nixos/zapret: init

[Nishimara]

Description of changes

Added zapret service. Systemd service is from upstream, not sure if i need to change it, except hardening

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[ASHGOLDOFFICIAL]

Options like that should be created:

    # a better name needed
    ipsetHostsUser = {
      exclude = mkOption {
        type = types.lines;
        default = ''
          10.0.0.0/8
          172.16.0.0/12
          192.168.0.0/16
          169.254.0.0/16
          fc00::/7
          fe80::/10
        '';
        description = "Contents of ipset/zapret-hosts-user-exclude.txt.";
      };
      
      include = mkOption {
        type = types.lines;
        default = "";
        example = "nonexistent.domain";
        description = "Contents of ipset/zapret-hosts-user.txt.";
      };
  
      ipban = mkOption {
        type = types.lines;
        default = "";
        example = "nonexistent.domain";
        description = "Contents of ipset/zapret-hosts-user-ipban.txt.";
      };
    };

Then values of these options should be written somewhere. Is there a way (for example, by changing an environment variable) to tell zapret to look for these files in different directory (somewhere in /etc, for example). Maybe we can ask bol-van to create such functionality?

Maybe add arguments with default values like hostsUserExclude ? "notadomen.domain" to package definition, and then during configurePhase or some other phase write these arguments' values to needed files. But in that case module can't be used (I think).

[Nishimara]

I don't think that we can do something with files, that meant to be changed except config. We can put this in package options, but that will be nasty

package = pkgs.zapret.override {
  zapret-hosts-user = ''
    site1
    site2
    ...
  '';
};

We can change files in package source so it will look in /etc/zapret rather than in $ZAPRET_BASE/ipset, but that's too much changes. I will create an issue in zapret.

For now you can use even nastier method

package = pkgs.zapret.overrideAttrs (prev: {
  installPhase = ''
    ${prev.installPhase}
    
    cat << EOF > $out/usr/share/zapret/ipset/needed-file
      needed-configuration
    EOF
  '';
});

[ASHGOLDOFFICIAL]

I think every way to implement it now would be nasty. The only clean way is for bol-van to allow changing these files' location. I'm not an expert but I think configuration files should be separate from program's files.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/4379

[voronind-com]

I've created an alternative PR here #347805

[Nishimara]

Closing due to better implementation at #347805