nixpkgs/nixos/modules/services/security/tor.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.tor;
  torDirectory = "/var/lib/tor";

  opt    = name: value: optionalString (value != null) "${name} ${value}";
  optint = name: value: optionalString (value != 0)    "${name} ${toString value}";

  torRc = ''
    User tor
    DataDirectory ${torDirectory}

    ${optint "ControlPort" cfg.controlPort}
  ''
  # Client connection config
  + optionalString cfg.client.enable  ''
    SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
    SOCKSPort ${cfg.client.socksListenAddressFaster}
    ${opt "SocksPolicy" cfg.client.socksPolicy}
  ''
  # Relay config
  + optionalString cfg.relay.enable ''
    ORPort ${cfg.relay.portSpec}
    ${opt "Nickname" cfg.relay.nickname}
    ${opt "ContactInfo" cfg.relay.contactInfo}

    ${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
    ${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
    ${opt "AccountingMax" cfg.relay.accountingMax}
    ${opt "AccountingStart" cfg.relay.accountingStart}

    ${if cfg.relay.isExit then
        opt "ExitPolicy" cfg.relay.exitPolicy
      else
        "ExitPolicy reject *:*"}

    ${optionalString cfg.relay.isBridge ''
      BridgeRelay 1
      ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed
    ''}
  ''
  + cfg.extraConfig;

  torRcFile = pkgs.writeText "torrc" torRc;
in
{
  options = {
    services.tor = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the Tor daemon. By default, the daemon is run without
          relay, exit, bridge or client connectivity.
        '';
      };

      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Extra configuration. Contents will be added verbatim to the
          configuration file at the end.
        '';
      };

      controlPort = mkOption {
        type = types.int;
        default = 0;
        example = 9051;
        description = ''
          If set, Tor will accept connections on the specified port
          and allow them to control the tor process.
        '';
      };

      client = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Whether to enable Tor daemon to route application
            connections.  You might want to disable this if you plan
            running a dedicated Tor relay.
          '';
        };

        socksListenAddress = mkOption {
          type = types.str;
          default = "127.0.0.1:9050";
          example = "192.168.0.1:9100";
          description = ''
            Bind to this address to listen for connections from
            Socks-speaking applications. Provides strong circuit
            isolation, separate circuit per IP address.
          '';
        };

        socksListenAddressFaster = mkOption {
          type = types.str;
          default = "127.0.0.1:9063";
          example = "192.168.0.1:9101";
          description = ''
            Bind to this address to listen for connections from
            Socks-speaking applications. Same as socksListenAddress
            but uses weaker circuit isolation to provide performance
            suitable for a web browser.
           '';
         };

        socksPolicy = mkOption {
          type = types.nullOr types.str;
          default = null;
          example = "accept 192.168.0.0/16, reject *";
          description = ''
            Entry policies to allow/deny SOCKS requests based on IP
            address.  First entry that matches wins. If no SocksPolicy
            is set, we accept all (and only) requests from
            SocksListenAddress.
          '';
        };

        privoxy.enable = mkOption {
          default = true;
          description = ''
            Whether to enable and configure the system Privoxy to use Tor's
            faster port, suitable for HTTP.

            To have anonymity, protocols need to be scrubbed of identifying
            information, and this can be accomplished for HTTP by Privoxy.

            Privoxy can also be useful for KDE torification. A good setup would be:
            setting SOCKS proxy to the default Tor port, providing maximum
            circuit isolation where possible; and setting HTTP proxy to Privoxy
            to route HTTP traffic over faster, but less isolated port.
          '';
        };
      };

      relay = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Whether to enable relaying TOR traffic for others.

            See https://www.torproject.org/docs/tor-doc-relay for details.
          '';
        };

        isBridge = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Bridge relays (or "bridges") are Tor relays that aren't
            listed in the main directory. Since there is no complete
            public list of them, even if an ISP is filtering
            connections to all the known Tor relays, they probably
            won't be able to block all the bridges.

            A bridge relay can't be an exit relay.

            You need to set relay.enable to true for this option to
            take effect.

            The bridge is set up with an obfuscated transport proxy.

            See https://www.torproject.org/bridges.html.en for more info.
          '';
        };

        isExit = mkOption {
          type = types.bool;
          default = false;
          description = ''
            An exit relay allows Tor users to access regular Internet
            services.

            Unlike running a non-exit relay, running an exit relay may
            expose you to abuse complaints. See
            https://www.torproject.org/faq.html.en#ExitPolicies for
            more info.

            You can specify which services Tor users may access via
            your exit relay using exitPolicy option.
          '';
        };

        nickname = mkOption {
          type = types.str;
          default = "anonymous";
          description = ''
            A unique handle for your TOR relay.
          '';
        };

        contactInfo = mkOption {
          type = types.nullOr types.str;
          default = null;
          example = "admin@relay.com";
          description = ''
            Contact information for the relay owner (e.g. a mail
            address and GPG key ID).
          '';
        };

        accountingMax = mkOption {
          type = types.nullOr types.str;
          default = null;
          example = "450 GBytes";
          description = ''
            Specify maximum bandwidth allowed during an accounting
            period. This allows you to limit overall tor bandwidth
            over some time period. See the
            <literal>AccountingMax</literal> option by looking at the
            tor manual (<literal>man tor</literal>) for more.

            Note this limit applies individually to upload and
            download; if you specify <literal>"500 GBytes"</literal>
            here, then you may transfer up to 1 TBytes of overall
            bandwidth (500 GB upload, 500 GB download).
          '';
        };

        accountingStart = mkOption {
          type = types.nullOr types.str;
          default = null;
          example = "month 1 1:00";
          description = ''
            Specify length of an accounting period. This allows you to
            limit overall tor bandwidth over some time period. See the
            <literal>AccountingStart</literal> option by looking at
            the tor manual (<literal>man tor</literal>) for more.
          '';
        };

        bandwidthRate = mkOption {
          type = types.int;
          default = 0;
          example = 100;
          description = ''
            Specify this to limit the bandwidth usage of relayed (server)
            traffic. Your own traffic is still unthrottled. Units: bytes/second.
          '';
        };

        bandwidthBurst = mkOption {
          type = types.int;
          default = cfg.relay.bandwidthRate;
          example = 200;
          description = ''
            Specify this to allow bursts of the bandwidth usage of relayed (server)
            traffic. The average usage will still be as specified in relayBandwidthRate.
            Your own traffic is still unthrottled. Units: bytes/second.
          '';
        };

        portSpec = mkOption {
          type    = types.str;
          example = "143";
          description = ''
            What port to advertise for Tor connections. This corresponds
            to the <literal>ORPort</literal> section in the Tor manual; see
            <literal>man tor</literal> for more details.

            At a minimum, you should just specify the port for the
            relay to listen on; a common one like 143, 22, 80, or 443
            to help Tor users who may have very restrictive port-based
            firewalls.
          '';
        };

        exitPolicy = mkOption {
          type    = types.nullOr types.str;
          default = null;
          example = "accept *:6660-6667,reject *:*";
          description = ''
            A comma-separated list of exit policies. They're
            considered first to last, and the first match wins. If you
            want to _replace_ the default exit policy, end this with
            either a reject *:* or an accept *:*. Otherwise, you're
            _augmenting_ (prepending to) the default exit
            policy. Leave commented to just use the default, which is
            available in the man page or at
            https://www.torproject.org/documentation.html

            Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
            for issues you might encounter if you use the default exit policy.

            If certain IPs and ports are blocked externally, e.g. by
            your firewall, you should update your exit policy to
            reflect this -- otherwise Tor users will be told that
            those destinations are down.
          '';
        };
      };
    };
  };

  config = mkIf cfg.enable {
    assertions = singleton
      { message = "Can't be both an exit and a bridge relay at the same time";
        assertion =
          cfg.relay.enable -> !(cfg.relay.isBridge && cfg.relay.isExit);
      };

    users.extraGroups.tor.gid = config.ids.gids.tor;
    users.extraUsers.tor =
      { description = "Tor Daemon User";
        createHome  = true;
        home        = torDirectory;
        group       = "tor";
        uid         = config.ids.uids.tor;
      };

    systemd.services.tor =
      { description = "Tor Daemon";
        path = [ pkgs.tor ];

        wantedBy = [ "multi-user.target" ];
        after    = [ "network.target" ];
        restartTriggers = [ torRcFile ];

        # Translated from the upstream contrib/dist/tor.service.in
        serviceConfig =
          { Type         = "simple";
            ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config";
            ExecStart    = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0";
            ExecReload   = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
            KillSignal   = "SIGINT";
            TimeoutSec   = 30;
            Restart      = "on-failure";
            LimitNOFILE  = 32768;

            # Hardening
            # Note: DevicePolicy is set to 'closed', although the
            # minimal permissions are really:
            #   DeviceAllow /dev/null rw
            #   DeviceAllow /dev/urandom r
            # .. but we can't specify DeviceAllow multiple times. 'closed'
            # is close enough.
            PrivateTmp              = "yes";
            DevicePolicy            = "closed";
            InaccessibleDirectories = "/home";
            ReadOnlyDirectories     = "/";
            ReadWriteDirectories    = torDirectory;
            NoNewPrivileges         = "yes";
          };
      };

    environment.systemPackages = [ pkgs.tor ];

    services.privoxy = mkIf (cfg.client.enable && cfg.client.privoxy.enable) {
      enable = true;
      extraConfig = ''
        forward-socks4a / ${cfg.client.socksListenAddressFaster} .
        toggle  1
        enable-remote-toggle 0
        enable-edit-actions 0
        enable-remote-http-toggle 0
      '';
    };
  };
}