public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/services/security/tor.nix

790 lines
28 KiB
Nix
Raw Normal View History

Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem.
2014-04-14 16:26:48 +02:00
{ config, lib, pkgs, ... }:
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem.
2014-04-14 16:26:48 +02:00
with lib;
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
let
Improved the TOR service to be able to act as a TOR relay and disable the client functionality. Doesn't change the behavior of the existing TOR configurations. svn path=/nixos/trunk/; revision=22554
2010-07-12 06:03:52 +00:00
cfg = config.services.tor;
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
torDirectory = "/var/lib/tor";
nixos/tor: expose control socket
2017-04-16 15:18:44 +02:00
torRunDirectory = "/run/tor";
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
opt = name: value: optionalString (value != null) "${name} ${value}";
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
optint = name: value: optionalString (value != null && value != 0) "${name} ${toString value}";
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
nixos/tor: add support for transparent proxy and dns
2017-04-16 15:19:16 +02:00
isolationOptions = {
type = types.listOf (types.enum [
"IsolateClientAddr"
"IsolateSOCKSAuth"
"IsolateClientProtocol"
"IsolateDestPort"
"IsolateDestAddr"
]);
default = [];
example = [
"IsolateClientAddr"
"IsolateSOCKSAuth"
"IsolateClientProtocol"
"IsolateDestPort"
"IsolateDestAddr"
];
description = "Tor isolation options";
};
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
torRc = ''
User tor
DataDirectory ${torDirectory}
nixos: tor: add enableGeoIP
2017-03-11 17:55:12 +00:00
${optionalString cfg.enableGeoIP ''
GeoIPFile ${pkgs.tor.geoip}/share/tor/geoip
GeoIPv6File ${pkgs.tor.geoip}/share/tor/geoip6
''}
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
tor: skip ControlPort in torrc, if not set.
2017-09-13 23:30:45 +01:00
${optint "ControlPort" cfg.controlPort}
nixos/tor: use ControlPort for controlSocket for simplicity
2018-05-01 00:00:00 +00:00
${optionalString cfg.controlSocket.enable "ControlPort unix:${torRunDirectory}/control GroupWritable RelaxDirModeCheck"}
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
''
# Client connection config
nixos/tor: add support for transparent proxy and dns
2017-04-16 15:19:16 +02:00
+ optionalString cfg.client.enable ''
SOCKSPort ${cfg.client.socksListenAddress} ${toString cfg.client.socksIsolationOptions}
tor: restore strong circuit isolation
2014-12-18 07:54:33 +02:00
SOCKSPort ${cfg.client.socksListenAddressFaster}
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
${opt "SocksPolicy" cfg.client.socksPolicy}
nixos/tor: add support for transparent proxy and dns
2017-04-16 15:19:16 +02:00
${optionalString cfg.client.transparentProxy.enable ''
TransPort ${cfg.client.transparentProxy.listenAddress} ${toString cfg.client.transparentProxy.isolationOptions}
''}
${optionalString cfg.client.dns.enable ''
DNSPort ${cfg.client.dns.listenAddress} ${toString cfg.client.dns.isolationOptions}
AutomapHostsOnResolve 1
AutomapHostsSuffixes ${concatStringsSep "," cfg.client.dns.automapHostsSuffixes}
''}
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
''
nixos/tor: better support non-anonymous services Tor requires ``SOCKSPort 0`` when non-anonymous hidden services are enabled. If the configuration doesn't enable Tor client features, generate a configuration file that explicitly includes this disabling to allow such non-anonymous hidden services to be created (note that doing so still requires additional configuration). See #48622.
2018-10-17 08:56:59 -04:00
# Explicitly disable the SOCKS server if the client is disabled. In
# particular, this makes non-anonymous hidden services possible.
+ optionalString (! cfg.client.enable) ''
SOCKSPort 0
''
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
# Relay config
+ optionalString cfg.relay.enable ''
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
ORPort ${toString cfg.relay.port}
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
${opt "Address" cfg.relay.address}
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
${opt "Nickname" cfg.relay.nickname}
${opt "ContactInfo" cfg.relay.contactInfo}
${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
${opt "AccountingMax" cfg.relay.accountingMax}
${opt "AccountingStart" cfg.relay.accountingStart}
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
${if (cfg.relay.role == "exit") then
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
opt "ExitPolicy" cfg.relay.exitPolicy
else
"ExitPolicy reject *:*"}
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
${optionalString (elem cfg.relay.role ["bridge" "private-bridge"]) ''
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
BridgeRelay 1
nixos/tor: fix obfs4 package
2019-07-19 04:03:51 +08:00
ServerTransportPlugin ${concatStringsSep "," cfg.relay.bridgeTransports} exec ${pkgs.obfs4}/bin/obfs4proxy managed
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
ExtORPort auto
${optionalString (cfg.relay.role == "private-bridge") ''
ExtraInfoStatistics 0
PublishServerDescriptor 0
''}
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
''}
''
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
# Hidden services
+ concatStrings (flip mapAttrsToList cfg.hiddenServices (n: v: ''
HiddenServiceDir ${torDirectory}/onion/${v.name}
nixos/tor: add HiddenServiceVersion option
2018-11-23 12:23:02 +00:00
${optionalString (v.version != null) "HiddenServiceVersion ${toString v.version}"}
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
${flip concatMapStrings v.map (p: ''
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
HiddenServicePort ${toString p.port} ${p.destination}
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
'')}
nixos/tor: add hiddenServices.<name>.authorizeClient
2018-02-07 03:20:41 +01:00
${optionalString (v.authorizeClient != null) ''
HiddenServiceAuthorizeClient ${v.authorizeClient.authType} ${concatStringsSep "," v.authorizeClient.clientNames}
''}
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
''))
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
+ cfg.extraConfig;
torRcFile = pkgs.writeText "torrc" torRc;
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
in
{
nixos/treewide: Move rename.nix imports to their respective modules A centralized list for these renames is not good because: - It breaks disabledModules for modules that have a rename defined - Adding/removing renames for a module means having to find them in the central file - Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
imports = [
(mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ])
(mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.")
(mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.")
];
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
options = {
services.tor = {
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable the Tor daemon. By default, the daemon is run without
relay, exit, bridge or client connectivity.
'';
};
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
nixos: tor: add enableGeoIP
2017-03-11 17:55:12 +00:00
enableGeoIP = mkOption {
type = types.bool;
default = true;
description = ''
Whenever to configure Tor daemon to use GeoIP databases.
Disabling this will disable by-country statistics for
bridges and relays and some client and third-party software
functionality.
'';
};
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
extraConfig = mkOption {
Tor module: append redundant specifications of 'extraConfig', via 'types.lines'.
2014-12-11 14:23:48 +00:00
type = types.lines;
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
default = "";
description = ''
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
Extra configuration. Contents will be added verbatim to the
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
configuration file at the end.
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
'';
};
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
controlPort = mkOption {
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
type = types.nullOr (types.either types.int types.str);
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
default = null;
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
example = 9051;
description = ''
If set, Tor will accept connections on the specified port
and allow them to control the tor process.
'';
};
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
nixos/tor: expose control socket
2017-04-16 15:18:44 +02:00
controlSocket = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Wheter to enable Tor control socket. Control socket is created
in <literal>${torRunDirectory}/control</literal>
'';
};
};
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
client = {
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
enable = mkOption {
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
type = types.bool;
TOR: client should be disabled by default svn path=/nixos/trunk/; revision=23860
2010-09-18 16:36:03 +00:00
default = false;
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
description = ''
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
Whether to enable Tor daemon to route application
connections. You might want to disable this if you plan
running a dedicated Tor relay.
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
'';
};
socksListenAddress = mkOption {
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
type = types.str;
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
default = "127.0.0.1:9050";
Replacing tsocks with torsocks. tsocks leaks DNS requests and is less secure than torsocks. torsocks is a fork of tsocks that is patched specifically for Tor. svn path=/nixos/trunk/; revision=24012
2010-10-01 03:41:43 +00:00
example = "192.168.0.1:9100";
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
description = ''
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
Bind to this address to listen for connections from
tor: restore strong circuit isolation
2014-12-18 07:54:33 +02:00
Socks-speaking applications. Provides strong circuit
isolation, separate circuit per IP address.
Tor: improve circuit isolation. By default apps are isolated better, with extra port available for web browsers to keep performance as it used to be before this commit.
2013-01-14 07:37:13 +02:00
'';
};
tor: restore strong circuit isolation
2014-12-18 07:54:33 +02:00
socksListenAddressFaster = mkOption {
type = types.str;
default = "127.0.0.1:9063";
example = "192.168.0.1:9101";
description = ''
Bind to this address to listen for connections from
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
Socks-speaking applications. Same as
<option>socksListenAddress</option> but uses weaker
circuit isolation to provide performance suitable for a
web browser.
tor: restore strong circuit isolation
2014-12-18 07:54:33 +02:00
'';
};
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
socksPolicy = mkOption {
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
type = types.nullOr types.str;
default = null;
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
example = "accept 192.168.0.0/16, reject *";
description = ''
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
Entry policies to allow/deny SOCKS requests based on IP
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
address. First entry that matches wins. If no SocksPolicy
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
is set, we accept all (and only) requests from
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
<option>socksListenAddress</option>.
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
'';
};
tor: restore the Privoxy setup, but configure the system Privoxy instead of running a separate instance.
2014-12-18 08:19:57 +02:00
nixos/tor: add support for transparent proxy and dns
2017-04-16 15:19:16 +02:00
socksIsolationOptions = mkOption (isolationOptions // {
default = ["IsolateDestAddr"];
});
transparentProxy = {
enable = mkOption {
type = types.bool;
default = false;
nixos/tor: Correct "transparent" typo
2018-09-17 09:55:18 -04:00
description = "Whether to enable tor transparent proxy";
nixos/tor: add support for transparent proxy and dns
2017-04-16 15:19:16 +02:00
};
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1:9040";
example = "192.168.0.1:9040";
description = ''
Bind transparent proxy to this address.
'';
};
isolationOptions = mkOption isolationOptions;
};
dns = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable tor dns resolver";
};
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1:9053";
example = "192.168.0.1:9053";
description = ''
Bind tor dns to this address.
'';
};
isolationOptions = mkOption isolationOptions;
automapHostsSuffixes = mkOption {
type = types.listOf types.str;
default = [".onion" ".exit"];
example = [".onion"];
description = "List of suffixes to use with automapHostsOnResolve";
};
};
tor: restore the Privoxy setup, but configure the system Privoxy instead of running a separate instance.
2014-12-18 08:19:57 +02:00
privoxy.enable = mkOption {
nixos/tor: add missing option type
2017-03-19 22:18:50 +01:00
type = types.bool;
tor: restore the Privoxy setup, but configure the system Privoxy instead of running a separate instance.
2014-12-18 08:19:57 +02:00
default = true;
description = ''
Whether to enable and configure the system Privoxy to use Tor's
faster port, suitable for HTTP.
To have anonymity, protocols need to be scrubbed of identifying
information, and this can be accomplished for HTTP by Privoxy.
Privoxy can also be useful for KDE torification. A good setup would be:
setting SOCKS proxy to the default Tor port, providing maximum
circuit isolation where possible; and setting HTTP proxy to Privoxy
to route HTTP traffic over faster, but less isolated port.
'';
};
Improved the TOR service to be able to act as a TOR relay and disable the client functionality. Doesn't change the behavior of the existing TOR configurations. svn path=/nixos/trunk/; revision=22554
2010-07-12 06:03:52 +00:00
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
relay = {
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
enable = mkOption {
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
type = types.bool;
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
default = false;
description = ''
Whether to enable relaying TOR traffic for others.
Improved the TOR service to be able to act as a TOR relay and disable the client functionality. Doesn't change the behavior of the existing TOR configurations. svn path=/nixos/trunk/; revision=22554
2010-07-12 06:03:52 +00:00
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
See <link xlink:href="https://www.torproject.org/docs/tor-doc-relay" />
for details.
TOR: add obfsproxy support by default for TOR bridges
2013-06-04 13:02:37 +03:00
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
Setting this to true requires setting
<option>services.tor.relay.role</option>
and
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
<option>services.tor.relay.port</option>
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
options.
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
'';
};
Improved the TOR service to be able to act as a TOR relay and disable the client functionality. Doesn't change the behavior of the existing TOR configurations. svn path=/nixos/trunk/; revision=22554
2010-07-12 06:03:52 +00:00
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
role = mkOption {
type = types.enum [ "exit" "relay" "bridge" "private-bridge" ];
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
description = ''
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
Your role in Tor network. There're several options:
<variablelist>
<varlistentry>
<term><literal>exit</literal></term>
<listitem>
<para>
An exit relay. This allows Tor users to access regular
Internet services through your public IP.
</para>
<important><para>
Running an exit relay may expose you to abuse
complaints. See
<link xlink:href="https://www.torproject.org/faq.html.en#ExitPolicies" />
for more info.
</para></important>
<para>
You can specify which services Tor users may access via
your exit relay using <option>exitPolicy</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>relay</literal></term>
<listitem>
<para>
Regular relay. This allows Tor users to relay onion
traffic to other Tor nodes, but not to public
Internet.
</para>
<important><para>
Note that some misconfigured and/or disrespectful
towards privacy sites will block you even if your
relay is not an exit relay. That is, just being listed
in a public relay directory can have unwanted
consequences.
Which means you might not want to use
this role if you browse public Internet from the same
network as your relay, unless you want to write
e-mails to those sites (you should!).
</para></important>
<para>
See
<link xlink:href="https://www.torproject.org/docs/tor-doc-relay.html.en" />
for more info.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>bridge</literal></term>
<listitem>
<para>
Regular bridge. Works like a regular relay, but
doesn't list you in the public relay directory and
nixos tor: use obfs4proxy, make transport list customizable
2019-04-29 22:56:47 -05:00
hides your Tor node behind obfs4proxy.
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
</para>
<para>
Using this option will make Tor advertise your bridge
to users through various mechanisms like
<link xlink:href="https://bridges.torproject.org/" />, though.
</para>
<important>
<para>
nixos/tor: grammer fix, advise -> advice Seems to me that the noun form is more appropriate here.
2018-06-13 00:15:45 +02:00
WARNING: THE FOLLOWING PARAGRAPH IS NOT LEGAL ADVICE.
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
Consult with your lawer when in doubt.
</para>
<para>
This role should be safe to use in most situations
(unless the act of forwarding traffic for others is
a punishable offence under your local laws, which
would be pretty insane as it would make ISP
illegal).
</para>
</important>
<para>
See <link xlink:href="https://www.torproject.org/docs/bridges.html.en" />
for more info.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>private-bridge</literal></term>
<listitem>
<para>
Private bridge. Works like regular bridge, but does
not advertise your node in any way.
</para>
<para>
Using this role means that you won't contribute to Tor
network in any way unless you advertise your node
yourself in some way.
</para>
<para>
Use this if you want to run a private bridge, for
example because you'll give out your bridge address
manually to your friends.
</para>
<para>
Switching to this role after measurable time in
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
"bridge" role is pretty useless as some Tor users
would have learned about your node already. In the
latter case you can still change
<option>port</option> option.
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
</para>
<para>
See <link xlink:href="https://www.torproject.org/docs/bridges.html.en" />
for more info.
</para>
</listitem>
</varlistentry>
</variablelist>
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
'';
};
Improved the TOR service to be able to act as a TOR relay and disable the client functionality. Doesn't change the behavior of the existing TOR configurations. svn path=/nixos/trunk/; revision=22554
2010-07-12 06:03:52 +00:00
nixos tor: use obfs4proxy, make transport list customizable
2019-04-29 22:56:47 -05:00
bridgeTransports = mkOption {
type = types.listOf types.str;
default = ["obfs4"];
example = ["obfs2" "obfs3" "obfs4" "scramblesuit"];
description = "List of pluggable transports";
};
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
nickname = mkOption {
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
type = types.str;
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
default = "anonymous";
description = ''
A unique handle for your TOR relay.
'';
};
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
contactInfo = mkOption {
type = types.nullOr types.str;
default = null;
example = "admin@relay.com";
description = ''
Contact information for the relay owner (e.g. a mail
address and GPG key ID).
'';
};
accountingMax = mkOption {
type = types.nullOr types.str;
default = null;
example = "450 GBytes";
description = ''
nixos/tor: add tor hidden service options (#28081) * nixos/tor: add hiddenServices option This change allows to configure hidden services more conveniently. * nixos/tor: fix default/example mixup * nixos/tor: use docbook in documentation Also use more elegant optionalString for optional strings. * tor: seperate hidden service port by newline * tor: better example for hidden service path a path below /var/lib/tor is usually used for hidden services
2017-08-11 23:59:52 +02:00
Specify maximum bandwidth allowed during an accounting period. This
allows you to limit overall tor bandwidth over some time period.
See the <literal>AccountingMax</literal> option by looking at the
tor manual <citerefentry><refentrytitle>tor</refentrytitle>
<manvolnum>1</manvolnum></citerefentry> for more.
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
Note this limit applies individually to upload and
download; if you specify <literal>"500 GBytes"</literal>
here, then you may transfer up to 1 TBytes of overall
bandwidth (500 GB upload, 500 GB download).
'';
};
accountingStart = mkOption {
type = types.nullOr types.str;
default = null;
example = "month 1 1:00";
description = ''
nixos/tor: add tor hidden service options (#28081) * nixos/tor: add hiddenServices option This change allows to configure hidden services more conveniently. * nixos/tor: fix default/example mixup * nixos/tor: use docbook in documentation Also use more elegant optionalString for optional strings. * tor: seperate hidden service port by newline * tor: better example for hidden service path a path below /var/lib/tor is usually used for hidden services
2017-08-11 23:59:52 +02:00
Specify length of an accounting period. This allows you to limit
overall tor bandwidth over some time period. See the
<literal>AccountingStart</literal> option by looking at the tor
manual <citerefentry><refentrytitle>tor</refentrytitle>
<manvolnum>1</manvolnum></citerefentry> for more.
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
'';
};
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
bandwidthRate = mkOption {
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
type = types.nullOr types.int;
default = null;
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
example = 100;
description = ''
Specify this to limit the bandwidth usage of relayed (server)
traffic. Your own traffic is still unthrottled. Units: bytes/second.
'';
};
bandwidthBurst = mkOption {
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
type = types.nullOr types.int;
TOR service: sane default for burst rate svn path=/nixos/trunk/; revision=23851
2010-09-18 12:43:48 +00:00
default = cfg.relay.bandwidthRate;
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
example = 200;
description = ''
Specify this to allow bursts of the bandwidth usage of relayed (server)
traffic. The average usage will still be as specified in relayBandwidthRate.
Your own traffic is still unthrottled. Units: bytes/second.
'';
};
Improved the TOR service to be able to act as a TOR relay and disable the client functionality. Doesn't change the behavior of the existing TOR configurations. svn path=/nixos/trunk/; revision=22554
2010-07-12 06:03:52 +00:00
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
address = mkOption {
type = types.nullOr types.str;
default = null;
example = "noname.example.com";
description = ''
The IP address or full DNS name for advertised address of your relay.
Leave unset and Tor will guess.
'';
};
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
port = mkOption {
type = types.either types.int types.str;
example = 143;
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
description = ''
nixos/tor: add tor hidden service options (#28081) * nixos/tor: add hiddenServices option This change allows to configure hidden services more conveniently. * nixos/tor: fix default/example mixup * nixos/tor: use docbook in documentation Also use more elegant optionalString for optional strings. * tor: seperate hidden service port by newline * tor: better example for hidden service path a path below /var/lib/tor is usually used for hidden services
2017-08-11 23:59:52 +02:00
What port to advertise for Tor connections. This corresponds to the
<literal>ORPort</literal> section in the Tor manual; see
<citerefentry><refentrytitle>tor</refentrytitle>
<manvolnum>1</manvolnum></citerefentry> for more details.
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
At a minimum, you should just specify the port for the
relay to listen on; a common one like 143, 22, 80, or 443
to help Tor users who may have very restrictive port-based
firewalls.
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
'';
};
exitPolicy = mkOption {
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
type = types.nullOr types.str;
default = null;
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
example = "accept *:6660-6667,reject *:*";
description = ''
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
A comma-separated list of exit policies. They're
considered first to last, and the first match wins. If you
want to _replace_ the default exit policy, end this with
either a reject *:* or an accept *:*. Otherwise, you're
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
_augmenting_ (prepending to) the default exit policy.
Leave commented to just use the default, which is
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
available in the man page or at
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
<link xlink:href="https://www.torproject.org/documentation.html" />.
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
nixos: tor: more options, no unexpected consequences for default relay operators Before this commit default relay configuration could produce unexpected real life consequences. This patch makes those choices explicit and documents them extensively.
2017-03-01 00:00:00 +00:00
Look at
<link xlink:href="https://www.torproject.org/faq-abuse.html#TypicalAbuses" />
for issues you might encounter if you use the default
exit policy.
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
If certain IPs and ports are blocked externally, e.g. by
your firewall, you should update your exit policy to
reflect this -- otherwise Tor users will be told that
those destinations are down.
TOR service: refactored options to avoid mess svn path=/nixos/trunk/; revision=23850
2010-09-18 11:30:14 +00:00
'';
};
Improved the TOR service to be able to act as a TOR relay and disable the client functionality. Doesn't change the behavior of the existing TOR configurations. svn path=/nixos/trunk/; revision=22554
2010-07-12 06:03:52 +00:00
};
nixos/tor: add tor hidden service options (#28081) * nixos/tor: add hiddenServices option This change allows to configure hidden services more conveniently. * nixos/tor: fix default/example mixup * nixos/tor: use docbook in documentation Also use more elegant optionalString for optional strings. * tor: seperate hidden service port by newline * tor: better example for hidden service path a path below /var/lib/tor is usually used for hidden services
2017-08-11 23:59:52 +02:00
hiddenServices = mkOption {
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
description = ''
A set of static hidden services that terminate their Tor
circuits at this node.
Every element in this set declares a virtual onion host.
You can specify your onion address by putting corresponding
private key to an appropriate place in ${torDirectory}.
For services without private keys in ${torDirectory} Tor
daemon will generate random key pairs (which implies random
onion addresses) on restart. The latter could take a while,
please be patient.
<note><para>
Hidden services can be useful even if you don't intend to
actually <emphasis>hide</emphasis> them, since they can
also be seen as a kind of NAT traversal mechanism.
E.g. the example will make your sshd, whatever runs on
"8080" and your mail server available from anywhere where
the Tor network is available (which, with the help from
bridges, is pretty much everywhere), even if both client
and server machines are behind NAT you have no control
over.
</para></note>
'';
nixos/tor: add tor hidden service options (#28081) * nixos/tor: add hiddenServices option This change allows to configure hidden services more conveniently. * nixos/tor: fix default/example mixup * nixos/tor: use docbook in documentation Also use more elegant optionalString for optional strings. * tor: seperate hidden service port by newline * tor: better example for hidden service path a path below /var/lib/tor is usually used for hidden services
2017-08-11 23:59:52 +02:00
default = {};
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
example = literalExample ''
{ "my-hidden-service-example".map = [
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
{ port = 22; } # map ssh port to this machine's ssh
{ port = 80; toPort = 8080; } # map http port to whatever runs on 8080
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
{ port = "sip"; toHost = "mail.example.com"; toPort = "imap"; } # because we can
];
}
'';
[bot] nixos/*: remove unused arguments in lambdas
2018-07-20 20:56:59 +00:00
type = types.loaOf (types.submodule ({name, ...}: {
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
options = {
name = mkOption {
type = types.str;
description = ''
Name of this tor hidden service.
This is purely descriptive.
After restarting Tor daemon you should be able to
find your .onion address in
<literal>${torDirectory}/onion/$name/hostname</literal>.
'';
};
map = mkOption {
default = [];
description = "Port mapping for this hidden service.";
type = types.listOf (types.submodule ({config, ...}: {
options = {
port = mkOption {
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
type = types.either types.int types.str;
example = 80;
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
description = ''
Hidden service port to "bind to".
'';
};
destination = mkOption {
internal = true;
type = types.str;
description = "Forward these connections where?";
};
toHost = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Mapping destination host.";
};
toPort = mkOption {
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
type = types.either types.int types.str;
example = 8080;
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
description = "Mapping destination port.";
};
};
config = {
toPort = mkDefault config.port;
nixos: tor: rename portSpec -> port, type all "port"s properly
2017-03-01 00:00:00 +00:00
destination = mkDefault "${config.toHost}:${toString config.toPort}";
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
};
}));
};
nixos/tor: add hiddenServices.<name>.authorizeClient
2018-02-07 03:20:41 +01:00
authorizeClient = mkOption {
default = null;
description = "If configured, the hidden service is accessible for authorized clients only.";
[bot] nixos/*: remove unused arguments in lambdas
2018-07-20 20:56:59 +00:00
type = types.nullOr (types.submodule ({...}: {
nixos/tor: add hiddenServices.<name>.authorizeClient
2018-02-07 03:20:41 +01:00
options = {
authType = mkOption {
type = types.enum [ "basic" "stealth" ];
description = ''
Either <literal>"basic"</literal> for a general-purpose authorization protocol
or <literal>"stealth"</literal> for a less scalable protocol
that also hides service activity from unauthorized clients.
'';
};
clientNames = mkOption {
type = types.nonEmptyListOf (types.strMatching "[A-Za-z0-9+-_]+");
description = ''
Only clients that are listed here are authorized to access the hidden service.
Generated authorization data can be found in <filename>${torDirectory}/onion/$name/hostname</filename>.
Clients need to put this authorization data in their configuration file using <literal>HidServAuth</literal>.
'';
};
};
}));
};
nixos/tor: add HiddenServiceVersion option
2018-11-23 12:23:02 +00:00
version = mkOption {
default = null;
description = "Rendezvous service descriptor version to publish for the hidden service. Currently, versions 2 and 3 are supported. (Default: 2)";
type = types.nullOr (types.enum [ 2 3 ]);
};
nixos/tor: add tor hidden service options (#28081) * nixos/tor: add hiddenServices option This change allows to configure hidden services more conveniently. * nixos/tor: fix default/example mixup * nixos/tor: use docbook in documentation Also use more elegant optionalString for optional strings. * tor: seperate hidden service port by newline * tor: better example for hidden service path a path below /var/lib/tor is usually used for hidden services
2017-08-11 23:59:52 +02:00
};
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
config = {
name = mkDefault name;
};
}));
nixos/tor: add tor hidden service options (#28081) * nixos/tor: add hiddenServices option This change allows to configure hidden services more conveniently. * nixos/tor: fix default/example mixup * nixos/tor: use docbook in documentation Also use more elegant optionalString for optional strings. * tor: seperate hidden service port by newline * tor: better example for hidden service path a path below /var/lib/tor is usually used for hidden services
2017-08-11 23:59:52 +02:00
};
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
};
};
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
config = mkIf cfg.enable {
nixos: tor: better submodule for hidden services Rebased onto master with a different implementation. Originally: "add support for serving hidden services".
2017-03-01 00:00:00 +00:00
# Not sure if `cfg.relay.role == "private-bridge"` helps as tor
# sends a lot of stats
warnings = optional (cfg.relay.enable && cfg.hiddenServices != {})
''
Running Tor hidden services on a public relay makes the
presence of hidden services visible through simple statistical
analysis of publicly available data.
You can safely ignore this warning if you don't intend to
actually hide your hidden services. In either case, you can
always create a container/VM with a separate Tor daemon instance.
'';
nixos/modules: users.(extraUsers|extraGroup->users|group)
2018-06-30 01:58:35 +02:00
users.groups.tor.gid = config.ids.gids.tor;
users.users.tor =
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
{ description = "Tor Daemon User";
createHome = true;
home = torDirectory;
group = "tor";
uid = config.ids.uids.tor;
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
};
nixos/tor: add tor-init service to fix directory ownerships, fix hardenings This reverts a part of 5bd12c694bfebaef1d03eb7f74a6eca01b86f546. Apparently there's no way to specify user for RuntimeDirectory in systemd service file (it's always root) but tor won't create control socket if the dir is owned by anybody except the tor user. These hardenings were adopted from the upstream service file, checked against systemd.service(5) and systemd.exec(5) manuals, and tested to actually work with all the options enabled. `PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5), removed. `--RunAsDaemon 0` is the default value according to tor(5), removed.
2018-05-01 00:00:00 +00:00
# We have to do this instead of using RuntimeDirectory option in
# the service below because systemd has no way to set owners of
# RuntimeDirectory and putting this into the service below
# requires that service to relax it's sandbox since this needs
# writable /run
systemd.services.tor-init =
{ description = "Tor Daemon Init";
wantedBy = [ "tor.service" ];
script = ''
install -m 0700 -o tor -g tor -d ${torDirectory} ${torDirectory}/onion
install -m 0750 -o tor -g tor -d ${torRunDirectory}
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
};
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
systemd.services.tor =
{ description = "Tor Daemon";
path = [ pkgs.tor ];
wantedBy = [ "multi-user.target" ];
nixos/tor: add tor-init service to fix directory ownerships, fix hardenings This reverts a part of 5bd12c694bfebaef1d03eb7f74a6eca01b86f546. Apparently there's no way to specify user for RuntimeDirectory in systemd service file (it's always root) but tor won't create control socket if the dir is owned by anybody except the tor user. These hardenings were adopted from the upstream service file, checked against systemd.service(5) and systemd.exec(5) manuals, and tested to actually work with all the options enabled. `PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5), removed. `--RunAsDaemon 0` is the default value according to tor(5), removed.
2018-05-01 00:00:00 +00:00
after = [ "tor-init.service" "network.target" ];
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
restartTriggers = [ torRcFile ];
serviceConfig =
{ Type = "simple";
nixos/tor: use RuntimeDirectory, StateDirectory (#39083)
2018-04-18 09:42:45 +02:00
# Translated from the upstream contrib/dist/tor.service.in
ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config";
nixos/tor: add tor-init service to fix directory ownerships, fix hardenings This reverts a part of 5bd12c694bfebaef1d03eb7f74a6eca01b86f546. Apparently there's no way to specify user for RuntimeDirectory in systemd service file (it's always root) but tor won't create control socket if the dir is owned by anybody except the tor user. These hardenings were adopted from the upstream service file, checked against systemd.service(5) and systemd.exec(5) manuals, and tested to actually work with all the options enabled. `PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5), removed. `--RunAsDaemon 0` is the default value according to tor(5), removed.
2018-05-01 00:00:00 +00:00
ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile}";
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
KillSignal = "SIGINT";
TimeoutSec = 30;
Restart = "on-failure";
LimitNOFILE = 32768;
# Hardening
nixos/tor: add tor-init service to fix directory ownerships, fix hardenings This reverts a part of 5bd12c694bfebaef1d03eb7f74a6eca01b86f546. Apparently there's no way to specify user for RuntimeDirectory in systemd service file (it's always root) but tor won't create control socket if the dir is owned by anybody except the tor user. These hardenings were adopted from the upstream service file, checked against systemd.service(5) and systemd.exec(5) manuals, and tested to actually work with all the options enabled. `PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5), removed. `--RunAsDaemon 0` is the default value according to tor(5), removed.
2018-05-01 00:00:00 +00:00
# this seems to unshare /run despite what systemd.exec(5) says
PrivateTmp = mkIf (!cfg.controlSocket.enable) "yes";
PrivateDevices = "yes";
ProtectHome = "yes";
ProtectSystem = "strict";
InaccessiblePaths = "/home";
ReadOnlyPaths = "/";
ReadWritePaths = [ torDirectory torRunDirectory ];
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
NoNewPrivileges = "yes";
nixos/tor: add tor-init service to fix directory ownerships, fix hardenings This reverts a part of 5bd12c694bfebaef1d03eb7f74a6eca01b86f546. Apparently there's no way to specify user for RuntimeDirectory in systemd service file (it's always root) but tor won't create control socket if the dir is owned by anybody except the tor user. These hardenings were adopted from the upstream service file, checked against systemd.service(5) and systemd.exec(5) manuals, and tested to actually work with all the options enabled. `PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5), removed. `--RunAsDaemon 0` is the default value according to tor(5), removed.
2018-05-01 00:00:00 +00:00
# tor.service.in has this in, but this line it fails to spawn a namespace when using hidden services
#CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE";
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
};
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
nixos: overhaul Tor module This overhauls the Tor module in a few ways: - Uses systemd service files, including hardening/config checks - Removed old privoxy support; users should use the Tor Browser instead. - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds added complexity and confusion) - Added support for bandwidth accounting - Removed old relay listenAddress option; taken over by portSpec - Formatting, description, code cleanups. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 03:37:31 -06:00
environment.systemPackages = [ pkgs.tor ];
tor: restore the Privoxy setup, but configure the system Privoxy instead of running a separate instance.
2014-12-18 08:19:57 +02:00
services.privoxy = mkIf (cfg.client.enable && cfg.client.privoxy.enable) {
enable = true;
extraConfig = ''
forward-socks4a / ${cfg.client.socksListenAddressFaster} .
toggle 1
enable-remote-toggle 0
enable-edit-actions 0
enable-remote-http-toggle 0
'';
};
Use the "assertions" option instead of mkAssert
2013-10-30 18:30:23 +01:00
};
Adding the Tor service (patch by roconnor) svn path=/nixos/trunk/; revision=21795
2010-05-16 16:20:00 +00:00
}
Reference in New Issue Copy Permalink