vpn: Add config

Sweetbread 2024-11-08 01:21:28 +03:00
parent 8dce0a7147
commit 07cd80e41a
14 changed files with 87 additions and 179 deletions


@ -5,3 +5,7 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *primary - *primary
- path_regex: nixos/hosts/(Rias|Senko|Eclipse)/secrets/.+$
key_groups:
- age:
- *primary
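Review bot: The new `path_regex` on the added rule ends with `$` but has no leading `^`, so if sops applies it as an unanchored match it will also fire on any path that merely contains that substring; `path_regex: ^nixos/hosts/(Rias|Senko|Eclipse)/secrets/.+$` pins it to the repository-relative prefix. The rule also lists a single `*primary` age recipient for all three hosts, which appears to mean one identity decrypts every host's secrets; if per-host identities exist, separate key groups per host would limit what a compromised host can read. The `creation_rules` list starts outside the hunk.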


@ -33,6 +33,7 @@
}; };
modules = [ modules = [
./nixos/hosts/Rias/configuration.nix ./nixos/hosts/Rias/configuration.nix
inputs.sops-nix.nixosModules.sops
]; ];
}; };
@ -46,6 +47,7 @@
}; };
modules = [ modules = [
./nixos/hosts/Senko/configuration.nix ./nixos/hosts/Senko/configuration.nix
inputs.sops-nix.nixosModules.sops
]; ];
}; };
@ -59,6 +61,7 @@
}; };
modules = [ modules = [
./nixos/hosts/Eclipse/configuration.nix ./nixos/hosts/Eclipse/configuration.nix
inputs.sops-nix.nixosModules.sops
]; ];
}; };
}; };
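Review bot: `inputs.sops-nix.nixosModules.sops` is added verbatim to each of the three host module lists in this file (this hunk and the two preceding ones); hoisting it into a shared list such as `commonModules = [ inputs.sops-nix.nixosModules.sops ];` and `modules = commonModules ++ [ ./nixos/hosts/Rias/configuration.nix ];` keeps the hosts from drifting when the next shared module is added. The enclosing attribute set starts outside the hunk.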


@ -1,6 +1,7 @@
{ config, pkgs, ...}: { { config, pkgs, ...}: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./secrets/secrets.nix
../../packages.nix ../../packages.nix
../../modules/bundle.nix ../../modules/bundle.nix
../../modules/gamemode.nix ../../modules/gamemode.nix


@ -0,0 +1,9 @@
{
sops = {
age.keyFile = "/root/age.key";
secrets.vpn_bolt = {
format = "binary";
sopsFile = ./vpn_bolt.db;
};
};
}
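Review bot: `secrets.vpn_bolt` sets only `format` and `sopsFile`, so the decrypted file gets sops-nix's defaults (root-owned, mode 0400); that is appropriate for a root-run consumer, but stating `owner` and `mode` explicitly documents the assumption and fails loudly if the consuming service is later moved to a dedicated user. The same nine lines, including `age.keyFile = "/root/age.key";`, appear again in the second new `secrets.nix` below and are shared with Senko via the symlink, so a single module with the key path set once would avoid three copies. Because every host decrypts the same file with `/root/age.key`, that file presumably holds the same identity on each host — confirm; per-host identities would limit the blast radius of one host's key leaking.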



@ -1,6 +1,7 @@
{ config, pkgs, ...}: { { config, pkgs, inputs, ...}: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./secrets/secrets.nix
../../packages.nix ../../packages.nix
../../modules/bundle.nix ../../modules/bundle.nix
../../modules/adb.nix ../../modules/adb.nix
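Review bot: `inputs` is added to this host's argument set on the first line of the hunk but nothing in the hunk uses it, and the other two host configurations in this commit keep `{ config, pkgs, ...}`; if it is not referenced further down the file, drop it, and if it is, it has to be supplied through `specialArgs` (or `_module.args`) by the flake, which the flake hunk above does not show. The module body continues outside the hunk.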


@ -0,0 +1,9 @@
{
sops = {
age.keyFile = "/root/age.key";
secrets.vpn_bolt = {
format = "binary";
sopsFile = ./vpn_bolt.db;
};
};
}



@ -1,6 +1,7 @@
{ config, pkgs, ...}: { { config, pkgs, ...}: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./secrets/secrets.nix
../../packages.nix ../../packages.nix
../../modules/bundle.nix ../../modules/bundle.nix
../../modules/adb.nix ../../modules/adb.nix

nixos/hosts/Senko/secrets Symbolic link

@ -0,0 +1 @@
../Rias/secrets


@ -12,6 +12,5 @@
./vpn.nix ./vpn.nix
./printing.nix ./printing.nix
./shutdown-on-lan.nix ./shutdown-on-lan.nix
./zapret/zapret.nix
]; ];
} }


@ -1,4 +1,4 @@
{pkgs, ...}: { {pkgs, config, ...}: {
systemd.services.v2raya = { systemd.services.v2raya = {
enable = true; enable = true;
description = "v2rayA gui client"; description = "v2rayA gui client";
@ -7,7 +7,22 @@
Restart = "always"; Restart = "always";
ExecStart = "${pkgs.v2raya}/bin/v2rayA"; ExecStart = "${pkgs.v2raya}/bin/v2rayA";
}; };
path = with pkgs; [ iptables bash ]; path = with pkgs; [ iptables bash iproute2 ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment = {
V2RAYA_LOG_FILE = "/var/log/v2raya/v2raya.log";
V2RAY_LOCATION_ASSET = "/etc/v2raya";
XRAY_LOCATION_ASSET = "/etc/v2raya";
};
};
environment.etc = {
"v2raya/ru_geoip.dat".source = pkgs.fetchurl {
name = "geoip.dat";
url = "https://github.com/runetfreedom/russia-blocked-geoip/releases/download/202411071531/geoip.dat";
hash = "sha256-BBQUTzUIWpSjFxv3R6hGfoE+WTeNcVpc7Ge3eOCKxuY=";
};
"v2raya/bolt.db".source = config.sops.secrets.vpn_bolt.path;
}; };
} }
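Review bot: `"v2raya/bolt.db".source = config.sops.secrets.vpn_bolt.path;` links `/etc/v2raya/bolt.db` to the decrypted secret under `/run/secrets`, which sops-nix regenerates from the encrypted file on every activation and boot; if v2rayA writes to its bolt.db at runtime (it looks like its live state database — confirm), every change it makes is silently lost at the next switch and never lands back in `vpn_bolt.db`. If a read-only seed is the intent, say so next to that line, e.g. `# bolt.db is re-seeded from sops on each activation; runtime edits do not persist`; otherwise copy the secret into a writable `StateDirectory` from an `ExecStartPre` step instead of linking it. Two smaller items: the geoip asset is installed as `ru_geoip.dat` while `fetchurl` names it `geoip.dat`, so the core will not pick it up as the default `geoip.dat` unless routing rules reference that file name explicitly; and `V2RAYA_LOG_FILE` points into `/var/log/v2raya`, which nothing in the hunk creates (`serviceConfig.LogsDirectory = "v2raya";` would). The `serviceConfig` attribute set is opened outside the hunk.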


@ -1,48 +0,0 @@
{ pkgs, ... }: {
disabledModules = [ "services/networking/zapret.nix" ]; # необходимо если версия nixpkgs новее 5a5c04d
imports = [ ./zapret_service.nix ];
services.zapret = {
enable = true;
mode = "nfqws";
settings = ''
SET_MAXELEM=522288
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
AUTOHOSTLIST_DEBUGLOG=0
MDIG_THREADS=30
GZIP_LISTS=1
QUIC_PORTS=50000-65535
MODE_HTTP=1
MODE_HTTP_KEEPALIVE=0
MODE_HTTPS=1
MODE_QUIC=1
MODE_FILTER=none
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum"
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=5"
NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=fake --dpi-desync-ttl=5"
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake,tamper --dpi-desync-repeats=6 --dpi-desync-any-protocol"
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --hostcase --oob"
FLOWOFFLOAD=donttouch
INIT_APPLY_FW=1
DISABLE_IPV6=1
'';
};
}


@ -1,127 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.services.zapret;
in
{
options.services.zapret = {
enable = mkEnableOption "DPI bypass multi platform service";
package = mkPackageOption pkgs "zapret" { };
settings = mkOption {
type = types.lines;
default = "";
example = ''
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
NFQWS_OPT_DESYNC="--dpi-desync-ttl=5"
'';
description = ''
Rules for zapret to work. Run ```nix-shell -p zapret --command blockcheck``` to get values to pass here.
Config example can be found here https://github.com/bol-van/zapret/blob/master/config.default
'';
};
firewallType = mkOption {
type = types.enum [
"iptables"
"nftables"
];
default = "iptables";
description = ''
Which firewall zapret should use
'';
};
disableIpv6 = mkOption {
type = types.bool;
# recommended by upstream
default = true;
description = ''
Disable or enable usage of IpV6 by zapret
'';
};
mode = mkOption {
type = types.enum [
"tpws"
"tpws-socks"
"nfqws"
"filter"
"custom"
];
default = "tpws";
description = ''
Which mode zapret should use
'';
};
};
config = mkIf cfg.enable {
users.users.tpws = {
isSystemUser = true;
group = "tpws";
};
users.groups.tpws = { };
systemd.services.zapret = {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
(if cfg.firewallType == "iptables" then iptables else nftables)
gawk
ipset
];
serviceConfig = {
Type = "forking";
Restart = "no";
TimeoutSec = "30sec";
IgnoreSIGPIPE = "no";
KillMode = "none";
GuessMainPID = "no";
RemainAfterExit = "no";
ExecStart = "${cfg.package}/bin/zapret start";
ExecStop = "${cfg.package}/bin/zapret stop";
EnvironmentFile = pkgs.writeText "${cfg.package.pname}-environment" (concatStrings [
''
MODE=${cfg.mode}
FWTYPE=${cfg.firewallType}
DISABLE_IPV6=${if cfg.disableIpv6 then "1" else "0"}
''
cfg.settings
]);
# hardening
DevicePolicy = "closed";
KeyringMode = "private";
PrivateTmp = true;
PrivateMounts = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
};
};
};
}