Merge master into staging-next

NixOS · Oct 16, 2024 · 961e429 · 961e429
2 parents d32a4e0 + 0c1085e
commit 961e429
Show file tree

Hide file tree

Showing 37 changed files with 400 additions and 185 deletions.
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -22652,6 +22652,13 @@
     githubId = 144771550;
     name = "Luca Uricariu";
   };
+  voronind = {
+    email = "hi@voronind.com";
+    name = "Dmitry Voronin";
+    github = "voronind-com";
+    githubId = 22127600;
+    keys = [ { fingerprint = "3241 FDAD 82A7 E22D 4279  F405 913F 3267 9278 2E1C"; } ];
+  };
   votava = {
     email = "votava@gmail.com";
     github = "janvotava";

diff --git a/maintainers/team-list.nix b/maintainers/team-list.nix
@@ -752,6 +752,16 @@ with lib.maintainers;
     enableFeatureFreezePing = true;
   };
 
+  ngi = {
+    members = [
+      eljamm
+      fricklerhandwerk
+      wegank
+    ];
+    scope = "Maintain NGI-supported software.";
+    shortName = "NGI";
+  };
+
   node = {
     members = [ winter ];
     scope = "Maintain Node.js runtimes and build tooling.";

diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -187,6 +187,8 @@
 
 - [Fedimint](https://github.com/fedimint/fedimint), a module based system for building federated applications (Federated E-Cash Mint). Available as [services.fedimintd](#opt-services.fedimintd).
 
+- [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret).
+
 ## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
 
 - The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details.

diff --git a/nixos/lib/systemd-lib.nix b/nixos/lib/systemd-lib.nix
@@ -17,6 +17,7 @@ let
     filterAttrs
     flatten
     flip
+    hasPrefix
     head
     isInt
     isFloat
@@ -196,6 +197,10 @@ in rec {
     optional (attr ? ${name})
       "Systemd ${group} field `${name}' has been removed. See ${see}";
 
+  assertKeyIsSystemdCredential = name: group: attr:
+    optional (attr ? ${name} && !(hasPrefix "@" attr.${name}))
+      "Systemd ${group} field `${name}' is not a systemd credential";
+
   checkUnitConfig = group: checks: attrs: let
     # We're applied at the top-level type (attrsOf unitOption), so the actual
     # unit options might contain attributes from mkOverride and mkIf that we need to

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -1277,6 +1277,7 @@
   ./services/networking/xray.nix
   ./services/networking/xrdp.nix
   ./services/networking/yggdrasil.nix
+  ./services/networking/zapret.nix
   ./services/networking/zerobin.nix
   ./services/networking/zeronet.nix
   ./services/networking/zerotierone.nix

diff --git a/nixos/modules/services/networking/headscale.nix b/nixos/modules/services/networking/headscale.nix
@@ -20,6 +20,11 @@
   settingsFormat = pkgs.formats.yaml {};
   configFile = settingsFormat.generate "headscale.yaml" cfg.settings;
   cliConfigFile = settingsFormat.generate "headscale.yaml" cliConfig;
+
+  assertRemovedOption = option: message: {
+    assertion = !lib.hasAttrByPath option cfg;
+    message = "The option `services.headscale.${lib.options.showOption option}` was removed. " + message;
+  };
 in {
   options = {
     services.headscale = {
@@ -82,21 +87,6 @@ in {
         type = lib.types.submodule {
           freeformType = settingsFormat.type;
 
-          imports = with lib; [
-            (mkAliasOptionModule ["acl_policy_path"] ["policy" "path"])
-            (mkAliasOptionModule ["db_host"] ["database" "postgres" "host"])
-            (mkAliasOptionModule ["db_name"] ["database" "postgres" "name"])
-            (mkAliasOptionModule ["db_password_file"] ["database" "postgres" "password_file"])
-            (mkAliasOptionModule ["db_path"] ["database" "sqlite" "path"])
-            (mkAliasOptionModule ["db_port"] ["database" "postgres" "port"])
-            (mkAliasOptionModule ["db_type"] ["database" "type"])
-            (mkAliasOptionModule ["db_user"] ["database" "postgres" "user"])
-            (mkAliasOptionModule ["dns_config" "base_domain"] ["dns" "base_domain"])
-            (mkAliasOptionModule ["dns_config" "domains"] ["dns" "search_domains"])
-            (mkAliasOptionModule ["dns_config" "magic_dns"] ["dns" "magic_dns"])
-            (mkAliasOptionModule ["dns_config" "nameservers"] ["dns" "nameservers" "global"])
-          ];
-
           options = {
             server_url = lib.mkOption {
               type = lib.types.str;
@@ -299,7 +289,6 @@ in {
                 default = true;
                 description = ''
                   Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
-                  Only works if there is at least a nameserver defined.
                 '';
                 example = false;
               };
@@ -309,11 +298,13 @@ in {
                 default = "";
                 description = ''
                   Defines the base domain to create the hostnames for MagicDNS.
-                  {option}`baseDomain` must be a FQDNs, without the trailing dot.
-                  The FQDN of the hosts will be
-                  `hostname.namespace.base_domain` (e.g.
-                  `myhost.mynamespace.example.com`).
+                  This domain must be different from the {option}`server_url`
+                  domain.
+                  {option}`base_domain` must be a FQDN, without the trailing dot.
+                  The FQDN of the hosts will be `hostname.base_domain` (e.g.
+                  `myhost.tailnet.example.com`).
                 '';
+                example = "tailnet.example.com";
               };
 
               nameservers = {
@@ -500,6 +491,30 @@ in {
   ];
 
   config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        # This is stricter than it needs to be but is exactly what upstream does:
+        # https://github.com/kradalby/headscale/blob/adc084f20f843d7963c999764fa83939668d2d2c/hscontrol/types/config.go#L799
+        assertion = with cfg.settings; dns.use_username_in_magic_dns or false || dns.base_domain == "" || !lib.hasInfix dns.base_domain server_url;
+        message = "server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.";
+      }
+      {
+        assertion = with cfg.settings; dns.magic_dns -> dns.base_domain != "";
+        message = "dns.base_domain must be set when using MagicDNS";
+      }
+      (assertRemovedOption ["settings" "acl_policy_path"] "Use `policy.path` instead.")
+      (assertRemovedOption ["settings" "db_host"] "Use `database.postgres.host` instead.")
+      (assertRemovedOption ["settings" "db_name"] "Use `database.postgres.name` instead.")
+      (assertRemovedOption ["settings" "db_password_file"] "Use `database.postgres.password_file` instead.")
+      (assertRemovedOption ["settings" "db_path"] "Use `database.sqlite.path` instead.")
+      (assertRemovedOption ["settings" "db_port"] "Use `database.postgres.port` instead.")
+      (assertRemovedOption ["settings" "db_type"] "Use `database.type` instead.")
+      (assertRemovedOption ["settings" "db_user"] "Use `database.postgres.user` instead.")
+      (assertRemovedOption ["settings" "dns_config"] "Use `dns` instead.")
+      (assertRemovedOption ["settings" "dns_config" "domains"] "Use `dns.search_domains` instead.")
+      (assertRemovedOption ["settings" "dns_config" "nameservers"] "Use `dns.nameservers.global` instead.")
+    ];
+
     services.headscale.settings = lib.mkMerge [
       cliConfig
       {

diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix
@@ -5,8 +5,6 @@ with lib;
 let
   cfg = config.services.resilio;
 
-  resilioSync = pkgs.resilio-sync;
-
   sharedFoldersRecord = map (entry: {
     dir = entry.directory;
 
@@ -83,6 +81,8 @@ in
         '';
       };
 
+      package = mkPackageOption pkgs "resilio-sync" { };
+
       deviceName = mkOption {
         type = types.str;
         example = "Voltron";
@@ -285,7 +285,7 @@ in
         RuntimeDirectory = "rslsync";
         ExecStartPre = "${createConfig}/bin/create-resilio-config";
         ExecStart = ''
-          ${resilioSync}/bin/rslsync --nodaemon --config ${runConfigPath}
+          ${lib.getExe cfg.package} --nodaemon --config ${runConfigPath}
         '';
       };
     };

diff --git a/nixos/modules/services/networking/zapret.nix b/nixos/modules/services/networking/zapret.nix
@@ -0,0 +1,159 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.zapret;
+
+  whitelist = lib.optionalString (
+    cfg.whitelist != null
+  ) "--hostlist ${pkgs.writeText "zapret-whitelist" (lib.concatStringsSep "\n" cfg.whitelist)}";
+
+  blacklist =
+    lib.optionalString (cfg.blacklist != null)
+      "--hostlist-exclude ${pkgs.writeText "zapret-blacklist" (lib.concatStringsSep "\n" cfg.blacklist)}";
+
+  ports = if cfg.httpSupport then "80,443" else "443";
+in
+{
+  options.services.zapret = {
+    enable = lib.mkEnableOption "the Zapret DPI bypass service.";
+    package = lib.mkPackageOption pkgs "zapret" { };
+    params = lib.mkOption {
+      default = [ ];
+      type = with lib.types; listOf str;
+      example = ''
+        [
+          "--dpi-desync=fake,disorder2"
+          "--dpi-desync-ttl=1"
+          "--dpi-desync-autottl=2"
+        ];
+      '';
+      description = ''
+        Specify the bypass parameters for Zapret binary.
+        There are no universal parameters as they vary between different networks, so you'll have to find them yourself.
+
+        This can be done by running the `blockcheck` binary from zapret package, i.e. `nix-shell -p zapret --command blockcheck`.
+        It'll try different params and then tell you which params are working for your network.
+      '';
+    };
+    whitelist = lib.mkOption {
+      default = null;
+      type = with lib.types; nullOr (listOf str);
+      example = ''
+        [
+          "youtube.com"
+          "googlevideo.com"
+          "ytimg.com"
+          "youtu.be"
+        ]
+      '';
+      description = ''
+        Specify a list of domains to bypass. All other domains will be ignored.
+        You can specify either whitelist or blacklist, but not both.
+        If neither are specified, then bypass all domains.
+
+        It is recommended to specify the whitelist. This will make sure that other resources won't be affected by this service.
+      '';
+    };
+    blacklist = lib.mkOption {
+      default = null;
+      type = with lib.types; nullOr (listOf str);
+      example = ''
+        [
+          "example.com"
+        ]
+      '';
+      description = ''
+        Specify a list of domains NOT to bypass. All other domains will be bypassed.
+        You can specify either whitelist or blacklist, but not both.
+        If neither are specified, then bypass all domains.
+      '';
+    };
+    qnum = lib.mkOption {
+      default = 200;
+      type = lib.types.int;
+      description = ''
+        Routing queue number.
+        Only change this if you already use the default queue number somewhere else.
+      '';
+    };
+    configureFirewall = lib.mkOption {
+      default = true;
+      type = lib.types.bool;
+      description = ''
+        Whether to setup firewall routing so that system http(s) traffic is forwarded via this service.
+        Disable if you want to set it up manually.
+      '';
+    };
+    httpSupport = lib.mkOption {
+      default = true;
+      type = lib.types.bool;
+      description = ''
+        Whether to route http traffic on port 80.
+        Http bypass rarely works and you might want to disable it if you don't utilise http connections.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable (
+    lib.mkMerge [
+      {
+        assertions = [
+          {
+            assertion = (cfg.whitelist == null) || (cfg.blacklist == null);
+            message = "Can't specify both whitelist and blacklist.";
+          }
+          {
+            assertion = (builtins.length cfg.params) != 0;
+            message = "You have to specify zapret parameters. See the params option's description.";
+          }
+        ];
+
+        systemd.services.zapret = {
+          description = "DPI bypass service";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            ExecStart = "${cfg.package}/bin/nfqws --pidfile=/run/nfqws.pid ${lib.concatStringsSep " " cfg.params} ${whitelist} ${blacklist} --qnum=${toString cfg.qnum}";
+            Type = "simple";
+            PIDFile = "/run/nfqws.pid";
+            Restart = "always";
+            RuntimeMaxSec = "1h"; # This service loves to crash silently or cause network slowdowns. It also restarts instantly. In my experience restarting it hourly provided the best experience.
+
+            # hardening
+            DevicePolicy = "closed";
+            KeyringMode = "private";
+            PrivateTmp = true;
+            PrivateMounts = true;
+            ProtectHome = true;
+            ProtectHostname = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectSystem = "strict";
+            ProtectProc = "invisible";
+            RemoveIPC = true;
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+          };
+        };
+      }
+
+      # Route system traffic via service for specified ports.
+      (lib.mkIf cfg.configureFirewall {
+        networking.firewall.extraCommands = ''
+          iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports ${ports} -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${toString cfg.qnum} --queue-bypass
+        '';
+      })
+    ]
+  );
+
+  meta.maintainers = with lib.maintainers; [
+    voronind
+    nishimara
+  ];
+}
diff --git a/nixos/modules/services/web-apps/freshrss.nix b/nixos/modules/services/web-apps/freshrss.nix
@@ -4,8 +4,6 @@ with lib;
 let
   cfg = config.services.freshrss;
 
-  poolName = "freshrss";
-
   extension-env = pkgs.buildEnv {
     name = "freshrss-extensions";
     paths = cfg.extensions;
@@ -141,8 +139,8 @@ in
     };
 
     pool = mkOption {
-      type = types.str;
-      default = poolName;
+      type = types.nullOr types.str;
+      default = "freshrss";
       description = ''
         Name of the php-fpm pool to use and setup. If not specified, a pool will be created
         with default values.
@@ -235,8 +233,8 @@ in
       };
 
       # Set up phpfpm pool
-      services.phpfpm.pools = mkIf (cfg.pool == poolName) {
-        ${poolName} = {
+      services.phpfpm.pools = mkIf (cfg.pool != null) {
+        ${cfg.pool} = {
           user = "freshrss";
           settings = {
             "listen.owner" = "nginx";
@@ -271,9 +269,9 @@ in
         let
           settingsFlags = concatStringsSep " \\\n    "
             (mapAttrsToList (k: v: "${k} ${toString v}") {
-              "--default_user" = ''"${cfg.defaultUser}"'';
-              "--auth_type" = ''"${cfg.authType}"'';
-              "--base_url" = ''"${cfg.baseUrl}"'';
+              "--default-user" = ''"${cfg.defaultUser}"'';
+              "--auth-type" = ''"${cfg.authType}"'';
+              "--base-url" = ''"${cfg.baseUrl}"'';
               "--language" = ''"${cfg.language}"'';
               "--db-type" = ''"${cfg.database.type}"'';
               # The following attributes are optional depending on the type of