367 lines
12 KiB
Nix
367 lines
12 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services.tor;
|
|
torDirectory = "/var/lib/tor";
|
|
|
|
opt = name: value: optionalString (value != null) "${name} ${value}";
|
|
optint = name: value: optionalString (value != 0) "${name} ${toString value}";
|
|
|
|
torRc = ''
|
|
User tor
|
|
DataDirectory ${torDirectory}
|
|
|
|
${optint "ControlPort" cfg.controlPort}
|
|
''
|
|
# Client connection config
|
|
+ optionalString cfg.client.enable ''
|
|
SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
|
|
SOCKSPort ${cfg.client.socksListenAddressFaster}
|
|
${opt "SocksPolicy" cfg.client.socksPolicy}
|
|
''
|
|
# Relay config
|
|
+ optionalString cfg.relay.enable ''
|
|
ORPort ${cfg.relay.portSpec}
|
|
${opt "Nickname" cfg.relay.nickname}
|
|
${opt "ContactInfo" cfg.relay.contactInfo}
|
|
|
|
${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
|
|
${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
|
|
${opt "AccountingMax" cfg.relay.accountingMax}
|
|
${opt "AccountingStart" cfg.relay.accountingStart}
|
|
|
|
${if cfg.relay.isExit then
|
|
opt "ExitPolicy" cfg.relay.exitPolicy
|
|
else
|
|
"ExitPolicy reject *:*"}
|
|
|
|
${optionalString cfg.relay.isBridge ''
|
|
BridgeRelay 1
|
|
ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed
|
|
''}
|
|
''
|
|
+ cfg.extraConfig;
|
|
|
|
torRcFile = pkgs.writeText "torrc" torRc;
|
|
in
|
|
{
|
|
options = {
|
|
services.tor = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Enable the Tor daemon. By default, the daemon is run without
|
|
relay, exit, bridge or client connectivity.
|
|
'';
|
|
};
|
|
|
|
extraConfig = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
description = ''
|
|
Extra configuration. Contents will be added verbatim to the
|
|
configuration file at the end.
|
|
'';
|
|
};
|
|
|
|
controlPort = mkOption {
|
|
type = types.int;
|
|
default = 0;
|
|
example = 9051;
|
|
description = ''
|
|
If set, Tor will accept connections on the specified port
|
|
and allow them to control the tor process.
|
|
'';
|
|
};
|
|
|
|
client = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to enable Tor daemon to route application
|
|
connections. You might want to disable this if you plan
|
|
running a dedicated Tor relay.
|
|
'';
|
|
};
|
|
|
|
socksListenAddress = mkOption {
|
|
type = types.str;
|
|
default = "127.0.0.1:9050";
|
|
example = "192.168.0.1:9100";
|
|
description = ''
|
|
Bind to this address to listen for connections from
|
|
Socks-speaking applications. Provides strong circuit
|
|
isolation, separate circuit per IP address.
|
|
'';
|
|
};
|
|
|
|
socksListenAddressFaster = mkOption {
|
|
type = types.str;
|
|
default = "127.0.0.1:9063";
|
|
example = "192.168.0.1:9101";
|
|
description = ''
|
|
Bind to this address to listen for connections from
|
|
Socks-speaking applications. Same as socksListenAddress
|
|
but uses weaker circuit isolation to provide performance
|
|
suitable for a web browser.
|
|
'';
|
|
};
|
|
|
|
socksPolicy = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "accept 192.168.0.0/16, reject *";
|
|
description = ''
|
|
Entry policies to allow/deny SOCKS requests based on IP
|
|
address. First entry that matches wins. If no SocksPolicy
|
|
is set, we accept all (and only) requests from
|
|
SocksListenAddress.
|
|
'';
|
|
};
|
|
|
|
privoxy.enable = mkOption {
|
|
default = true;
|
|
description = ''
|
|
Whether to enable and configure the system Privoxy to use Tor's
|
|
faster port, suitable for HTTP.
|
|
|
|
To have anonymity, protocols need to be scrubbed of identifying
|
|
information, and this can be accomplished for HTTP by Privoxy.
|
|
|
|
Privoxy can also be useful for KDE torification. A good setup would be:
|
|
setting SOCKS proxy to the default Tor port, providing maximum
|
|
circuit isolation where possible; and setting HTTP proxy to Privoxy
|
|
to route HTTP traffic over faster, but less isolated port.
|
|
'';
|
|
};
|
|
};
|
|
|
|
relay = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to enable relaying TOR traffic for others.
|
|
|
|
See https://www.torproject.org/docs/tor-doc-relay for details.
|
|
'';
|
|
};
|
|
|
|
isBridge = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Bridge relays (or "bridges") are Tor relays that aren't
|
|
listed in the main directory. Since there is no complete
|
|
public list of them, even if an ISP is filtering
|
|
connections to all the known Tor relays, they probably
|
|
won't be able to block all the bridges.
|
|
|
|
A bridge relay can't be an exit relay.
|
|
|
|
You need to set relay.enable to true for this option to
|
|
take effect.
|
|
|
|
The bridge is set up with an obfuscated transport proxy.
|
|
|
|
See https://www.torproject.org/bridges.html.en for more info.
|
|
'';
|
|
};
|
|
|
|
isExit = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
An exit relay allows Tor users to access regular Internet
|
|
services.
|
|
|
|
Unlike running a non-exit relay, running an exit relay may
|
|
expose you to abuse complaints. See
|
|
https://www.torproject.org/faq.html.en#ExitPolicies for
|
|
more info.
|
|
|
|
You can specify which services Tor users may access via
|
|
your exit relay using exitPolicy option.
|
|
'';
|
|
};
|
|
|
|
nickname = mkOption {
|
|
type = types.str;
|
|
default = "anonymous";
|
|
description = ''
|
|
A unique handle for your TOR relay.
|
|
'';
|
|
};
|
|
|
|
contactInfo = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "admin@relay.com";
|
|
description = ''
|
|
Contact information for the relay owner (e.g. a mail
|
|
address and GPG key ID).
|
|
'';
|
|
};
|
|
|
|
accountingMax = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "450 GBytes";
|
|
description = ''
|
|
Specify maximum bandwidth allowed during an accounting
|
|
period. This allows you to limit overall tor bandwidth
|
|
over some time period. See the
|
|
<literal>AccountingMax</literal> option by looking at the
|
|
tor manual (<literal>man tor</literal>) for more.
|
|
|
|
Note this limit applies individually to upload and
|
|
download; if you specify <literal>"500 GBytes"</literal>
|
|
here, then you may transfer up to 1 TBytes of overall
|
|
bandwidth (500 GB upload, 500 GB download).
|
|
'';
|
|
};
|
|
|
|
accountingStart = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "month 1 1:00";
|
|
description = ''
|
|
Specify length of an accounting period. This allows you to
|
|
limit overall tor bandwidth over some time period. See the
|
|
<literal>AccountingStart</literal> option by looking at
|
|
the tor manual (<literal>man tor</literal>) for more.
|
|
'';
|
|
};
|
|
|
|
bandwidthRate = mkOption {
|
|
type = types.int;
|
|
default = 0;
|
|
example = 100;
|
|
description = ''
|
|
Specify this to limit the bandwidth usage of relayed (server)
|
|
traffic. Your own traffic is still unthrottled. Units: bytes/second.
|
|
'';
|
|
};
|
|
|
|
bandwidthBurst = mkOption {
|
|
type = types.int;
|
|
default = cfg.relay.bandwidthRate;
|
|
example = 200;
|
|
description = ''
|
|
Specify this to allow bursts of the bandwidth usage of relayed (server)
|
|
traffic. The average usage will still be as specified in relayBandwidthRate.
|
|
Your own traffic is still unthrottled. Units: bytes/second.
|
|
'';
|
|
};
|
|
|
|
portSpec = mkOption {
|
|
type = types.str;
|
|
example = "143";
|
|
description = ''
|
|
What port to advertise for Tor connections. This corresponds
|
|
to the <literal>ORPort</literal> section in the Tor manual; see
|
|
<literal>man tor</literal> for more details.
|
|
|
|
At a minimum, you should just specify the port for the
|
|
relay to listen on; a common one like 143, 22, 80, or 443
|
|
to help Tor users who may have very restrictive port-based
|
|
firewalls.
|
|
'';
|
|
};
|
|
|
|
exitPolicy = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "accept *:6660-6667,reject *:*";
|
|
description = ''
|
|
A comma-separated list of exit policies. They're
|
|
considered first to last, and the first match wins. If you
|
|
want to _replace_ the default exit policy, end this with
|
|
either a reject *:* or an accept *:*. Otherwise, you're
|
|
_augmenting_ (prepending to) the default exit
|
|
policy. Leave commented to just use the default, which is
|
|
available in the man page or at
|
|
https://www.torproject.org/documentation.html
|
|
|
|
Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
|
|
for issues you might encounter if you use the default exit policy.
|
|
|
|
If certain IPs and ports are blocked externally, e.g. by
|
|
your firewall, you should update your exit policy to
|
|
reflect this -- otherwise Tor users will be told that
|
|
those destinations are down.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
assertions = singleton
|
|
{ message = "Can't be both an exit and a bridge relay at the same time";
|
|
assertion =
|
|
cfg.relay.enable -> !(cfg.relay.isBridge && cfg.relay.isExit);
|
|
};
|
|
|
|
users.extraGroups.tor.gid = config.ids.gids.tor;
|
|
users.extraUsers.tor =
|
|
{ description = "Tor Daemon User";
|
|
createHome = true;
|
|
home = torDirectory;
|
|
group = "tor";
|
|
uid = config.ids.uids.tor;
|
|
};
|
|
|
|
systemd.services.tor =
|
|
{ description = "Tor Daemon";
|
|
path = [ pkgs.tor ];
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
restartTriggers = [ torRcFile ];
|
|
|
|
# Translated from the upstream contrib/dist/tor.service.in
|
|
serviceConfig =
|
|
{ Type = "simple";
|
|
ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config";
|
|
ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0";
|
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
|
KillSignal = "SIGINT";
|
|
TimeoutSec = 30;
|
|
Restart = "on-failure";
|
|
LimitNOFILE = 32768;
|
|
|
|
# Hardening
|
|
# Note: DevicePolicy is set to 'closed', although the
|
|
# minimal permissions are really:
|
|
# DeviceAllow /dev/null rw
|
|
# DeviceAllow /dev/urandom r
|
|
# .. but we can't specify DeviceAllow multiple times. 'closed'
|
|
# is close enough.
|
|
PrivateTmp = "yes";
|
|
DevicePolicy = "closed";
|
|
InaccessibleDirectories = "/home";
|
|
ReadOnlyDirectories = "/";
|
|
ReadWriteDirectories = torDirectory;
|
|
NoNewPrivileges = "yes";
|
|
};
|
|
};
|
|
|
|
environment.systemPackages = [ pkgs.tor ];
|
|
|
|
services.privoxy = mkIf (cfg.client.enable && cfg.client.privoxy.enable) {
|
|
enable = true;
|
|
extraConfig = ''
|
|
forward-socks4a / ${cfg.client.socksListenAddressFaster} .
|
|
toggle 1
|
|
enable-remote-toggle 0
|
|
enable-edit-actions 0
|
|
enable-remote-http-toggle 0
|
|
'';
|
|
};
|
|
};
|
|
}
|