add frp
parent
6075bef406
commit
f0be22d66a
13
flake.nix
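--- a/flake.nix
+++ b/flake.nix
@@ -224,6 +224,18 @@
 enable = true;
 certs = [ "debug.mirism.one" ];
 };
+frpClient =
+{
+enable = true;
+serverName = "frp.chn.moe";
+user = "pc";
+tcp.store =
+{
+localIp = "127.0.0.1";
+localPort = 5000;
+remotePort = 5000;
+};
+};
 };
 bugs =
 [
@@ -292,6 +304,7 @@
 snapper = { enable = true; configs.persistent = "/nix/persistent"; };
 sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 sshd.enable = true;
+frpServer = { enable = true; serverName = "frp.chn.moe"; };
 };
 boot =
 {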
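Review bot: The `tcp.store` entry publishes a service that listens only on `127.0.0.1:5000` through `remotePort = 5000` on `frp.chn.moe`, and nothing in the hunk says what that service is or how it authenticates. A loopback-bound service is often written on the assumption that only local users reach it, so once tunnelled it depends entirely on its own access control and on who can reach port 5000 on the server. I would add a comment above the entry, e.g. `# store: <service name>, has its own auth; intentionally reachable via frp.chn.moe:5000`. The enclosing attribute set starts and ends outside the hunk.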
|
@ -53,6 +53,30 @@ inputs:
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
certs = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
};
|
||||
frpClient =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
serverName = mkOption { type = types.nonEmptyStr; };
|
||||
user = mkOption { type = types.nonEmptyStr; };
|
||||
tcp = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule
|
||||
{
|
||||
options =
|
||||
{
|
||||
localIp = mkOption { type = types.nonEmptyStr; };
|
||||
localPort = mkOption { type = types.ints.unsigned; };
|
||||
remotePort = mkOption { type = types.ints.unsigned; };
|
||||
};
|
||||
});
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
frpServer =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
serverName = mkOption { type = types.nonEmptyStr; };
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
@ -404,5 +428,120 @@ inputs:
|
||||
sops.secrets."acme/cloudflare.ini" = {};
|
||||
}
|
||||
)
|
||||
(
|
||||
mkIf (services.frpClient.enable)
|
||||
{
|
||||
systemd.services.frpc =
|
||||
let
|
||||
frpc = "${inputs.pkgs.frp}/bin/frpc";
|
||||
config = inputs.config.sops.templates."frpc.ini";
|
||||
in
|
||||
{
|
||||
description = "Frp Client Service";
|
||||
after = [ "network.target" ];
|
||||
serviceConfig =
|
||||
{
|
||||
Type = "simple";
|
||||
User = "frp";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "5s";
|
||||
ExecStart = "${frpc} -c ${config.path}";
|
||||
LimitNOFILE = 1048576;
|
||||
};
|
||||
wantedBy= [ "multi-user.target" ];
|
||||
restartTriggers = [ config.file ];
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates."frpc.ini" =
|
||||
{
|
||||
mode = "0440";
|
||||
owner = "frp";
|
||||
group = "frp";
|
||||
content = inputs.lib.generators.toINI {}
|
||||
(
|
||||
{
|
||||
common =
|
||||
{
|
||||
server_addr = services.frpClient.serverName;
|
||||
server_port = 7000;
|
||||
token = inputs.config.sops.placeholder."frp/token";
|
||||
user = services.frpClient.user;
|
||||
tls_enable = true;
|
||||
};
|
||||
}
|
||||
// (listToAttrs (map
|
||||
(tcp:
|
||||
{
|
||||
name = tcp.name;
|
||||
value =
|
||||
{
|
||||
type = "tcp";
|
||||
local_ip = tcp.value.localIp;
|
||||
local_port = tcp.value.localPort;
|
||||
remote_port = tcp.value.remotePort;
|
||||
use_compression = true;
|
||||
};
|
||||
})
|
||||
(attrsToList services.frpClient.tcp))
|
||||
)
|
||||
);
|
||||
};
|
||||
secrets."frp/token" = {};
|
||||
};
|
||||
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
|
||||
}
|
||||
)
|
||||
(
|
||||
mkIf (services.frpServer.enable)
|
||||
{
|
||||
systemd.services.frps =
|
||||
let
|
||||
frps = "${inputs.pkgs.frp}/bin/frps";
|
||||
config = inputs.config.sops.templates."frps.ini";
|
||||
in
|
||||
{
|
||||
description = "Frp Server Service";
|
||||
after = [ "network.target" ];
|
||||
serviceConfig =
|
||||
{
|
||||
Type = "simple";
|
||||
User = "frp";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "5s";
|
||||
ExecStart = "${frps} -c ${config.path}";
|
||||
LimitNOFILE = 1048576;
|
||||
};
|
||||
wantedBy= [ "multi-user.target" ];
|
||||
restartTriggers = [ config.file ];
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates."frps.ini" =
|
||||
{
|
||||
mode = "0440";
|
||||
owner = "frp";
|
||||
group = "frp";
|
||||
content = inputs.lib.generators.toINI {}
|
||||
{
|
||||
common = let cert = inputs.config.security.acme.certs.${services.frpServer.serverName}.directory; in
|
||||
{
|
||||
bind_port = 7000;
|
||||
bind_udp_port = 7000;
|
||||
token = inputs.config.sops.placeholder."frp/token";
|
||||
tls_cert_file = "${cert}/fullchain.pem";
|
||||
tls_key_file = "${cert}/privkey.pem";
|
||||
tls_only = true;
|
||||
user_conn_timeout = 30;
|
||||
};
|
||||
};
|
||||
};
|
||||
secrets."frp/token" = {};
|
||||
};
|
||||
nixos.services.acme = { enable = true; certs = [ services.frpServer.serverName ]; };
|
||||
security.acme.certs.${services.frpServer.serverName}.group = "frp";
|
||||
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
|
||||
}
|
||||
)
|
||||
];
|
||||
}
|
||||
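Review bot: In the `frpc.ini` template's `common` block, `tls_enable = true` is set without `tls_trusted_ca_file`, and as far as I know frpc does not verify the server certificate in that case, so the ACME certificate configured for frps would not actually authenticate the server to the client. Consider adding `tls_trusted_ca_file = "/etc/ssl/certs/ca-certificates.crt";` (and `tls_server_name = services.frpClient.serverName;` if the address and certificate name can differ), after confirming both keys against the frp version packaged here. On the server side the `frps.ini` `common` block sets no `allow_ports`, so any holder of the shared `frp/token` can presumably bind any remote port; restricting it to the ports actually in use would narrow that. Separately, `localPort` and `remotePort` are declared as `types.ints.unsigned`, where `types.port` would reject values above 65535 at evaluation time.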
|
@ -4,6 +4,8 @@ xray-client:
|
||||
serverName: ENC[AES256_GCM,data:2kXUR/DWn9Sd97YMqsjH+k6sKT8klw==,iv:6SbPM5cIoKfCqPd4CnFnXSRTPjsozP/Fpd0BgAA0dBk=,tag:tSJf1XED45xkkCxkoq81pw==,type:str]
|
||||
acme:
|
||||
cloudflare.ini: ENC[AES256_GCM,data:hPNpTclYvRbcbFO6aR9PNyHt3kDUmjeUgg4NPsr+c/yxKPundoiziNYBRfF7/axlw8Hu32jf/cDlcWaEmqCBQJY=,iv:bdGCD/a6AnGQhiFNyZ+fD1f/rILsEcPXC2qRDsAO4n8=,tag:MLZak9uSqsg/0Ldx2Wgb6A==,type:str]
|
||||
frp:
|
||||
token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -28,8 +30,8 @@ sops:
|
||||
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
|
||||
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-08-04T12:21:05Z"
|
||||
mac: ENC[AES256_GCM,data:TXezPNpHqF8LTD0ijpYG3nDwVmH1Eg/m9u8mh4lqlmjq1fJdHVkzCzfgMHVE8lThAVUzOGGDxFgCJ5+o5wwIrHxhHHo6uRoJC90jypTeHZ3z1h9SzvZ/dihLnt0xzd7dxbhQ6JvzBGB7n87sL/dK1xdFWBn1yQuC4PI/L+ZHegY=,iv:mIMDJPMU+WSmCUzHxMj2R/8mAR7HyaeO/y0Or1byBaI=,tag:Lcvmdr2MeypOpLcLZjemcw==,type:str]
|
||||
lastmodified: "2023-08-07T13:09:31Z"
|
||||
mac: ENC[AES256_GCM,data:+YOY3O1RBzOtSR6m7ZpTht5Wx0G7PLJShMRnTsFIiRAMN41oo4nVTkg4Skh9NbyXIdRPIMoPwXst4AKJIvUegD+yUGZWtCvdEm9uprJS+eozvQKsKF7HlTXuaWX4IZpISHMSy5id8gmYKfZkKIMgNZpx67Zdc+vsMcC0zqYPat8=,iv:BaxHyb74KaC6Lb8H0lXsq1KmS9AST+DL74zfJvGHw1A=,tag:Wj0HjpgoXQIzkBhXd8dCsw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
@ -0,0 +1,33 @@
|
||||
acme:
|
||||
cloudflare.ini: ENC[AES256_GCM,data:X1v1QuOZemIuxldd1bzIvbUsq+8HMGLh91zUB+fnrxaW40z0OQh9L1rF/0Nj3gmUmgT4KEV7nkHFYYpZBp4/Kyc=,iv:fQmbhx9wV3l+DVPaBrAyJbTCsS3q3s5F9Go1F7pZ2pQ=,tag:P4vuruX460YSOUsx6zGHXQ==,type:str]
|
||||
frp:
|
||||
token: ENC[AES256_GCM,data:T8b1ku4HNCNSJ+33QgIt1GILFA4wTu3Qd0rDqHPVgdqsGo0R90k0u8z+dElSO7q9PapTqUbZ,iv:hwnMu6JxfYLgw4TyhujX5dI2IAytgZh+Bexhgta6ATQ=,tag:lqgwvXlS/jGPxasmk5Vh3w==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QXc4NzREZHlhMDV2WXlM
|
||||
a2I4d1pjWm9Xd2gzUDUwZ1ZSTkFGR1ZQNDJzCmJwcWFxRWNNVGxTNno2b1NxNktO
|
||||
aHhINXBjdmE3alFGYk9kUHZ1UzdJUk0KLS0tIFdKMDlvb1Z2Qi8xRjl0MXpKMDMz
|
||||
cVVNdDRDNmtHZlJEcVRXR1FLVkZrMWcKn2iTHH7/52fJNXcbDFbzOxNAaiQRA0nO
|
||||
we74EeNzcaaQwuEmBQPKxd/g7/kjhnHzTkoX3OneXMd/gBZMn2knXw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEw1bXA4QUZkUzJ0Z3pM
|
||||
Z0xHam5SLzRGV21XYUtxTFh1VnhQUk1NbzAwCkU1Z3VTR1FtZ05GOWNDOENlZTgz
|
||||
SitzYXo2Q2VEaGtLTGE2UGRoUDkxN28KLS0tIHhRS2Y1cnQreC9Fc2FLdGR1ZXdJ
|
||||
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
|
||||
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-08-07T13:16:17Z"
|
||||
mac: ENC[AES256_GCM,data:7e8voN3mIeqg7Rhxy1zbkvoLRx3d2t/PBnEGiBJT/xFtqrZBrQyvYOWII5gHuaEAuhQPR5wmFolJjUOm3fXzt/3GCYszLBcchr6m8yZOhO4BMR7977sfwggJ2WdoEV3uDZyAdp1H2vgbQXLhWyjmfrMoHRDPkJ6iQk4p3wKXACU=,iv:1qBcuZQ1Skr3Zw2H8PMj78EMqhxoSS9+1Fi5kzucYGI=,tag:xWPippyUMH2bbhrITQK3xg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|