nixos/frp: add setting

add setting environmentFiles to allow convenient way to pass secrets
2026-06-05 21:03:40 +00:00 · 2025-05-21 22:29:37 +02:00
parent 8330abc5b3
commit c546b27a6b
2 changed files with 35 additions and 4 deletions
--- a/nixos/modules/services/networking/frp.nix
+++ b/nixos/modules/services/networking/frp.nix
@@ -43,6 +43,17 @@ in
                '';
              };

+              environmentFiles = lib.mkOption {
+                type = lib.types.listOf lib.types.path;
+                description = ''
+                  List of paths files that follows systemd environmentfile structure.
+                  Can be used to pass secrets to settings attribute.
+
+                  Example content of a file: SECRET_TOKEN=1234
+                '';
+                default = [ ];
+              };
+
              settings = lib.mkOption {
                type = settingsFormat.type;
                default = { };
@@ -91,6 +102,7 @@ in
          RestartSec = 15;
          ExecStart = "${cfg.package}/bin/${executableFile} --strict_config -c ${configFile}";
          DynamicUser = true;
+          EnvironmentFile = options.environmentFiles;
          # Hardening
          CapabilityBoundingSet = serviceCapability;
          AmbientCapabilities = serviceCapability;
--- a/nixos/tests/frp.nix
+++ b/nixos/tests/frp.nix
@@ -1,4 +1,15 @@
 { pkgs, lib, ... }:
+let
+  token = "1234";
+  dummyFile = pkgs.writeTextFile {
+    name = "secrets";
+    text = "dummy=value";
+  };
+  secretFile = pkgs.writeTextFile {
+    name = "secrets";
+    text = "token=${token}";
+  };
+in
 {
  name = "frp";
  meta.maintainers = with lib.maintainers; [ zaldnoay ];
@@ -15,12 +26,18 @@
        networkConfig.Address = "10.0.0.1/24";
      };

-      services.frp = {
+      services.frp.instances.server = {
        enable = true;
        role = "server";
+        environmentFiles = [
+          (builtins.toPath dummyFile)
+          (builtins.toPath secretFile)
+        ];
        settings = {
          bindPort = 7000;
          vhostHTTPPort = 80;
+          auth.method = "token";
+          auth.token = "{{ .Envs.token }}";
        };
      };
    };
@@ -53,12 +70,14 @@
        enablePHP = true;
      };

-      services.frp = {
+      services.frp.instances.client = {
        enable = true;
        role = "client";
        settings = {
          serverAddr = "10.0.0.1";
          serverPort = 7000;
+          auth.method = "token";
+          auth.token = token;
          proxies = [
            {
              name = "web";
@@ -74,9 +93,9 @@

  testScript = ''
    start_all()
-    frps.wait_for_unit("frp.service")
+    frps.wait_for_unit("frp-server.service")
    frps.wait_for_open_port(80)
-    frpc.wait_for_unit("frp.service")
+    frpc.wait_for_unit("frp-client.service")
    response = frpc.succeed("curl -fvvv -s http://127.0.0.1/")
    assert "PHP Version ${pkgs.php84.version}" in response, "PHP version not detected"
    response = frpc.succeed("curl -fvvv -s http://10.0.0.1/")