diff --git a/flake.nix b/flake.nix
index 6d2d2c63..7fc3b583 100644
--- a/flake.nix
+++ b/flake.nix
@@ -224,6 +224,18 @@
  enable = true;
  certs = [ "debug.mirism.one" ];
  };
+ frpClient =
+ {
+ enable = true;
+ serverName = "frp.chn.moe";
+ user = "pc";
+ tcp.store =
+ {
+ localIp = "127.0.0.1";
+ localPort = 5000;
+ remotePort = 5000;
+ };
+ };
  };
  bugs =
  [
@@ -292,6 +304,7 @@
  snapper = { enable = true; configs.persistent = "/nix/persistent"; };
  sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
  sshd.enable = true;
+ frpServer = { enable = true; serverName = "frp.chn.moe"; };
  };
  boot =
  {
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 79a8f178..9b204d66 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -53,6 +53,30 @@ inputs:
  enable = mkOption { type = types.bool; default = false; };
  certs = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
  };
+ frpClient =
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ serverName = mkOption { type = types.nonEmptyStr; };
+ user = mkOption { type = types.nonEmptyStr; };
+ tcp = mkOption
+ {
+ type = types.attrsOf (types.submodule
+ {
+ options =
+ {
+ localIp = mkOption { type = types.nonEmptyStr; };
+ localPort = mkOption { type = types.ints.unsigned; };
+ remotePort = mkOption { type = types.ints.unsigned; };
+ };
+ });
+ default = {};
+ };
+ };
+ frpServer =
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ serverName = mkOption { type = types.nonEmptyStr; };
+ };
  };
  config =
  let
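Review bot: `localPort` and `remotePort` in the new `tcp` submodule are typed `types.ints.unsigned`, which accepts 0 and any value above 65535, so an out-of-range port is only discovered when frpc fails at runtime; `types.port` is the NixOS type for this: `localPort = mkOption { type = types.port; };` and `remotePort = mkOption { type = types.port; };`. None of the new `frpClient`/`frpServer` options carry a `description`, so they stay invisible in generated option documentation; a one-liner each, e.g. `description = "Address of the frps server to connect to.";` on `serverName`, would help. The two flake.nix hunks on this line only enable the module on the two hosts and need no change. The enclosing `options` set in default.nix starts outside the hunk.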
@@ -404,5 +428,120 @@ inputs:
  sops.secrets."acme/cloudflare.ini" = {};
  }
  )
+ (
+ mkIf (services.frpClient.enable)
+ {
+ systemd.services.frpc =
+ let
+ frpc = "${inputs.pkgs.frp}/bin/frpc";
+ config = inputs.config.sops.templates."frpc.ini";
+ in
+ {
+ description = "Frp Client Service";
+ after = [ "network.target" ];
+ serviceConfig =
+ {
+ Type = "simple";
+ User = "frp";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ ExecStart = "${frpc} -c ${config.path}";
+ LimitNOFILE = 1048576;
+ };
+ wantedBy= [ "multi-user.target" ];
+ restartTriggers = [ config.file ];
+ };
+ sops =
+ {
+ templates."frpc.ini" =
+ {
+ mode = "0440";
+ owner = "frp";
+ group = "frp";
+ content = inputs.lib.generators.toINI {}
+ (
+ {
+ common =
+ {
+ server_addr = services.frpClient.serverName;
+ server_port = 7000;
+ token = inputs.config.sops.placeholder."frp/token";
+ user = services.frpClient.user;
+ tls_enable = true;
+ };
+ }
+ // (listToAttrs (map
+ (tcp:
+ {
+ name = tcp.name;
+ value =
+ {
+ type = "tcp";
+ local_ip = tcp.value.localIp;
+ local_port = tcp.value.localPort;
+ remote_port = tcp.value.remotePort;
+ use_compression = true;
+ };
+ })
+ (attrsToList services.frpClient.tcp))
+ )
+ );
+ };
+ secrets."frp/token" = {};
+ };
+ users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
+ }
+ )
+ (
+ mkIf (services.frpServer.enable)
+ {
+ systemd.services.frps =
+ let
+ frps = "${inputs.pkgs.frp}/bin/frps";
+ config = inputs.config.sops.templates."frps.ini";
+ in
+ {
+ description = "Frp Server Service";
+ after = [ "network.target" ];
+ serviceConfig =
+ {
+ Type = "simple";
+ User = "frp";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ ExecStart = "${frps} -c ${config.path}";
+ LimitNOFILE = 1048576;
+ };
+ wantedBy= [ "multi-user.target" ];
+ restartTriggers = [ config.file ];
+ };
+ sops =
+ {
+ templates."frps.ini" =
+ {
+ mode = "0440";
+ owner = "frp";
+ group = "frp";
+ content = inputs.lib.generators.toINI {}
+ {
+ common = let cert = inputs.config.security.acme.certs.${services.frpServer.serverName}.directory; in
+ {
+ bind_port = 7000;
+ bind_udp_port = 7000;
+ token = inputs.config.sops.placeholder."frp/token";
+ tls_cert_file = "${cert}/fullchain.pem";
+ tls_key_file = "${cert}/privkey.pem";
+ tls_only = true;
+ user_conn_timeout = 30;
+ };
+ };
+ };
+ secrets."frp/token" = {};
+ };
+ nixos.services.acme = { enable = true; certs = [ services.frpServer.serverName ]; };
+ security.acme.certs.${services.frpServer.serverName}.group = "frp";
+ users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
+ }
+ )
  ];
  }
diff --git a/secrets/chn-PC.yaml b/secrets/chn-PC.yaml
index 9c11c4ce..3525e8a9 100644
--- a/secrets/chn-PC.yaml
+++ b/secrets/chn-PC.yaml
@@ -4,6 +4,8 @@ xray-client:
  serverName: ENC[AES256_GCM,data:2kXUR/DWn9Sd97YMqsjH+k6sKT8klw==,iv:6SbPM5cIoKfCqPd4CnFnXSRTPjsozP/Fpd0BgAA0dBk=,tag:tSJf1XED45xkkCxkoq81pw==,type:str]
 acme:
  cloudflare.ini: ENC[AES256_GCM,data:hPNpTclYvRbcbFO6aR9PNyHt3kDUmjeUgg4NPsr+c/yxKPundoiziNYBRfF7/axlw8Hu32jf/cDlcWaEmqCBQJY=,iv:bdGCD/a6AnGQhiFNyZ+fD1f/rILsEcPXC2qRDsAO4n8=,tag:MLZak9uSqsg/0Ldx2Wgb6A==,type:str]
+frp:
+ token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
 sops:
  kms: []
  gcp_kms: []
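Review bot: The frpc `common` section sets `tls_enable = true;` but no `tls_trusted_ca_file`, and frpc does not verify the frps certificate unless a CA file is given, so the client encrypts the session without authenticating the server; anyone able to steer traffic for the configured `serverName` can stand in for frps during the token handshake and for the tunnelled `store` traffic. Since frps serves an ACME-issued certificate, the public bundle is enough: add `tls_trusted_ca_file = "${inputs.pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";` next to `tls_enable = true;` (`server_addr` is already the hostname the certificate covers). On the frps side the config has no `allow_ports`, so any holder of the shared `frp/token` may bind any `remote_port` on the VPS; listing the ports actually used would bound the damage of a leaked token. The `mkMerge` list these two `mkIf` entries are appended to starts outside the hunk.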
@@ -28,8 +30,8 @@ sops:
  OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
  +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
  -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-08-04T12:21:05Z"
- mac: ENC[AES256_GCM,data:TXezPNpHqF8LTD0ijpYG3nDwVmH1Eg/m9u8mh4lqlmjq1fJdHVkzCzfgMHVE8lThAVUzOGGDxFgCJ5+o5wwIrHxhHHo6uRoJC90jypTeHZ3z1h9SzvZ/dihLnt0xzd7dxbhQ6JvzBGB7n87sL/dK1xdFWBn1yQuC4PI/L+ZHegY=,iv:mIMDJPMU+WSmCUzHxMj2R/8mAR7HyaeO/y0Or1byBaI=,tag:Lcvmdr2MeypOpLcLZjemcw==,type:str]
+ lastmodified: "2023-08-07T13:09:31Z"
+ mac: ENC[AES256_GCM,data:+YOY3O1RBzOtSR6m7ZpTht5Wx0G7PLJShMRnTsFIiRAMN41oo4nVTkg4Skh9NbyXIdRPIMoPwXst4AKJIvUegD+yUGZWtCvdEm9uprJS+eozvQKsKF7HlTXuaWX4IZpISHMSy5id8gmYKfZkKIMgNZpx67Zdc+vsMcC0zqYPat8=,iv:BaxHyb74KaC6Lb8H0lXsq1KmS9AST+DL74zfJvGHw1A=,tag:Wj0HjpgoXQIzkBhXd8dCsw==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.7.3
diff --git a/secrets/vps6.yaml b/secrets/vps6.yaml
index e69de29b..8b58b0ba 100644
--- a/secrets/vps6.yaml
+++ b/secrets/vps6.yaml
@@ -0,0 +1,33 @@
+acme:
+ cloudflare.ini: ENC[AES256_GCM,data:X1v1QuOZemIuxldd1bzIvbUsq+8HMGLh91zUB+fnrxaW40z0OQh9L1rF/0Nj3gmUmgT4KEV7nkHFYYpZBp4/Kyc=,iv:fQmbhx9wV3l+DVPaBrAyJbTCsS3q3s5F9Go1F7pZ2pQ=,tag:P4vuruX460YSOUsx6zGHXQ==,type:str]
+frp:
+ token: ENC[AES256_GCM,data:T8b1ku4HNCNSJ+33QgIt1GILFA4wTu3Qd0rDqHPVgdqsGo0R90k0u8z+dElSO7q9PapTqUbZ,iv:hwnMu6JxfYLgw4TyhujX5dI2IAytgZh+Bexhgta6ATQ=,tag:lqgwvXlS/jGPxasmk5Vh3w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QXc4NzREZHlhMDV2WXlM
+ a2I4d1pjWm9Xd2gzUDUwZ1ZSTkFGR1ZQNDJzCmJwcWFxRWNNVGxTNno2b1NxNktO
+ aHhINXBjdmE3alFGYk9kUHZ1UzdJUk0KLS0tIFdKMDlvb1Z2Qi8xRjl0MXpKMDMz
+ cVVNdDRDNmtHZlJEcVRXR1FLVkZrMWcKn2iTHH7/52fJNXcbDFbzOxNAaiQRA0nO
+ we74EeNzcaaQwuEmBQPKxd/g7/kjhnHzTkoX3OneXMd/gBZMn2knXw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEw1bXA4QUZkUzJ0Z3pM
+ Z0xHam5SLzRGV21XYUtxTFh1VnhQUk1NbzAwCkU1Z3VTR1FtZ05GOWNDOENlZTgz
+ SitzYXo2Q2VEaGtLTGE2UGRoUDkxN28KLS0tIHhRS2Y1cnQreC9Fc2FLdGR1ZXdJ
+ ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
+ ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-08-07T13:16:17Z"
+ mac: ENC[AES256_GCM,data:7e8voN3mIeqg7Rhxy1zbkvoLRx3d2t/PBnEGiBJT/xFtqrZBrQyvYOWII5gHuaEAuhQPR5wmFolJjUOm3fXzt/3GCYszLBcchr6m8yZOhO4BMR7977sfwggJ2WdoEV3uDZyAdp1H2vgbQXLhWyjmfrMoHRDPkJ6iQk4p3wKXACU=,iv:1qBcuZQ1Skr3Zw2H8PMj78EMqhxoSS9+1Fi5kzucYGI=,tag:xWPippyUMH2bbhrITQK3xg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3