frp: add stcp support

flake.nix

@@ -490,6 +490,13 @@
                     nix = { device = "/nix"; hashTableSizeMB = 128; };
                   };
                 };
+                frpClient =
+                {
+                  enable = true;
+                  serverName = "frp.chn.moe";
+                  user = "nas";
+                  stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; };
+                };
               };
               users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
             };})

modules/services/frp.nix

@@ -1,3 +1,5 @@
+# TODO: update to json config at 23.11
+# TODO: switch to module in nixpkgs
 inputs:
 {
   options.nixos.services = let inherit (inputs.lib) mkOption types; in
@@ -21,6 +23,18 @@ inputs:
         }));
         default = {};
       };
+      stcp = mkOption
+      {
+        type = types.attrsOf (types.submodule (inputs:
+        {
+          options =
+          {
+            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
+            localPort = mkOption { type = types.ints.unsigned; };
+          };
+        }));
+        default = {};
+      };
     };
     frpServer =
     {
@@ -92,6 +106,21 @@ inputs:
                   })
                   (attrsToList frpClient.tcp))
                 )
+                // (listToAttrs (map
+                  (stcp:
+                  {
+                    name = stcp.name;
+                    value =
+                    {
+                      type = "stcp";
+                      sk = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
+                      local_ip = stcp.value.localIp;
+                      local_port = stcp.value.localPort;
+                      use_compression = true;
+                    };
+                  })
+                  (attrsToList frpClient.stcp))
+                )
               );
             };
             secrets."frp/token" = {};

modules/services/groupshare.nix

@@ -20,6 +20,7 @@ inputs:
           (user:
           [
             "d /var/lib/groupshare/${user} 2750 ${user} groupshare"
+            # TODO: auto set 'X' bit in 23.11
             # systemd 253 does not support 'X' bit, it should be manually set
             # sudo setfacl -m 'xxx' dir
             # ("a /var/lib/groupshare/${user} - - - - "

modules/services/postgresql.nix

@@ -71,6 +71,7 @@ inputs:
             in
             # set user password
             "$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
+            # TODO: still needed in 23.11?
             # set db owner
               + "\n"
               + "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"

secrets/nas.yaml

@@ -9,6 +9,10 @@ users:
     zem: ENC[AES256_GCM,data:VCVLfGO9a06XhAOBciFf1u7A5jaQikAt2wZf+dCAi1BglXpM6Hof1yAunadYOwLOBFgGlP19kX53CBBlZtaqZFL2GRDzXP0woQ==,iv:AFYtHCCkzNrllN/fjQ8GKYs2TyV3uj3BsU5n1tBQAmM=,tag:5dP7c5N4yG2NS4T+Vg0Zpg==,type:str]
     yjq: ENC[AES256_GCM,data:yn6eGrySCxlRsFioaE2p1qlTHkIGC9l64+edjuDvt232xc+iFeD03EYfuulyr0GxYFwnlAwtaJnyMi5eOrSd1W6HeV3Canzdbw==,iv:qTc6vA8uQza8CB+BvffEN9GqHkiwNM4h9RkqQR14ylk=,tag:UZ2GYCJLjcWLuVXlscLviw==,type:str]
     yxy: ENC[AES256_GCM,data:71vjvwr29lfPCarnblpbW3WVyJK8EMV+cR4prc4AM3r0PG4z88P6i0IrzSy8XwkVPrEasfYXxn+vDbzXyi7kIWaWXrkjcyGTxg==,iv:LfkinvbIhchvgfgixIY8Wg6esrc+TOS4YWqRTJ0qfvw=,tag:mLPw6z8DOPrHsRpUHn3/gw==,type:str]
+frp:
+    token: ENC[AES256_GCM,data:zYRZoWa3Llv0NiPXtSfhWUn+wt4uIcw8Wa+QBTzn7gLk6UVIA4FD7FLABBKoFbwg62Fo79Nn,iv:YZdOYkJf6BN76Z68nCtetKElJkqKiYmcx6UmLoIXSdo=,tag:5sC2vt3Z21KhgOU9mrfXhg==,type:str]
+    stcp:
+        hpc: ENC[AES256_GCM,data:lkpM4nzt8ymQ+5eV,iv:LvSShCSN8w0VsJYjICG9NWCMiw7NSPpoSZ+I2t7uILs=,tag:LLry5z4KpPdnN75x8dANqg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -33,8 +37,8 @@ sops:
             by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
             kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-14T11:09:58Z"
-    mac: ENC[AES256_GCM,data:f6D4N+He7Zz0VA2FxUzTARfckidgVlDHE1hZrYW6jDf+v9ZK/c/JAj12zLNiCy9aG6rBz5K0jdWpnTsguMlTYCKUjLcD8MSW4KJErYmeVFLpfuiSBMr0+pcSVA9DpEmekaYl0GbnxrgQKrfEL0dthR6+9m5CsP/1bvEs34XcKGk=,iv:0YVxL5iVOvmFzThk7fua2Cqpty9lTX/tdKNii5gY/UA=,tag:d+NwYbpeDziniYXwQYVCdg==,type:str]
+    lastmodified: "2023-11-06T11:12:54Z"
+    mac: ENC[AES256_GCM,data:nMnf+BTle1lrYnd87KZVk+W6N5y/P8SusF1Day7lstNxffPzLwaL+r7D9Lklem5nKPVYPA++ZSNpn2xn39rv24uJDmiI0lbkp/5tFK67flGehJr5YFssHSdsqhTs728IvropKuO3ZgTONVT1J0GSfrJVXNtIMsNgBCGceZ7ZHpM=,iv:2dCzL+do61xX57Do+Bw8gBWgdLgY6gIENdjqosOSGg0=,tag:K+fq9OvNDgwKrlo3InlHpg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3