陈浩南 2023-08-07 21:16:49 +08:00
parent 6075bef406
commit f0be22d66a
4 changed files with 189 additions and 2 deletions


@ -224,6 +224,18 @@
enable = true;
certs = [ "debug.mirism.one" ];
};
frpClient =
{
enable = true;
serverName = "frp.chn.moe";
user = "pc";
tcp.store =
{
localIp = "127.0.0.1";
localPort = 5000;
remotePort = 5000;
};
};
};
bugs =
[
@ -292,6 +304,7 @@
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
sshd.enable = true;
frpServer = { enable = true; serverName = "frp.chn.moe"; };
};
boot =
{
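Review bot: The `tcp.store` entry in the first hunk publishes whatever listens on 127.0.0.1:5000 as remote port 5000 on frp.chn.moe, and a plain frp `tcp` proxy adds no authentication of its own, so a service that was loopback-only becomes reachable by anyone who can reach that port on the server. The service itself is not visible in this hunk; if it relies on being bound to localhost for access control, it needs its own authentication, or the server firewall should limit who may connect to port 5000. At minimum I would record the exposure next to the entry, e.g. `# published on frp.chn.moe:5000; the local service must authenticate clients itself`.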


@ -53,6 +53,30 @@ inputs:
enable = mkOption { type = types.bool; default = false; };
certs = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};
frpClient =
{
enable = mkOption { type = types.bool; default = false; };
serverName = mkOption { type = types.nonEmptyStr; };
user = mkOption { type = types.nonEmptyStr; };
tcp = mkOption
{
type = types.attrsOf (types.submodule
{
options =
{
localIp = mkOption { type = types.nonEmptyStr; };
localPort = mkOption { type = types.ints.unsigned; };
remotePort = mkOption { type = types.ints.unsigned; };
};
});
default = {};
};
};
frpServer =
{
enable = mkOption { type = types.bool; default = false; };
serverName = mkOption { type = types.nonEmptyStr; };
};
};
config =
let
@ -404,5 +428,120 @@ inputs:
sops.secrets."acme/cloudflare.ini" = {};
}
)
(
mkIf (services.frpClient.enable)
{
systemd.services.frpc =
let
frpc = "${inputs.pkgs.frp}/bin/frpc";
config = inputs.config.sops.templates."frpc.ini";
in
{
description = "Frp Client Service";
after = [ "network.target" ];
serviceConfig =
{
Type = "simple";
User = "frp";
Restart = "on-failure";
RestartSec = "5s";
ExecStart = "${frpc} -c ${config.path}";
LimitNOFILE = 1048576;
};
wantedBy= [ "multi-user.target" ];
restartTriggers = [ config.file ];
};
sops =
{
templates."frpc.ini" =
{
mode = "0440";
owner = "frp";
group = "frp";
content = inputs.lib.generators.toINI {}
(
{
common =
{
server_addr = services.frpClient.serverName;
server_port = 7000;
token = inputs.config.sops.placeholder."frp/token";
user = services.frpClient.user;
tls_enable = true;
};
}
// (listToAttrs (map
(tcp:
{
name = tcp.name;
value =
{
type = "tcp";
local_ip = tcp.value.localIp;
local_port = tcp.value.localPort;
remote_port = tcp.value.remotePort;
use_compression = true;
};
})
(attrsToList services.frpClient.tcp))
)
);
};
secrets."frp/token" = {};
};
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
}
)
(
mkIf (services.frpServer.enable)
{
systemd.services.frps =
let
frps = "${inputs.pkgs.frp}/bin/frps";
config = inputs.config.sops.templates."frps.ini";
in
{
description = "Frp Server Service";
after = [ "network.target" ];
serviceConfig =
{
Type = "simple";
User = "frp";
Restart = "on-failure";
RestartSec = "5s";
ExecStart = "${frps} -c ${config.path}";
LimitNOFILE = 1048576;
};
wantedBy= [ "multi-user.target" ];
restartTriggers = [ config.file ];
};
sops =
{
templates."frps.ini" =
{
mode = "0440";
owner = "frp";
group = "frp";
content = inputs.lib.generators.toINI {}
{
common = let cert = inputs.config.security.acme.certs.${services.frpServer.serverName}.directory; in
{
bind_port = 7000;
bind_udp_port = 7000;
token = inputs.config.sops.placeholder."frp/token";
tls_cert_file = "${cert}/fullchain.pem";
tls_key_file = "${cert}/privkey.pem";
tls_only = true;
user_conn_timeout = 30;
};
};
};
secrets."frp/token" = {};
};
nixos.services.acme = { enable = true; certs = [ services.frpServer.serverName ]; };
security.acme.certs.${services.frpServer.serverName}.group = "frp";
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
}
)
];
}
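Review bot: In the `frpc.ini` template, `tls_enable = true` is set without `tls_trusted_ca_file` or `tls_server_name`, and as far as I know frpc then encrypts the connection but does not verify the server certificate, so the ACME certificate wired into `frps.ini` does not protect the client against an on-path impersonator. Consider adding `tls_trusted_ca_file = "/etc/ssl/certs/ca-certificates.crt";` and `tls_server_name = services.frpClient.serverName;` to `common`, after confirming the behaviour against the frp version shipped in nixpkgs. On the server side, `frps.ini` sets no `allow_ports`, so any holder of the shared `frp/token` can ask frps to bind any port the `frp` user is allowed to open; an `allow_ports` entry limited to the ports actually used would narrow that. The `localPort` and `remotePort` options could also use `types.port` instead of `types.ints.unsigned`, so out-of-range values fail at evaluation time.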


@ -4,6 +4,8 @@ xray-client:
serverName: ENC[AES256_GCM,data:2kXUR/DWn9Sd97YMqsjH+k6sKT8klw==,iv:6SbPM5cIoKfCqPd4CnFnXSRTPjsozP/Fpd0BgAA0dBk=,tag:tSJf1XED45xkkCxkoq81pw==,type:str]
acme:
cloudflare.ini: ENC[AES256_GCM,data:hPNpTclYvRbcbFO6aR9PNyHt3kDUmjeUgg4NPsr+c/yxKPundoiziNYBRfF7/axlw8Hu32jf/cDlcWaEmqCBQJY=,iv:bdGCD/a6AnGQhiFNyZ+fD1f/rILsEcPXC2qRDsAO4n8=,tag:MLZak9uSqsg/0Ldx2Wgb6A==,type:str]
frp:
token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
sops:
kms: []
gcp_kms: []
@ -28,8 +30,8 @@ sops:
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-04T12:21:05Z"
mac: ENC[AES256_GCM,data:TXezPNpHqF8LTD0ijpYG3nDwVmH1Eg/m9u8mh4lqlmjq1fJdHVkzCzfgMHVE8lThAVUzOGGDxFgCJ5+o5wwIrHxhHHo6uRoJC90jypTeHZ3z1h9SzvZ/dihLnt0xzd7dxbhQ6JvzBGB7n87sL/dK1xdFWBn1yQuC4PI/L+ZHegY=,iv:mIMDJPMU+WSmCUzHxMj2R/8mAR7HyaeO/y0Or1byBaI=,tag:Lcvmdr2MeypOpLcLZjemcw==,type:str]
lastmodified: "2023-08-07T13:09:31Z"
mac: ENC[AES256_GCM,data:+YOY3O1RBzOtSR6m7ZpTht5Wx0G7PLJShMRnTsFIiRAMN41oo4nVTkg4Skh9NbyXIdRPIMoPwXst4AKJIvUegD+yUGZWtCvdEm9uprJS+eozvQKsKF7HlTXuaWX4IZpISHMSy5id8gmYKfZkKIMgNZpx67Zdc+vsMcC0zqYPat8=,iv:BaxHyb74KaC6Lb8H0lXsq1KmS9AST+DL74zfJvGHw1A=,tag:Wj0HjpgoXQIzkBhXd8dCsw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -0,0 +1,33 @@
acme:
cloudflare.ini: ENC[AES256_GCM,data:X1v1QuOZemIuxldd1bzIvbUsq+8HMGLh91zUB+fnrxaW40z0OQh9L1rF/0Nj3gmUmgT4KEV7nkHFYYpZBp4/Kyc=,iv:fQmbhx9wV3l+DVPaBrAyJbTCsS3q3s5F9Go1F7pZ2pQ=,tag:P4vuruX460YSOUsx6zGHXQ==,type:str]
frp:
token: ENC[AES256_GCM,data:T8b1ku4HNCNSJ+33QgIt1GILFA4wTu3Qd0rDqHPVgdqsGo0R90k0u8z+dElSO7q9PapTqUbZ,iv:hwnMu6JxfYLgw4TyhujX5dI2IAytgZh+Bexhgta6ATQ=,tag:lqgwvXlS/jGPxasmk5Vh3w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QXc4NzREZHlhMDV2WXlM
a2I4d1pjWm9Xd2gzUDUwZ1ZSTkFGR1ZQNDJzCmJwcWFxRWNNVGxTNno2b1NxNktO
aHhINXBjdmE3alFGYk9kUHZ1UzdJUk0KLS0tIFdKMDlvb1Z2Qi8xRjl0MXpKMDMz
cVVNdDRDNmtHZlJEcVRXR1FLVkZrMWcKn2iTHH7/52fJNXcbDFbzOxNAaiQRA0nO
we74EeNzcaaQwuEmBQPKxd/g7/kjhnHzTkoX3OneXMd/gBZMn2knXw==
-----END AGE ENCRYPTED FILE-----
- recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEw1bXA4QUZkUzJ0Z3pM
Z0xHam5SLzRGV21XYUtxTFh1VnhQUk1NbzAwCkU1Z3VTR1FtZ05GOWNDOENlZTgz
SitzYXo2Q2VEaGtLTGE2UGRoUDkxN28KLS0tIHhRS2Y1cnQreC9Fc2FLdGR1ZXdJ
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-07T13:16:17Z"
mac: ENC[AES256_GCM,data:7e8voN3mIeqg7Rhxy1zbkvoLRx3d2t/PBnEGiBJT/xFtqrZBrQyvYOWII5gHuaEAuhQPR5wmFolJjUOm3fXzt/3GCYszLBcchr6m8yZOhO4BMR7977sfwggJ2WdoEV3uDZyAdp1H2vgbQXLhWyjmfrMoHRDPkJ6iQk4p3wKXACU=,iv:1qBcuZQ1Skr3Zw2H8PMj78EMqhxoSS9+1Fi5kzucYGI=,tag:xWPippyUMH2bbhrITQK3xg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3