[Nix-dev] Re: Patches for a NixOS Tor service
roconnor at theorem.ca
Thu May 13 16:01:21 CEST 2010
Here are the amended patches. I've incorporated most of your
suggestions; however...
On Mon, 3 May 2010, Ludovic Courtès wrote:
> + config = mkOption {
> + default = "";
> + description = ''
> + Extra configuration. Contents will be added verbatim to the configuration file.
> + '';
>
> This kind of option should really be a last resort IMO. Are the most
> common options covered by the rest of this file?
There are many many options. The only real useful option I have given is
the ability to change the port, which is by far the most useful option
IMHO. The other options I've given are the options I needed to change
from default and they are less important.
I'll make you a deal though, you add all the options to Cups and I'll add
all the options to Tor. ;)
> Besides, it would be ideal if you could write a test case for this
> module.
I have no idea how to do this. Is there a description of the process on
the wiki? If not, could you add one?
--
Russell O'Connor <http://r6.ca/>
``All talk about `theft,''' the general counsel of the American Graphophone
Company wrote, ``is the merest claptrap, for there exists no property in
ideas musical, literary or artistic, except as defined by statute.''
Index: pkgs/tools/security/tor/default.nix
===================================================================
--- pkgs/tools/security/tor/default.nix (revision 0)
+++ pkgs/tools/security/tor/default.nix (revision 0)
@@ -0,0 +1,30 @@
+{stdenv, fetchurl, libevent, openssl, zlib}:
+
+stdenv.mkDerivation {
+ name = "tor-0.2.1.25";
+
+ src = fetchurl {
+ url = "http://www.torproject.org/dist/tor-0.2.1.25.tar.gz";
+ sha256 = "17hpnvlqimblgprx6qwv8akqy5ric08m0265rl4zm1jnxa4v8n47";
+ };
+
+ buildInputs = [libevent openssl zlib];
+
+ doCheck = true;
+
+ meta = {
+ homepage = http://www.torproject.org/;
+ description = "Tor is an onion router enabling Internet anonymity by thwarting network traffic analysis";
+ longDescription=''
+ Tor protects you by bouncing your communications around a distributed
+ network of relays run by volunteers all around the world: it prevents
+ somebody watching your Internet connection from learning what sites you
+ visit, and it prevents the sites you visit from learning your physical
+ location. Tor works with many of your existing applications, including
+ web browsers, instant messaging clients, remote login, and other
+ applications based on the TCP protocol.
+ '';
+ license="bsd";
+ };
+
+}
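Review bot: the tarball is fetched over plain http, which is acceptable only because the sha256 in `src` pins the exact contents; the patch should say where that hash was checked against (the upstream release signature) so a reviewer can confirm it rather than trust the first download. Style: `longDescription=''` and `license="bsd";` drop the spaces around `=` that the rest of the derivation uses.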
Index: pkgs/top-level/all-packages.nix
===================================================================
--- pkgs/top-level/all-packages.nix (revision 21586)
+++ pkgs/top-level/all-packages.nix (working copy)
@@ -1690,6 +1690,10 @@
inherit (xlibs) libX11 libXext;
};
+ tor = import ../tools/security/tor {
+ inherit fetchurl stdenv libevent openssl zlib;
+ };
+
ttf2pt1 = import ../tools/misc/ttf2pt1 {
inherit fetchurl stdenv perl freetype;
};
Index: modules/services/security/tor.nix
===================================================================
--- modules/services/security/tor.nix (revision 0)
+++ modules/services/security/tor.nix (revision 0)
@@ -0,0 +1,174 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+ inherit (pkgs) tor privoxy;
+
+ stateDir = "/var/lib/tor";
+ privoxyDir = stateDir+"/privoxy";
+
+ modprobe = config.system.sbin.modprobe;
+
+ torUser = "tor";
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.tor = {
+
+ enable = mkOption {
+ default = false;
+ description = ''
+ Whether to enable the Tor anonymous routing daemon.
+ '';
+ };
+
+ socksListenAddress = mkOption {
+ default = "127.0.0.1:9050";
+ example = "192.168.0.1";
+ description = ''
+ Bind to this address to listen for connections from Socks-speaking
+ applications. You can also specify a port.
+ '';
+ };
+
+ config = mkOption {
+ default = "";
+ description = ''
+ Extra configuration. Contents will be added verbatim to the
+ configuration file.
+ '';
+ };
+
+ enablePrivoxy = mkOption {
+ default = true;
+ description = ''
+ Whether to enable a special instance of privoxy dedicated to Tor.
+ To have anonymity, protocols need to be scrubbed of identifying
+ information.
+ Most people using Tor want to anonymize their web traffic, so by
+ default we enable an special instance of privoxy specifically for
+ Tor.
+ However, if you are only going to use Tor only as a relay then you
+ can disable this option.
+ '';
+ };
+
+ privoxyListenAddress = mkOption {
+ default = "127.0.0.1:8118";
+ description = ''
+ Address that Tor's instance of privoxy is listening to.
+ *This does not configure the standard NixOS instance of privoxy.*
+ This is for Tor connections only!
+ See services.privoxy.listenAddress to configure the standard NixOS
+ instace of privoxy.
+ '';
+ };
+
+ privoxyConfig = mkOption {
+ default = "";
+ description = ''
+ Extra configuration for Tor's instance of privoxy. Contents will be
+ added verbatim to the configuration file.
+ *This does not configure the standard NixOS instance of privoxy.*
+ This is for Tor connections only!
+ See services.privoxy.extraConfig to configure the standard NixOS
+ instace of privoxy.
+ '';
+ };
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf config.services.tor.enable {
+ environment.systemPackages = [ tor ]; # provides tor-resolve and torify
+
+ users.extraUsers = singleton
+ { name = torUser;
+ uid = config.ids.uids.tor;
+ description = "Tor daemon user";
+ home = stateDir;
+ };
+
+ jobs.tor =
+ { name = "Tor";
+
+ startOn = "started network-interfaces";
+ stopOn = "stopping network-interfaces";
+
+ preStart =
+ ''
+ mkdir -m 0755 -p ${stateDir}
+ chown ${torUser} ${stateDir}
+ '';
+ exec = "${tor}/bin/tor -f ${pkgs.writeText "torrc" config.services.tor.config}";
+ };
+
+ jobs.torPrivoxy = mkIf config.services.tor.enablePrivoxy
+ { name = "Tor-privoxy";
+
+ startOn = "starting Tor";
+ stopOn = "stopping Tor";
+
+ preStart =
+ ''
+ mkdir -m 0755 -p ${privoxyDir}
+ chown ${torUser} ${privoxyDir}
+
+ # Needed to run privoxy as an unprivileged user?
+ ${modprobe}/sbin/modprobe capability || true
+ '';
+ exec = "${privoxy}/sbin/privoxy --no-daemon --user ${torUser} ${pkgs.writeText "torPrivoxy.conf" config.services.tor.privoxyConfig}";
+ };
+
+ services.tor.config = ''
+ DataDirectory ${stateDir}
+ User ${torUser}
+ SocksListenAddress ${config.services.tor.socksListenAddress}
+
+ # Extra configurations go here
+ '';
+
+ services.tor.privoxyConfig = ''
+ # Generally, this file goes in /etc/privoxy/config
+ #
+ # Tor listens as a SOCKS4a proxy here:
+ forward-socks4a / ${config.services.tor.socksListenAddress} .
+ confdir ${privoxy}/etc
+ logdir ${privoxyDir}
+ # actionsfile standard # Internal purpose, recommended
+ actionsfile default.action # Main actions file
+ actionsfile user.action # User customizations
+ filterfile default.filter
+
+ # Don't log interesting things, only startup messages, warnings and errors
+ logfile logfile
+ #jarfile jarfile
+ #debug 0 # show each GET/POST/CONNECT request
+ debug 4096 # Startup banner and warnings
+ debug 8192 # Errors - *we highly recommended enabling this*
+
+ user-manual ${privoxy}/doc/privoxy/user-manual
+ listen-address ${config.services.tor.privoxyListenAddress}
+ toggle 1
+ enable-remote-toggle 0
+ enable-edit-actions 0
+ enable-remote-http-toggle 0
+ buffer-limit 4096
+
+ # Extra config goes here
+ '';
+
+ };
+
+}
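Review bot: the `socksListenAddress` option is consumed in two places that disagree about what a port-less value means. Tor's `SocksListenAddress` fills in its default port when only an address is given, but the same string is passed verbatim to Privoxy in `forward-socks4a / ${config.services.tor.socksListenAddress} .`, and Privoxy has no way of knowing Tor's default, so the documented "You can also specify a port" form silently breaks forwarding; either require `addr:port` in the description and validate it, or split the option into an address and a port. In the same option, `example = "192.168.0.1"` shows a non-loopback bind, which exposes an unauthenticated SOCKS entry point to the whole network segment; a loopback example such as `"127.0.0.1:9100"` illustrates the port change without suggesting that. In `preStart`, `mkdir -m 0755 -p ${stateDir}` creates the `DataDirectory` world-readable even though Tor keeps its private keys there and expects the directory to be private; use `-m 0700`. Finally, `config` is both the user-facing option and a value the module itself sets, so the user's text is merged into the module's string with no stated order, and the comment `# Extra configurations go here` cannot promise it lands last; an `extraConfig` option appended explicitly when the torrc is built (and the same for `privoxyConfig`) would make the result deterministic and the descriptions accurate. Minor: the `modprobe capability || true` line is guarded by a question in its own comment; resolve whether it is needed, because `|| true` hides a failure either way.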
Index: modules/misc/ids.nix
===================================================================
--- modules/misc/ids.nix (revision 21586)
+++ modules/misc/ids.nix (working copy)
@@ -53,6 +53,7 @@
davfs2 = 31;
privoxy = 32;
osgi = 34;
+ tor = 35;
# When adding a uid, make sure it doesn't match an existing gid.
nixbld = 30000; # start of range of uids
Index: modules/module-list.nix
===================================================================
--- modules/module-list.nix (revision 21586)
+++ modules/module-list.nix (working copy)
@@ -103,6 +103,7 @@
./services/scheduling/atd.nix
./services/scheduling/cron.nix
./services/scheduling/fcron.nix
+ ./services/security/tor.nix
./services/system/dbus.nix
./services/system/nscd.nix
./services/system/uptimed.nix