public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #34690 from dotlambda/tor

Browse Source 
nixos/tor: add hiddenServices.<name>.authorizeClient
This commit is contained in:
Joachim F 2018-02-08 17:08:44 +00:00 committed by GitHub
commit 65e6fbf2b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/types.nix
View File

@ -256,6 +256,10 @@ rec {
functor = (defaultFunctor name) // { wrapped = elemType; }; functor = (defaultFunctor name) // { wrapped = elemType; };
}; };
nonEmptyListOf = elemType:
let list = addCheck (types.listOf elemType) (l: l != []);
in list // { description = "non-empty " + list.description; };
attrsOf = elemType: mkOptionType rec { attrsOf = elemType: mkOptionType rec {
name = "attrsOf"; name = "attrsOf";
description = "attribute set of ${elemType.description}s"; description = "attribute set of ${elemType.description}s";

30
nixos/modules/services/security/tor.nix
View File

@ -88,6 +88,9 @@ let
${flip concatMapStrings v.map (p: '' ${flip concatMapStrings v.map (p: ''
HiddenServicePort ${toString p.port} ${p.destination} HiddenServicePort ${toString p.port} ${p.destination}
'')} '')}
${optionalString (v.authorizeClient != null) ''
HiddenServiceAuthorizeClient ${v.authorizeClient.authType} ${concatStringsSep "," v.authorizeClient.clientNames}
''}
'')) ''))
+ cfg.extraConfig; + cfg.extraConfig;
@ -619,6 +622,33 @@ in
})); }));
}; };
authorizeClient = mkOption {
default = null;
description = "If configured, the hidden service is accessible for authorized clients only.";
type = types.nullOr (types.submodule ({config, ...}: {
options = {
authType = mkOption {
type = types.enum [ "basic" "stealth" ];
description = ''
Either <literal>"basic"</literal> for a general-purpose authorization protocol
or <literal>"stealth"</literal> for a less scalable protocol
that also hides service activity from unauthorized clients.
'';
};
clientNames = mkOption {
type = types.nonEmptyListOf (types.strMatching "[A-Za-z0-9+-_]+");
description = ''
Only clients that are listed here are authorized to access the hidden service.
Generated authorization data can be found in <filename>${torDirectory}/onion/$name/hostname</filename>.
Clients need to put this authorization data in their configuration file using <literal>HidServAuth</literal>.
'';
};
};
}));
};
}; };
config = { config = {