{
flake.homeModules.network-tools =
  {
    osConfig,
    pkgs,
    lib,
    ...
  }:
  let
    inherit (lib.lists) optionals;

    # curl linked against OpenSSL (QUIC-capable) with the optional protocol,
    # auth and codec backends switched on.  Each `*Support` flag is a nixpkgs
    # curl override argument that toggles the matching library, so this list
    # is also the list of parsers and dependencies the binary carries.
    curl' = pkgs.curl.override {
      gnutlsSupport = false;
      opensslSupport = true; # OpenSSL supports QUIC.
      rustlsSupport = false;
      brotliSupport = true;
      zlibSupport = true;
      zstdSupport = true;
      c-aresSupport = true;
      http2Support = true;
      http3Support = true;
      gsaslSupport = true;
      idnSupport = true;
      ldapSupport = true;
      pslSupport = true;
      rtmpSupport = true;
      scpSupport = true;
      websocketSupport = true;
    };

    # xh without the platform TLS stack, so it links rustls instead.
    xh' = pkgs.xh.override {
      withNativeTls = false; # Use rustls.
    };

    # Tools installed on every platform.
    commonTools = [
      curl'
      xh'
      pkgs.dig
      pkgs.doggo
      pkgs.inetutils
    ];

    # macOS only: an `ip`-style front-end over the BSD networking commands.
    darwinTools = optionals osConfig.nixpkgs.hostPlatform.isDarwin [
      pkgs.iproute2mac
    ];
  in
  {
    packages = commonTools ++ darwinTools;
  };
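flake.nixosModules.network =
  { config, lib, ... }:
  let
    inherit (lib.lists) map singleton;
    inherit (lib.modules) mkAfter mkDefault;
    inherit (lib.strings) concatStringsSep optionalString replaceStrings;

    zapret = config.services.zapret;
    qnum = toString zapret.qnum;

    # zapret's udpPorts use iptables range syntax ("a:b"); nft wants "a-b".
    udpPortSet = zapret.udpPorts |> map (replaceStrings [ ":" ] [ "-" ]) |> concatStringsSep ", ";

    # Builds one nfqueue rule for the given port match.
    #  * `fib daddr type != local`: only traffic leaving the host is diverted,
    #    never packets addressed to a local address.
    #  * `meta mark & $desync_mark == 0`: packets zapret has already handled
    #    carry mark 0x40000000 and are not queued a second time.
    #  * `bypass`: with nothing bound to the queue the packet is accepted
    #    instead of dropped, so a stopped zapret degrades to plain networking.
    # The explanations live up here on purpose: a comment line placed between
    # backslash-continued lines can terminate the rule early in nft, which
    # would leave the `!= local` filter detached from the queue verdict.
    queueRule = portMatch: ''
      fib daddr type != local \
        meta mark & $desync_mark == 0 \
        ${portMatch} \
        queue num ${qnum} bypass;
    '';
  in
  {
    # WPA passphrase, age-encrypted; only root can read the decrypted env file.
    # (`secrets` and `persist` below appear to be this repository's own
    # options rather than upstream NixOS ones.)
    secrets.wifiEnv = {
      file = ./password.env.age;
      owner = "root";
      mode = "0400";
    };
    persist.subvolumes = singleton "/var/lib/NetworkManager";

    networking.wireless.enable = false; # NetworkManager (via iwd) owns Wi-Fi.
    networking.networkmanager = {
      enable = true;
      wifi.backend = "iwd";
      # NetworkManager leaves resolv.conf alone; a resolver is presumably
      # configured elsewhere — verify.
      dns = "none";
      ensureProfiles = {
        # The profile in the store only holds the `$WIFI_PSK` placeholder; the
        # value is substituted from this env file when the profile is written.
        environmentFiles = singleton config.secrets.wifiEnv.path;
        profiles.home = {
          connection.id = "home";
          connection.type = "wifi";
          wifi.ssid = "PALA";
          wifi-security.key-mgmt = "wpa-psk";
          wifi-security.psk = "$WIFI_PSK";
        };
      };
    };

    networking.nftables.enable = true;
    services.zapret = {
      enable = true;
      # This configures iptables, we use nftables.
      configureFirewall = false;
      # Troll packets on port 80 too.
      httpSupport = true;
      params = mkDefault [
        "--dpi-desync=fake,disorder2"
        "--dpi-desync-ttl=1"
        "--dpi-desync-autottl=2"
      ];
    };

    # Hand-written replacement for the iptables rules zapret would install
    # itself with configureFirewall = true.  HTTPS is always queued; 80/tcp and
    # the UDP port set follow the module's httpSupport/udpSupport switches.
    networking.nftables.ruleset = mkAfter /* nft */ ''
      table inet zapret {
        define desync_mark = 0x40000000
        chain postrouting {
          type filter hook postrouting priority mangle;
          policy accept;
          ${queueRule "tcp dport 443"}
          ${optionalString zapret.httpSupport (queueRule "tcp dport 80")}
          ${optionalString zapret.udpSupport (queueRule "udp dport { ${udpPortSet} }")}
        }
      }
    '';
  };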
}