended by upstream
+      default = true;
+      description = ''
+        Disable or enable usage of IpV6 by zapret
+      '';
+    };
+
+    mode = mkOption {
+      type = types.enum [
+        "tpws"
+        "tpws-socks"
+        "nfqws"
+        "filter"
+        "custom"
+      ];
+      default = "tpws";
+      description = ''
+        Which mode zapret should use
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.tpws = {
+      isSystemUser = true;
+      group = "tpws";
+    };
+
+    users.groups.tpws = { };
+
+    systemd.services.zapret = {
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [
+        (if cfg.firewallType == "iptables" then iptables else nftables)
+        gawk
+        ipset
+      ];
+
+      serviceConfig = {
+        Type = "forking";
+        Restart = "no";
+        TimeoutSec = "30sec";
+        IgnoreSIGPIPE = "no";
+        KillMode = "none";
+        GuessMainPID = "no";
+        RemainAfterExit = "no";
+        ExecStart = "${cfg.package}/bin/zapret start";
+        ExecStop = "${cfg.package}/bin/zapret stop";
+
+        EnvironmentFile = pkgs.writeText "${cfg.package.pname}-environment" (concatStrings [
+          ''
+            MODE=${cfg.mode}
+            FWTYPE=${cfg.firewallType}
+            DISABLE_IPV6=${if cfg.disableIpv6 then "1" else "0"}
+          ''
+          cfg.settings
+        ]);
+
+        # hardening
+        DevicePolicy = "closed";
+        KeyringMode = "private";
+        PrivateTmp = true;
+        PrivateMounts = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        ProtectProc = "invisible";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+      };
+    };
+  };
+}