public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #41852 from oxij/nixos/tor-service

Browse Source 
nixos/tor: fix systemd service
This commit is contained in:
Joachim F 2018-06-13 19:52:10 +00:00 committed by GitHub
commit f0f385ae76
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 33 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
nixos/modules/services/security/tor.nix
View File

@ -39,7 +39,7 @@ let
''} ''}
${optint "ControlPort" cfg.controlPort} ${optint "ControlPort" cfg.controlPort}
${optionalString cfg.controlSocket.enable "ControlSocket ${torRunDirectory}/control GroupWritable RelaxDirModeCheck"} ${optionalString cfg.controlSocket.enable "ControlPort unix:${torRunDirectory}/control GroupWritable RelaxDirModeCheck"}
'' ''
# Client connection config # Client connection config
+ optionalString cfg.client.enable '' + optionalString cfg.client.enable ''
@ -695,19 +695,38 @@ in
uid = config.ids.uids.tor; uid = config.ids.uids.tor;
}; };
# We have to do this instead of using RuntimeDirectory option in
# the service below because systemd has no way to set owners of
# RuntimeDirectory and putting this into the service below
# requires that service to relax it's sandbox since this needs
# writable /run
systemd.services.tor-init =
{ description = "Tor Daemon Init";
wantedBy = [ "tor.service" ];
after = [ "local-fs.target" ];
script = ''
install -m 0700 -o tor -g tor -d ${torDirectory} ${torDirectory}/onion
install -m 0750 -o tor -g tor -d ${torRunDirectory}
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
};
systemd.services.tor = systemd.services.tor =
{ description = "Tor Daemon"; { description = "Tor Daemon";
path = [ pkgs.tor ]; path = [ pkgs.tor ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "tor-init.service" "network.target" ];
restartTriggers = [ torRcFile ]; restartTriggers = [ torRcFile ];
serviceConfig = serviceConfig =
{ Type = "simple"; { Type = "simple";
# Translated from the upstream contrib/dist/tor.service.in # Translated from the upstream contrib/dist/tor.service.in
ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config"; ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config";
ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0"; ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
KillSignal = "SIGINT"; KillSignal = "SIGINT";
TimeoutSec = 30; TimeoutSec = 30;
@ -715,20 +734,18 @@ in
LimitNOFILE = 32768; LimitNOFILE = 32768;
# Hardening # Hardening
# Note: DevicePolicy is set to 'closed', although the # this seems to unshare /run despite what systemd.exec(5) says
# minimal permissions are really: PrivateTmp = mkIf (!cfg.controlSocket.enable) "yes";
# DeviceAllow /dev/null rw PrivateDevices = "yes";
# DeviceAllow /dev/urandom r ProtectHome = "yes";
# .. but we can't specify DeviceAllow multiple times. 'closed' ProtectSystem = "strict";
# is close enough. InaccessiblePaths = "/home";
RuntimeDirectory = "tor"; ReadOnlyPaths = "/";
StateDirectory = [ "tor" "tor/onion" ]; ReadWritePaths = [ torDirectory torRunDirectory ];
PrivateTmp = "yes";
DevicePolicy = "closed";
InaccessibleDirectories = "/home";
ReadOnlyDirectories = "/";
ReadWriteDirectories = [torDirectory torRunDirectory];
NoNewPrivileges = "yes"; NoNewPrivileges = "yes";
# tor.service.in has this in, but this line it fails to spawn a namespace when using hidden services
#CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE";
}; };
}; };