
nixos/frp: init

authored by

zaldnoay and committed by
Lin Jian
6cd38e43 948e8754

+96
+2
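--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -16,6 +16,8 @@
 
 - [acme-dns](https://github.com/joohoi/acme-dns), a limited DNS server to handle ACME DNS challenges easily and securely. Available as [services.acme-dns](#opt-services.acme-dns.enable).
 
+- [frp](https://github.com/fatedier/frp), a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. Available as [services.frp](#opt-services.frp.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 - [river](https://github.com/riverwm/river), A dynamic tiling wayland compositor. Available as [programs.river](#opt-programs.river.enable).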
+1
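--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -899,6 +899,7 @@
   ./services/networking/flannel.nix
   ./services/networking/freenet.nix
   ./services/networking/freeradius.nix
+  ./services/networking/frp.nix
   ./services/networking/frr.nix
   ./services/networking/gateone.nix
   ./services/networking/gdomap.nix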
+93
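--- /dev/null
+++ b/nixos/modules/services/networking/frp.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.frp;
+  settingsFormat = pkgs.formats.ini { };
+  configFile = settingsFormat.generate "frp.ini" cfg.settings;
+  isClient = (cfg.role == "client");
+  isServer = (cfg.role == "server");
+in
+{
+  options = {
+    services.frp = {
+      enable = mkEnableOption (mdDoc "frp");
+
+      package = mkPackageOptionMD pkgs "frp" { };
+
+      role = mkOption {
+        type = types.enum [ "server" "client" ];
+        description = mdDoc ''
+          The frp consists of `client` and `server`. The server is usually
+          deployed on the machine with a public IP address, and
+          the client is usually deployed on the machine
+          where the Intranet service to be penetrated resides.
+        '';
+      };
+
+      settings = mkOption {
+        type = settingsFormat.type;
+        default = { };
+        description = mdDoc ''
+          Frp configuration, for configuration options
+          see the example of [client](https://github.com/fatedier/frp/blob/dev/conf/frpc_full.ini)
+          or [server](https://github.com/fatedier/frp/blob/dev/conf/frps_full.ini) on github.
+        '';
+        example = literalExpression ''
+          {
+            common = {
+              server_addr = "x.x.x.x";
+              server_port = 7000;
+            };
+          }
+        '';
+      };
+    };
+  };
+
+  config =
+    let
+      serviceCapability = optionals isServer [ "CAP_NET_BIND_SERVICE" ];
+      executableFile = if isClient then "frpc" else "frps";
+    in
+    mkIf cfg.enable {
+      systemd.services = {
+        frp = {
+          wants = optionals isClient [ "network-online.target" ];
+          after = if isClient then [ "network-online.target" ] else [ "network.target" ];
+          wantedBy = [ "multi-user.target" ];
+          description = "A fast reverse proxy frp ${cfg.role}";
+          serviceConfig = {
+            Type = "simple";
+            Restart = "on-failure";
+            RestartSec = 15;
+            ExecStart = "${cfg.package}/bin/${executableFile} -c ${configFile}";
+            StateDirectoryMode = optionalString isServer "0700";
+            DynamicUser = true;
+            # Hardening
+            UMask = optionalString isServer "0007";
+            CapabilityBoundingSet = serviceCapability;
+            AmbientCapabilities = serviceCapability;
+            PrivateDevices = true;
+            ProtectHostname = true;
+            ProtectClock = true;
+            ProtectKernelTunables = true;
+            ProtectKernelModules = true;
+            ProtectKernelLogs = true;
+            ProtectControlGroups = true;
+            RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ] ++ optionals isClient [ "AF_UNIX" ];
+            LockPersonality = true;
+            MemoryDenyWriteExecute = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            PrivateMounts = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [ "@system-service" ];
+          };
+        };
+      };
+    };
+
+  meta.maintainers = with maintainers; [ zaldnoay ];
+}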
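Review bot: `StateDirectoryMode = optionalString isServer "0700"` (line 66) sets the mode of a directory that is never declared — there is no `StateDirectory =` anywhere in this `serviceConfig`, so the line has no effect on either role; either add `StateDirectory = "frp";` next to it or drop the mode setting. Separately, `configFile` comes from `settingsFormat.generate` (line 8) and is passed on the `ExecStart` line, so it lives in the world-readable Nix store and any `token`/`auth`-style values a user puts into `settings` are exposed to every local account; the `settings` description should state this, e.g. `Note: this file is written to the Nix store and is world-readable; keep secrets out of it`, and since the unit already runs with `DynamicUser = true`, a `LoadCredential`-based way to supply the token would be the natural complement. On the client role `serviceCapability` evaluates to `[ ]`, which I believe emits no `CapabilityBoundingSet=` line at all rather than an empty set; `CapabilityBoundingSet = ""` on that role would make the intended full drop explicit.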