search

apernet / OpenGFW

OpenGFW is a flexible, easy-to-use, open source implementation of GFW (Great Firewall of China) on Linux
https://gfw.dev/
Mozilla Public License 2.0
9.47k stars 711 forks source link

Add Nix Flake with packaging and module #63

Open eum3l opened 6 months ago

eum3l commented 6 months ago

This Flake provides a NixOS module, Nix package and a Nix devshell for OpenGFW. With the packaging it is for example possible to run OpenGFW from anywhere just by:

nix run github:apernet/OpenGFW

The module adds a Systemd Service by an unprivileged user, who is able to run OpenGFW via a wrapper for the cap_net_admin capability.

It provides the following options:

Using it would look something like this:

{...}: {
  services.opengfw = {
    enable = true;
    settings = {
      io = {
        queueSize = 1024;
        local = true;
      };

      workers = {
        count = 4;
        queueSize = 16;
        tcpMaxBufferedPagesTotal = 4096;
        tcpMaxBufferedPagesPerConn = 64;
        udpMaxStreams = 4096;
      };
    };

    rules = [
      {
        name = "block CN geoip";
        action = "block";
        expr = ''geoip(string(ip.dst), "cn")'';
      }
      {
        name = "v2ex dns poisoning";
        action = "modify";
        modifier = {
          name = "dns";
          args = {
            a = "0.0.0.0";
            aaaa = "::";
          };
        };
        expr = ''dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})'';
      }
    ];
  };
}

You can either set rules/settings, rulesFile/settingsFile or put config.yaml and rules.yaml manually to dir. Then it is also possible to reload the service on changes, as it sends SIGHUP to $MAINPID.

One downside of this is, that you would need to run gomod2nix with every change to go.mod for the package to work:

nix develop --command gomod2nix
haruue commented 6 months ago

Thanks for your contribution.

Supporting the Nix ecosystem is definitely a good idea. However, I think this PR has added too many files to this repo, which will always require maintenance in the future. Especially, as the OpenGFW is not a Nix-related project, maintaining these files will increase the complexity of future development.

Could you please consider maintaining this Nix Flake in a separate repo? We can include a reference in our README.md.

BTW I Use NixOS.

eum3l commented 6 months ago

I could do that. I will also try to get this into nixpkgs, even though the README suggests that the project isn't ready for general use.

eum3l commented 6 months ago

Hi, the flake is available here for now, as my nixpkgs pull request hasn't received a comment or review in 5 days. It would be great if someone could take a quick look at the module's documentation or review my pull request.