Unverified Commit f66e2100 authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents 3016300d ea5a824f
+3 −0
@@ -212,3 +212,6 @@ ce21e97a1f20dee15da85c084f9d1148d84f853b

# format files with nixfmt (#347275)
adb9714bd909df283c66bbd641bd631ff50a4260

# treewide: incus packages
9ab59bb5fb943ad6740f64f5a79eae9642fb8211
+76 −15
@@ -8,14 +8,16 @@ let
  cfg = config.services.zapret;

  whitelist = lib.optionalString (
    cfg.whitelist != null
    (builtins.length cfg.whitelist) != 0
  ) "--hostlist ${pkgs.writeText "zapret-whitelist" (lib.concatStringsSep "\n" cfg.whitelist)}";

  blacklist =
    lib.optionalString (cfg.blacklist != null)
    lib.optionalString ((builtins.length cfg.blacklist) != 0)
      "--hostlist-exclude ${pkgs.writeText "zapret-blacklist" (lib.concatStringsSep "\n" cfg.blacklist)}";

  ports = if cfg.httpSupport then "80,443" else "443";
  params = lib.concatStringsSep " " cfg.params;

  qnum = toString cfg.qnum;
in
{
  options.services.zapret = {
@@ -29,7 +31,7 @@ in
          "--dpi-desync=fake,disorder2"
          "--dpi-desync-ttl=1"
          "--dpi-desync-autottl=2"
        ];
        ]
      '';
      description = ''
        Specify the bypass parameters for Zapret binary.
@@ -40,8 +42,8 @@ in
      '';
    };
    whitelist = lib.mkOption {
      default = null;
      type = with lib.types; nullOr (listOf str);
      default = [ ];
      type = with lib.types; listOf str;
      example = ''
        [
          "youtube.com"
@@ -59,8 +61,8 @@ in
      '';
    };
    blacklist = lib.mkOption {
      default = null;
      type = with lib.types; nullOr (listOf str);
      default = [ ];
      type = with lib.types; listOf str;
      example = ''
        [
          "example.com"
@@ -96,6 +98,43 @@ in
        Http bypass rarely works and you might want to disable it if you don't utilise http connections.
      '';
    };
    httpMode = lib.mkOption {
      default = "first";
      type = lib.types.enum [
        "first"
        "full"
      ];
      example = "full";
      description = ''
        By default this service only changes the first packet sent, which is enough in most cases.
        But there are DPIs that monitor the whole traffic within a session.
        That requires full processing of every packet, which increases the CPU usage.

        Set the mode to `full` if http doesn't work.
      '';
    };
    udpSupport = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Enable UDP routing.
        This requires you to specify `udpPorts` and `--dpi-desync-any-protocol` parameter.
      '';
    };
    udpPorts = lib.mkOption {
      default = [ ];
      type = with lib.types; listOf str;
      example = ''
        [
          "50000:50099"
          "1234"
        ]
      '';
      description = ''
        List of UDP ports to route.
        Port ranges are delimited with a colon like this "50000:50099".
      '';
    };
  };

  config = lib.mkIf cfg.enable (
@@ -103,13 +142,21 @@ in
      {
        assertions = [
          {
            assertion = (cfg.whitelist == null) || (cfg.blacklist == null);
            assertion = (builtins.length cfg.whitelist) == 0 || (builtins.length cfg.blacklist) == 0;
            message = "Can't specify both whitelist and blacklist.";
          }
          {
            assertion = (builtins.length cfg.params) != 0;
            message = "You have to specify zapret parameters. See the params option's description.";
          }
          {
            assertion = cfg.udpSupport -> (builtins.length cfg.udpPorts) != 0;
            message = "You have to specify UDP ports or disable UDP support.";
          }
          {
            assertion = !cfg.configureFirewall || !config.networking.nftables.enable;
            message = "You need to manually configure you firewall for Zapret service when using nftables.";
          }
        ];

        systemd.services.zapret = {
@@ -117,13 +164,13 @@ in
          wantedBy = [ "multi-user.target" ];
          after = [ "network.target" ];
          serviceConfig = {
            ExecStart = "${cfg.package}/bin/nfqws --pidfile=/run/nfqws.pid ${lib.concatStringsSep " " cfg.params} ${whitelist} ${blacklist} --qnum=${toString cfg.qnum}";
            ExecStart = "${cfg.package}/bin/nfqws --pidfile=/run/nfqws.pid ${params} ${whitelist} ${blacklist} --qnum=${qnum}";
            Type = "simple";
            PIDFile = "/run/nfqws.pid";
            Restart = "always";
            RuntimeMaxSec = "1h"; # This service loves to crash silently or cause network slowdowns. It also restarts instantly. In my experience restarting it hourly provided the best experience.
            RuntimeMaxSec = "1h"; # This service loves to crash silently or cause network slowdowns. It also restarts instantly. Restarting it at least hourly provided the best experience.

            # hardening
            # Hardening.
            DevicePolicy = "closed";
            KeyringMode = "private";
            PrivateTmp = true;
@@ -145,8 +192,22 @@ in

      # Route system traffic via service for specified ports.
      (lib.mkIf cfg.configureFirewall {
        networking.firewall.extraCommands = ''
          iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports ${ports} -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${toString cfg.qnum} --queue-bypass
        networking.firewall.extraCommands =
          let
            httpParams = lib.optionalString (
              cfg.httpMode == "first"
            ) "-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6";

            udpPorts = lib.concatStringsSep "," cfg.udpPorts;
          in
          ''
            ip46tables -t mangle -I POSTROUTING -p tcp --dport 443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass
          ''
          + lib.optionalString (cfg.httpSupport) ''
            ip46tables -t mangle -I POSTROUTING -p tcp --dport 80 ${httpParams} -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass
          ''
          + lib.optionalString (cfg.udpSupport) ''
            ip46tables -t mangle -A POSTROUTING -p udp -m multiport --dports ${udpPorts} -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass
          '';
      })
    ]
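Review bot: `udpPorts` is declared as `listOf str` and its entries are joined and spliced unquoted into the `ip46tables ... -m multiport --dports ${udpPorts}` line of `networking.firewall.extraCommands`, so a malformed entry (whitespace, a stray shell character, a non-numeric range) is only caught when the firewall script runs at activation and aborts the rule set, rather than at evaluation time; `type = with lib.types; listOf (strMatching "[0-9]+(:[0-9]+)?");` would reject such values before they reach the shell. The `udpSupport` description states that the `--dpi-desync-any-protocol` parameter is required, but the new assertion only checks that `udpPorts` is non-empty, so an assertion like `cfg.udpSupport -> lib.elem "--dpi-desync-any-protocol" cfg.params` with a matching message would enforce what is currently only documented. Two smaller points: `-m multiport` accepts a bounded number of ports/ranges (15 in iptables), so a long `udpPorts` list presumably fails at runtime and deserves a sentence in the option description, and the UDP rule uses `-A` while the TCP rules use `-I`, which places it at the end of the chain unlike them — a short comment would clarify whether that ordering is intended. The enclosing `config = lib.mkIf cfg.enable (...)` block begins before and continues past this hunk.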
+67 −42
{ lib, config, pkgs, ... }:
{
  lib,
  config,
  pkgs,
  ...
}:

let
  templateSubmodule = {...}: {
  templateSubmodule =
    { ... }:
    {
      options = {
        enable = lib.mkEnableOption "this template";

@@ -28,24 +35,37 @@ let
  toYAML = name: data: pkgs.writeText name (lib.generators.toYAML { } data);

  cfg = config.virtualisation.lxc;
  templates = if cfg.templates != {} then let
    list = lib.mapAttrsToList (name: value: { inherit name; } // value)
      (lib.filterAttrs (name: value: value.enable) cfg.templates);
  templates =
    if cfg.templates != { } then
      let
        list = lib.mapAttrsToList (name: value: { inherit name; } // value) (
          lib.filterAttrs (name: value: value.enable) cfg.templates
        );
      in
      {
        files = map (tpl: {
          source = tpl.template;
          target = "/templates/${tpl.name}.tpl";
        }) list;
      properties = lib.listToAttrs (map (tpl: lib.nameValuePair tpl.target {
        properties = lib.listToAttrs (
          map (
            tpl:
            lib.nameValuePair tpl.target {
              when = tpl.when;
              template = "${tpl.name}.tpl";
              properties = tpl.properties;
      }) list);
            }
  else { files = []; properties = {}; };
          ) list
        );
      }
    else
      {
        files = [ ];
        properties = { };
      };

in {
in
{
  imports = [
    ../image/file-options.nix
  ];
@@ -91,7 +111,10 @@ in {
  };

  config = {
    system.nixos.tags = [ "lxc" "metadata" ];
    system.nixos.tags = [
      "lxc"
      "metadata"
    ];
    image.extension = "tar.xz";
    image.filePath = "tarball/${config.image.fileName}";
    system.build.image = config.system.build.metadata;
@@ -100,7 +123,9 @@ in {
      contents = [
        {
          source = toYAML "metadata.yaml" {
            architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.stdenv.hostPlatform.system)) 0;
            architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (
              toString pkgs.stdenv.hostPlatform.system
            )) 0;
            creation_date = 1;
            properties = {
              description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.stdenv.hostPlatform.system}";
+53 −48
# LXC Configuration

{ config, lib, pkgs, ... }:
{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.virtualisation.lxc;
@@ -12,8 +17,7 @@ in
  };

  options.virtualisation.lxc = {
    enable =
      lib.mkOption {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
@@ -25,8 +29,7 @@ in

    unprivilegedContainers = lib.mkEnableOption "support for unprivileged users to launch containers";

    systemConfig =
      lib.mkOption {
    systemConfig = lib.mkOption {
      type = lib.types.lines;
      default = "";
      description = ''
@@ -36,8 +39,7 @@ in
    };
    package = lib.mkPackageOption pkgs "lxc" { };

    defaultConfig =
      lib.mkOption {
    defaultConfig = lib.mkOption {
      type = lib.types.lines;
      default = "";
      description = ''
@@ -46,8 +48,7 @@ in
      '';
    };

    usernetConfig =
      lib.mkOption {
    usernetConfig = lib.mkOption {
      type = lib.types.lines;
      default = "";
      description = ''
@@ -56,8 +57,7 @@ in
      '';
    };

      bridgeConfig =
        lib.mkOption {
    bridgeConfig = lib.mkOption {
      type = lib.types.lines;
      default = "";
      description = ''
@@ -108,7 +108,12 @@ in
      lxc-net = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        path = [ pkgs.iproute2 pkgs.iptables pkgs.getent pkgs.dnsmasq ];
        path = [
          pkgs.iproute2
          pkgs.iptables
          pkgs.getent
          pkgs.dnsmasq
        ];
      };
    };
  };
+25 −20
# LXC Configuration

{ config, lib, pkgs, ... }:
{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.virtualisation.lxc.lxcfs;
in {
in
{
  meta = {
    maintainers = lib.teams.lxc.members;
  };

  ###### interface
  options.virtualisation.lxc.lxcfs = {
    enable =
      lib.mkOption {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''