nixos/tor: improve type-checking and hardening
Fixes #77395. Fixes #82790.
parent
6b342809b1
commit
0ccdd6f2b0
5 changed files with 861 additions and 566 deletions
|
@ -278,6 +278,16 @@
|
|||
<xref linkend="opt-services.privoxy.enableTor" /> = true;
|
||||
</programlisting>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>services.tor</literal> module has a new exhaustively typed <xref linkend="opt-services.tor.settings" /> option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible.
|
||||
The corresponding systemd service has been hardened,
|
||||
but there is a chance that the service still requires more permissions,
|
||||
so please report any related trouble on the bugtracker.
|
||||
Onion services v3 are now supported in <xref linkend="opt-services.tor.relay.onionServices" />.
|
||||
A new <xref linkend="opt-services.tor.openFirewall" /> option as been introduced for allowing connections on all the TCP ports configured.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The options <literal>services.slurm.dbdserver.storagePass</literal>
|
||||
|
|
|
@ -16,7 +16,7 @@ let
|
|||
${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles}
|
||||
${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles}
|
||||
'' + optionalString cfg.enableTor ''
|
||||
forward-socks4a / ${config.services.tor.client.socksListenAddressFaster} .
|
||||
forward-socks5t / 127.0.0.1:9063 .
|
||||
toggle 1
|
||||
enable-remote-toggle 0
|
||||
enable-edit-actions 0
|
||||
|
@ -123,6 +123,11 @@ in
|
|||
serviceConfig.ProtectSystem = "full";
|
||||
};
|
||||
|
||||
services.tor.settings.SOCKSPort = mkIf cfg.enableTor [
|
||||
# Route HTTP traffic over a faster port (without IsolateDestAddr).
|
||||
{ addr = "127.0.0.1"; port = 9063; IsolateDestAddr = false; }
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
|
||||
|
|
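Review bot: The loopback address and port in `{ addr = "127.0.0.1"; port = 9063; IsolateDestAddr = false; }` are also spelled out literally in the generated Privoxy config (`forward-socks5t / 127.0.0.1:9063 .` in the first hunk of this file), so the two can silently drift apart if one is edited; a single binding such as `torSocksPort = 9063;` in the module's `let` block (outside this hunk), referenced from both places, would keep them in step. Because `IsolateDestAddr = false` means every destination Privoxy forwards shares circuits on this port, the trade-off deserves to be stated in the `enableTor` option description rather than only in the inline comment, e.g. `Route all Privoxy traffic through a dedicated Tor SOCKS port without per-destination stream isolation (faster, but different destinations may be linked to the same circuit).` The `enableTor` option definition is outside this hunk.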
|
@ -17,7 +17,7 @@ rec {
|
|||
environment.systemPackages = with pkgs; [ netcat ];
|
||||
services.tor.enable = true;
|
||||
services.tor.client.enable = true;
|
||||
services.tor.controlPort = 9051;
|
||||
services.tor.settings.ControlPort = 9051;
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
{ stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
|
||||
, libseccomp, systemd, libcap, lzma, zstd, scrypt, nixosTests
|
||||
, writeShellScript
|
||||
|
||||
# for update.nix
|
||||
, writeScript
|
||||
|
@ -12,7 +13,21 @@
|
|||
, gnused
|
||||
, nix
|
||||
}:
|
||||
let
|
||||
tor-client-auth-gen = writeShellScript "tor-client-auth-gen" ''
|
||||
PATH="${stdenv.lib.makeBinPath [coreutils gnugrep openssl]}"
|
||||
pem="$(openssl genpkey -algorithm x25519)"
|
||||
|
||||
printf private_key=descriptor:x25519:
|
||||
echo "$pem" | grep -v " PRIVATE KEY" |
|
||||
base64 -d | tail --bytes=32 | base32 | tr -d =
|
||||
|
||||
printf public_key=descriptor:x25519:
|
||||
echo "$pem" | openssl pkey -in /dev/stdin -pubout |
|
||||
grep -v " PUBLIC KEY" |
|
||||
base64 -d | tail --bytes=32 | base32 | tr -d =
|
||||
'';
|
||||
in
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "tor";
|
||||
version = "0.4.4.6";
|
||||
|
@ -52,6 +67,7 @@ stdenv.mkDerivation rec {
|
|||
mkdir -p $geoip/share/tor
|
||||
mv $out/share/tor/geoip{,6} $geoip/share/tor
|
||||
rm -rf $out/share/tor
|
||||
ln -s ${tor-client-auth-gen} $out/bin/tor-client-auth-gen
|
||||
'';
|
||||
|
||||
passthru = {
|
||||
|
|
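Review bot: `tor-client-auth-gen` has no `set -euo pipefail`, so if `openssl genpkey` fails or any stage of the two pipelines (`grep`, `base64 -d`, `tail`, `base32`) errors, the script still exits 0 and prints `private_key=descriptor:x25519:` / `public_key=descriptor:x25519:` followed by an empty or truncated key, which a user may paste into a ClientOnionAuthDir file without noticing. Adding `set -euo pipefail` directly after the `PATH=` line makes such a failure abort with a non-zero status instead of emitting a key line that looks valid. The extraction also relies on the raw 32-byte key being the trailing bytes of OpenSSL's DER output; a comment such as `# OpenSSL's PKCS#8 / SubjectPublicKeyInfo DER for X25519 ends with the 32 raw key bytes, so tail -c 32 isolates them` would make that assumption explicit for the next maintainer.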