dunkirk.sh
Kieran's opinionated (and probably slightly dumb) nix config
bore (server)#
Lightweight tunneling server built on frp. Supports HTTP (wildcard subdomains), TCP, and UDP tunnels with optional OAuth authentication via Indiko.
Domain: bore.dunkirk.sh · frp port: 7000
This is a custom module — it does not use mkService.
Options#
| Option | Type | Default | Description |
|---|---|---|---|
enable |
bool | false |
Enable bore server |
domain |
string | — | Base domain for wildcard subdomains |
bindAddr |
string | "0.0.0.0" |
frps bind address |
bindPort |
port | 7000 |
frps bind port |
vhostHTTPPort |
port | 7080 |
Virtual host HTTP port |
allowedTCPPorts |
list of ports | 20000–20099 |
Ports available for TCP tunnels |
allowedUDPPorts |
list of ports | 20000–20099 |
Ports available for UDP tunnels |
authToken |
string or null | null |
frp auth token (use authTokenFile instead) |
authTokenFile |
path or null | null |
Path to file containing frp auth token |
enableCaddy |
bool | true |
Auto-configure Caddy wildcard vhost |
Authentication#
When enabled, all HTTP tunnels are gated behind Indiko OAuth. Users must sign in before accessing tunneled services.
| Option | Type | Default | Description |
|---|---|---|---|
auth.enable |
bool | false |
Enable bore-auth OAuth middleware |
auth.indikoURL |
string | "https://indiko.dunkirk.sh" |
Indiko server URL |
auth.clientID |
string | — | OAuth client ID from Indiko |
auth.clientSecretFile |
path | — | Path to OAuth client secret |
auth.cookieHashKeyFile |
path | — | 32-byte cookie signing key |
auth.cookieBlockKeyFile |
path | — | 32-byte cookie encryption key |
After authentication, these headers are passed to tunneled services:
X-Auth-User— user's profile URLX-Auth-Name— display nameX-Auth-Email— email address
See bore (client) for the home-manager client module.