87 lines
3.0 KiB
Nix
87 lines
3.0 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.services.frp;
|
|
settingsFormat = pkgs.formats.toml { };
|
|
configFile = settingsFormat.generate "frp.toml" cfg.settings;
|
|
isClient = (cfg.role == "client");
|
|
isServer = (cfg.role == "server");
|
|
in
|
|
{
|
|
options = {
|
|
services.frp = {
|
|
enable = lib.mkEnableOption "frp";
|
|
|
|
package = lib.mkPackageOption pkgs "frp" { };
|
|
|
|
role = lib.mkOption {
|
|
type = lib.types.enum [ "server" "client" ];
|
|
description = ''
|
|
The frp consists of `client` and `server`. The server is usually
|
|
deployed on the machine with a public IP address, and
|
|
the client is usually deployed on the machine
|
|
where the Intranet service to be penetrated resides.
|
|
'';
|
|
};
|
|
|
|
settings = lib.mkOption {
|
|
type = settingsFormat.type;
|
|
default = { };
|
|
description = ''
|
|
Frp configuration, for configuration options
|
|
see the example of [client](https://github.com/fatedier/frp/blob/dev/conf/frpc_full_example.toml)
|
|
or [server](https://github.com/fatedier/frp/blob/dev/conf/frps_full_example.toml) on github.
|
|
'';
|
|
example = {
|
|
serverAddr = "x.x.x.x";
|
|
serverPort = 7000;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
config =
|
|
let
|
|
serviceCapability = lib.optionals isServer [ "CAP_NET_BIND_SERVICE" ];
|
|
executableFile = if isClient then "frpc" else "frps";
|
|
in
|
|
lib.mkIf cfg.enable {
|
|
systemd.services = {
|
|
frp = {
|
|
wants = lib.optionals isClient [ "network-online.target" ];
|
|
after = if isClient then [ "network-online.target" ] else [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
description = "A fast reverse proxy frp ${cfg.role}";
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
Restart = "on-failure";
|
|
RestartSec = 15;
|
|
ExecStart = "${cfg.package}/bin/${executableFile} --strict_config -c ${configFile}";
|
|
StateDirectoryMode = lib.optionalString isServer "0700";
|
|
DynamicUser = true;
|
|
# Hardening
|
|
UMask = lib.optionalString isServer "0007";
|
|
CapabilityBoundingSet = serviceCapability;
|
|
AmbientCapabilities = serviceCapability;
|
|
PrivateDevices = true;
|
|
ProtectHostname = true;
|
|
ProtectClock = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ] ++ lib.optionals isClient [ "AF_UNIX" ];
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
PrivateMounts = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [ "@system-service" ];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
meta.maintainers = with lib.maintainers; [ zaldnoay ];
|
|
}
|