nixos/zapret: init (#347805)

Author: azahi

maintainers/maintainer-list.nix

@@ -22652,6 +22652,13 @@
     githubId = 144771550;
     name = "Luca Uricariu";
   };
+  voronind = {
+    email = "[email protected]";
+    name = "Dmitry Voronin";
+    github = "voronind-com";
+    githubId = 22127600;
+    keys = [ { fingerprint = "3241 FDAD 82A7 E22D 4279  F405 913F 3267 9278 2E1C"; } ];
+  };
   votava = {
     email = "[email protected]";
     github = "janvotava";

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -183,6 +183,8 @@
 
 - [Fedimint](https://github.com/fedimint/fedimint), a module based system for building federated applications (Federated E-Cash Mint). Available as [services.fedimintd](#opt-services.fedimintd).
 
+- [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret).
+
 ## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
 
 - The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details.

nixos/modules/module-list.nix

@@ -1277,6 +1277,7 @@
   ./services/networking/xray.nix
   ./services/networking/xrdp.nix
   ./services/networking/yggdrasil.nix
+  ./services/networking/zapret.nix
   ./services/networking/zerobin.nix
   ./services/networking/zeronet.nix
   ./services/networking/zerotierone.nix

nixos/modules/services/networking/zapret.nix

@@ -0,0 +1,159 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.zapret;
+
+  whitelist = lib.optionalString (
+    cfg.whitelist != null
+  ) "--hostlist ${pkgs.writeText "zapret-whitelist" (lib.concatStringsSep "\n" cfg.whitelist)}";
+
+  blacklist =
+    lib.optionalString (cfg.blacklist != null)
+      "--hostlist-exclude ${pkgs.writeText "zapret-blacklist" (lib.concatStringsSep "\n" cfg.blacklist)}";
+
+  ports = if cfg.httpSupport then "80,443" else "443";
+in
+{
+  options.services.zapret = {
+    enable = lib.mkEnableOption "the Zapret DPI bypass service.";
+    package = lib.mkPackageOption pkgs "zapret" { };
+    params = lib.mkOption {
+      default = [ ];
+      type = with lib.types; listOf str;
+      example = ''
+        [
+          "--dpi-desync=fake,disorder2"
+          "--dpi-desync-ttl=1"
+          "--dpi-desync-autottl=2"
+        ];
+      '';
+      description = ''
+        Specify the bypass parameters for Zapret binary.
+        There are no universal parameters as they vary between different networks, so you'll have to find them yourself.
+
+        This can be done by running the `blockcheck` binary from zapret package, i.e. `nix-shell -p zapret --command blockcheck`.
+        It'll try different params and then tell you which params are working for your network.
+      '';
+    };
+    whitelist = lib.mkOption {
+      default = null;
+      type = with lib.types; nullOr (listOf str);
+      example = ''
+        [
+          "youtube.com"
+          "googlevideo.com"
+          "ytimg.com"
+          "youtu.be"
+        ]
+      '';
+      description = ''
+        Specify a list of domains to bypass. All other domains will be ignored.
+        You can specify either whitelist or blacklist, but not both.
+        If neither are specified, then bypass all domains.
+
+        It is recommended to specify the whitelist. This will make sure that other resources won't be affected by this service.
+      '';
+    };
+    blacklist = lib.mkOption {
+      default = null;
+      type = with lib.types; nullOr (listOf str);
+      example = ''
+        [
+          "example.com"
+        ]
+      '';
+      description = ''
+        Specify a list of domains NOT to bypass. All other domains will be bypassed.
+        You can specify either whitelist or blacklist, but not both.
+        If neither are specified, then bypass all domains.
+      '';
+    };
+    qnum = lib.mkOption {
+      default = 200;
+      type = lib.types.int;
+      description = ''
+        Routing queue number.
+        Only change this if you already use the default queue number somewhere else.
+      '';
+    };
+    configureFirewall = lib.mkOption {
+      default = true;
+      type = lib.types.bool;
+      description = ''
+        Whether to setup firewall routing so that system http(s) traffic is forwarded via this service.
+        Disable if you want to set it up manually.
+      '';
+    };
+    httpSupport = lib.mkOption {
+      default = true;
+      type = lib.types.bool;
+      description = ''
+        Whether to route http traffic on port 80.
+        Http bypass rarely works and you might want to disable it if you don't utilise http connections.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable (
+    lib.mkMerge [
+      {
+        assertions = [
+          {
+            assertion = (cfg.whitelist == null) || (cfg.blacklist == null);
+            message = "Can't specify both whitelist and blacklist.";
+          }
+          {
+            assertion = (builtins.length cfg.params) != 0;
+            message = "You have to specify zapret parameters. See the params option's description.";
+          }
+        ];
+
+        systemd.services.zapret = {
+          description = "DPI bypass service";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            ExecStart = "${cfg.package}/bin/nfqws --pidfile=/run/nfqws.pid ${lib.concatStringsSep " " cfg.params} ${whitelist} ${blacklist} --qnum=${toString cfg.qnum}";
+            Type = "simple";
+            PIDFile = "/run/nfqws.pid";
+            Restart = "always";
+            RuntimeMaxSec = "1h"; # This service loves to crash silently or cause network slowdowns. It also restarts instantly. In my experience restarting it hourly provided the best experience.
+
+            # hardening
+            DevicePolicy = "closed";
+            KeyringMode = "private";
+            PrivateTmp = true;
+            PrivateMounts = true;
+            ProtectHome = true;
+            ProtectHostname = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectSystem = "strict";
+            ProtectProc = "invisible";
+            RemoveIPC = true;
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+          };
+        };
+      }
+
+      # Route system traffic via service for specified ports.
+      (lib.mkIf cfg.configureFirewall {
+        networking.firewall.extraCommands = ''
+          iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports ${ports} -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${toString cfg.qnum} --queue-bypass
+        '';
+      })
+    ]
+  );
+
+  meta.maintainers = with lib.maintainers; [
+    voronind
+    nishimara
+  ];
+}