authorMark Nipper <nipsy@bitgnome.net>2026-01-04 16:09:00 -0800
committerMark Nipper <nipsy@bitgnome.net>2026-01-04 16:09:00 -0800
commit201056b1bb82249671e9101b526c8331e1783ef1 (patch)
treef1587a0932f19c84303087d444d8e3642a38c49f /hosts
parentfc6e5fed904ff2e95261ea3af87a3cc38daec58f (diff)
Add mitmproxy @darkstar to allow Assembly64 content to work with loadstar
Diffstat (limited to 'hosts')
-rw-r--r--hosts/darkstar/default.nix30
-rw-r--r--hosts/darkstar/mitmproxy-c64u.py90
-rw-r--r--hosts/darkstar/services.nix15
3 files changed, 126 insertions, 9 deletions
diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix
index 8cdf25e..a0e92c4 100644
--- a/hosts/darkstar/default.nix
+++ b/hosts/darkstar/default.nix
@@ -24,10 +24,13 @@
zfs.package = pkgs.zfs_unstable;
};
- environment.systemPackages = [
- pkgs.mitmproxy
- pkgs.speedtest-go
- ];
+ environment = {
+ etc."mitmproxy-c64u.py".source = ./mitmproxy-c64u.py;
+ systemPackages = [
+ pkgs.mitmproxy
+ pkgs.speedtest-go
+ ];
+ };
imports = [
./disks.nix
@@ -120,7 +123,23 @@
system.stateVersion = "23.11";
- systemd.services."nftables-extra" = let rules_script = ''
+ systemd.services = {
+ "mitmproxy" = let rules_script = ''
+ ${pkgs.mitmproxy}/bin/mitmproxy -p 80 -s /etc/mitmproxy-c64u.py --mode reverse:http://hackerswithstyle.se:80 --set block_global=false
+ ''; in {
+ description = "proxy for C64 site hackerswithstyle.se";
+ script = rules_script;
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 5;
+ StandardError = "append:/var/log/mitmproxy.log";
+ StandardOutput = "append:/var/log/mitmproxy.log";
+ Type = "simple";
+ };
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ };
+ "nftables-extra" = let rules_script = ''
${pkgs.nftables}/bin/nft -a list chain inet nixos-fw input | ${pkgs.gnugrep}/bin/grep @anveo | ${pkgs.gnugrep}/bin/grep -Eo 'handle [[:digit:]]+$' | ${pkgs.gnused}/bin/sed -e 's/^handle //' | while read handle; do ${pkgs.nftables}/bin/nft delete rule inet nixos-fw input handle ''${handle}; done
if ${pkgs.nftables}/bin/nft list set inet nixos-fw anveo 2>/dev/null; then ${pkgs.nftables}/bin/nft delete set inet nixos-fw anveo; fi
if ${pkgs.nftables}/bin/nft list ct helpers table inet nixos-fw | ${pkgs.gnugrep}/bin/grep -qE '^[[:space:]]*ct helper sip-5060 {$'; then ${pkgs.nftables}/bin/nft delete ct helper inet nixos-fw sip-5060; fi
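Review bot: The new `mitmproxy` unit sets no `User=` in its `serviceConfig`, so as written it would run as root while parsing HTTP from the network and executing the addon script, although on the lines shown only the port-80 bind appears to need privilege. Consider `DynamicUser = true;`, `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` and `StateDirectory = "mitmproxy";` with a matching `WorkingDirectory`, since the addon opens `clients.json` by relative path and no working directory is set here. `${pkgs.mitmproxy}/bin/mitmproxy` is the interactive console front end and expects a terminal; `mitmdump` from the same package accepts the same `-p`/`-s`/`--mode`/`--set` options and is the variant intended for unattended use. `--set block_global=false` disables mitmproxy's refusal of clients with public addresses; if only the 192.168.1.x LAN is meant to reach the proxy, the default would probably suffice.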
@@ -148,6 +167,7 @@
wantedBy = [ "multi-user.target" ];
after = [ "nftables.service" ];
partOf = [ "nftables.service" ];
+ };
};
systemd.paths."nftables-extra" = {
diff --git a/hosts/darkstar/mitmproxy-c64u.py b/hosts/darkstar/mitmproxy-c64u.py
new file mode 100644
index 0000000..520112a
--- /dev/null
+++ b/hosts/darkstar/mitmproxy-c64u.py
@@ -0,0 +1,90 @@
+import json
+import os
+from mitmproxy import http
+from datetime import datetime
+
+STATE_FILE = "clients.json"
+
+def load_state():
+ if os.path.exists(STATE_FILE):
+ with open(STATE_FILE, "r") as f:
+ return json.load(f)
+ return {}
+
+def save_state(state):
+ with open(STATE_FILE, "w") as f:
+ json.dump(state, f, indent=4)
+
+def request(flow: http.HTTPFlow) -> None:
+ client_ip = flow.client_conn.peername[0]
+ timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+
+ # Get Client-Id header to detect device type
+ client_id_header = flow.request.headers.get("Client-Id")
+
+ # Load saved server choice for this client (assembly64 or commoserve)
+ state = load_state()
+ server_choice = state.get(client_ip)
+
+ # Default: give them what they can't normally access
+ # C64U (Commodore) -> default to assembly64
+ # Ultimate64 (Ultimate) -> default to commoserve
+ if server_choice is None:
+ if client_id_header == "Ultimate":
+ server_choice = "commoserve"
+ else:
+ server_choice = "assembly64"
+
+ query_string = flow.request.query.get("query", "").lower()
+
+ # 1. KEYWORD LOGIC
+ if "assembly64" in query_string:
+ state[client_ip] = "assembly64"
+ save_state(state)
+ server_choice = "assembly64"
+ print(f"[{timestamp}] SWITCH: {client_ip} -> Assembly64")
+
+ elif "commoserve" in query_string:
+ state[client_ip] = "commoserve"
+ save_state(state)
+ server_choice = "commoserve"
+ print(f"[{timestamp}] SWITCH: {client_ip} -> Commoserve")
+
+ # 2. HELP FEATURE
+ elif "help" in query_string:
+ device = "Ultimate64" if client_id_header == "Ultimate" else "C64U"
+ help_text = (
+ "PROXY HELP:\n"
+ f"Device: {device}\n"
+ f"Current: {server_choice}\n"
+ "Search 'commoserve' or 'assembly64' to switch."
+ )
+ flow.response = http.Response.make(
+ 200,
+ json.dumps({"results": [{"name": help_text}]}),
+ {"Content-Type": "application/json"}
+ )
+ return
+
+ # 3. BOT PROTECTION
+ if not client_id_header and "/leet/search/" not in flow.request.path:
+ flow.kill()
+ return
+
+ # 4. APPLY HEADER PATCH
+ # C64U (Commodore) accessing assembly64 -> patch to Ultimate
+ # Ultimate64 (Ultimate) accessing commoserve -> patch to Commodore
+ if client_id_header == "Commodore" and server_choice == "assembly64":
+ flow.request.headers["Client-Id"] = "Ultimate"
+ print(f"[{timestamp}] PATCHED: {client_ip} (C64U) -> Assembly64")
+ elif client_id_header == "Ultimate" and server_choice == "commoserve":
+ flow.request.headers["Client-Id"] = "Commodore"
+ print(f"[{timestamp}] PATCHED: {client_ip} (Ultimate64) -> Commoserve")
+ else:
+ device = "Ultimate64" if client_id_header == "Ultimate" else "C64U"
+ print(f"[{timestamp}] FORWARDED: {client_ip} ({device}) -> {server_choice}")
+
+ # 5. FORWARDING
+ flow.request.host = "185.187.254.229"
+ flow.request.port = 80
+ flow.request.headers["Host"] = "hackerswithstyle.se"
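Review bot: In `request`, the `save_state` calls in the keyword branch (step 1) run before the step-3 check that kills requests without a `Client-Id`, so a request that is about to be dropped can still rewrite `clients.json`. `load_state` also lets a `json.JSONDecodeError` from a truncated or hand-edited file propagate, which would make the hook raise on every later request, and `save_state` truncates the file in place before writing. The sketch below moves the gate to the top and makes the state handling fail-safe using only the modules already imported; note that headerless requests outside `/leet/search/` would then no longer receive the help reply. Separately, the upstream address pinned in step 5 deserves a comment saying why it is hard-coded (presumably because the local resolver now answers for that name) and how to refresh it.

```python
def load_state():
    # A missing, unreadable or truncated state file falls back to defaults
    # instead of raising inside every request hook.
    try:
        with open(STATE_FILE, "r") as f:
            state = json.load(f)
    except (OSError, json.JSONDecodeError):
        return {}
    return state if isinstance(state, dict) else {}

def save_state(state):
    # Write a sibling file and rename it into place, so an interrupted
    # write cannot leave a half-written clients.json behind.
    tmp_path = STATE_FILE + ".tmp"
    with open(tmp_path, "w") as f:
        json.dump(state, f, indent=4)
    os.replace(tmp_path, STATE_FILE)

def request(flow: http.HTTPFlow) -> None:
    client_id_header = flow.request.headers.get("Client-Id")

    # Gate first: a request that will be dropped must not reach the state file.
    if not client_id_header and "/leet/search/" not in flow.request.path:
        flow.kill()
        return

    # … unchanged: client_ip/timestamp, state lookup, keyword logic, help reply, header patch, forwarding …
```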
diff --git a/hosts/darkstar/services.nix b/hosts/darkstar/services.nix
index 97d1750..ac033c9 100644
--- a/hosts/darkstar/services.nix
+++ b/hosts/darkstar/services.nix
@@ -7,10 +7,15 @@
allowedUDPPorts = [
53 # domain
];
- interfaces.enp116s0.allowedUDPPorts = [
- 69 # xinetd/tftpd
- 123 # ntp
- ];
+ interfaces.enp116s0 = {
+ allowedTCPPorts = [
+ 80 # http
+ ];
+ allowedUDPPorts = [
+ 69 # xinetd/tftpd
+ 123 # ntp
+ ];
+ };
};
};
@@ -41,6 +46,7 @@
];
local-data = [
"\"darkstar.bitgnome.net. IN A 192.168.1.1\""
+ "\"hackerswithstyle.se. IN A 192.168.1.1\""
"\"arrakis.bitgnome.net. IN A 192.168.1.2\""
"\"caladan.bitgnome.net. IN A 192.168.1.4\""
"\"jupiter.bitgnome.net. IN A 192.168.1.11\""
@@ -65,6 +71,7 @@
];
local-zone = [
"\"bitgnome.net.\" transparent"
+ "\"hackerswithstyle.se.\" transparent"
"\"1.168.192.in-addr.arpa.\" static"
];
verbosity = 2;
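Review bot: The `hackerswithstyle.se.` entries added to `local-zone` here and to `local-data` in the previous hunk override a third-party domain for every client of this resolver, and nothing in the file says why. A comment next to both entries would help the next reader, for example `# answered locally so C64 clients hit the mitmproxy reverse proxy on darkstar (see mitmproxy-c64u.py)`. It is also worth recording that the zone is `transparent`, so only the apex name with local data is redirected and other names under the domain still resolve upstream, and that the addon's pinned upstream address has to be kept current by hand because this host can no longer look the name up through its own resolver.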