[Nix-dev] Re: Patches for a NixOS Tor service
Lluís Batlle i Rossell
viriketo at gmail.com
Sun May 16 19:11:55 CEST 2010
Thank you!
I committed it, without caring much about the details due to a sudden need of
testing tor - it worked well. :)
On Thu, May 13, 2010 at 10:01:21AM -0400, roconnor at theorem.ca wrote:
> Here are the amended patches. I've incorporated most of your
> suggestions; however...
>
> On Mon, 3 May 2010, Ludovic Courtès wrote:
>
> >+ config = mkOption {
> >+ default = "";
> >+ description = ''
> >+ Extra configuration. Contents will be added verbatim to the configuration file.
> >+ '';
> >
> >This kind of option should really be a last resort IMO. Are the most
> >common options covered by the rest of this file?
>
> There are many many options. The only real useful option I have
> given is the ability to change the port, which is by far the most
> useful option IMHO. The other options I've given are the options I
> needed to change from default and they are less important.
>
> I'll make you a deal though, you add all the options to Cups and
> I'll add all the options to Tor. ;)
>
> >Besides, it would be ideal if you could write a test case for this
> >module.
>
> I have no idea how to do this. Is there a description of the
> process on the wiki? If not, could you add one?
>
> --
> Russell O'Connor <http://r6.ca/>
> ``All talk about `theft,''' the general counsel of the American Graphophone
> Company wrote, ``is the merest claptrap, for there exists no property in
> ideas musical, literary or artistic, except as defined by statute.''
> Index: pkgs/tools/security/tor/default.nix
> ===================================================================
> --- pkgs/tools/security/tor/default.nix (revision 0)
> +++ pkgs/tools/security/tor/default.nix (revision 0)
> @@ -0,0 +1,30 @@
> +{stdenv, fetchurl, libevent, openssl, zlib}:
> +
> +stdenv.mkDerivation {
> + name = "tor-0.2.1.25";
> +
> + src = fetchurl {
> + url = "http://www.torproject.org/dist/tor-0.2.1.25.tar.gz";
> + sha256 = "17hpnvlqimblgprx6qwv8akqy5ric08m0265rl4zm1jnxa4v8n47";
> + };
> +
> + buildInputs = [libevent openssl zlib];
> +
> + doCheck = true;
> +
> + meta = {
> + homepage = http://www.torproject.org/;
> + description = "Tor is an onion router enabling Internet anonymity by thwarting network traffic analysis";
> + longDescription=''
> + Tor protects you by bouncing your communications around a distributed
> + network of relays run by volunteers all around the world: it prevents
> + somebody watching your Internet connection from learning what sites you
> + visit, and it prevents the sites you visit from learning your physical
> + location. Tor works with many of your existing applications, including
> + web browsers, instant messaging clients, remote login, and other
> + applications based on the TCP protocol.
> + '';
> + license="bsd";
> + };
> +
> +}
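Review bot: the spacing around `=` is inconsistent inside the `meta` block: `longDescription=''` and `license="bsd";` sit next to `name = "tor-0.2.1.25";` and `doCheck = true;`, so please write `longDescription = ''` and `license = "bsd";` for consistency. On the fetch itself, the tarball URL is plain HTTP, but the fixed `sha256` in `fetchurl` means a tampered or truncated download is rejected at build time rather than used silently, which is the property wanted from a fixed-output derivation; the hunk does not verify the upstream release signature, so the pinned hash is only as trustworthy as the download it was originally computed from, and it is worth stating in the commit how that hash was obtained.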
> Index: pkgs/top-level/all-packages.nix
> ===================================================================
> --- pkgs/top-level/all-packages.nix (revision 21586)
> +++ pkgs/top-level/all-packages.nix (working copy)
> @@ -1690,6 +1690,10 @@
> inherit (xlibs) libX11 libXext;
> };
>
> + tor = import ../tools/security/tor {
> + inherit fetchurl stdenv libevent openssl zlib;
> + };
> +
> ttf2pt1 = import ../tools/misc/ttf2pt1 {
> inherit fetchurl stdenv perl freetype;
> };
> Index: modules/services/security/tor.nix
> ===================================================================
> --- modules/services/security/tor.nix (revision 0)
> +++ modules/services/security/tor.nix (revision 0)
> @@ -0,0 +1,174 @@
> +{ config, pkgs, ... }:
> +
> +with pkgs.lib;
> +
> +let
> +
> + inherit (pkgs) tor privoxy;
> +
> + stateDir = "/var/lib/tor";
> + privoxyDir = stateDir+"/privoxy";
> +
> + modprobe = config.system.sbin.modprobe;
> +
> + torUser = "tor";
> +
> +in
> +
> +{
> +
> + ###### interface
> +
> + options = {
> +
> + services.tor = {
> +
> + enable = mkOption {
> + default = false;
> + description = ''
> + Whether to enable the Tor anonymous routing daemon.
> + '';
> + };
> +
> + socksListenAddress = mkOption {
> + default = "127.0.0.1:9050";
> + example = "192.168.0.1";
> + description = ''
> + Bind to this address to listen for connections from Socks-speaking
> + applications. You can also specify a port.
> + '';
> + };
> +
> + config = mkOption {
> + default = "";
> + description = ''
> + Extra configuration. Contents will be added verbatim to the
> + configuration file.
> + '';
> + };
> +
> + enablePrivoxy = mkOption {
> + default = true;
> + description = ''
> + Whether to enable a special instance of privoxy dedicated to Tor.
> + To have anonymity, protocols need to be scrubbed of identifying
> + information.
> + Most people using Tor want to anonymize their web traffic, so by
> + default we enable an special instance of privoxy specifically for
> + Tor.
> + However, if you are only going to use Tor only as a relay then you
> + can disable this option.
> + '';
> + };
> +
> + privoxyListenAddress = mkOption {
> + default = "127.0.0.1:8118";
> + description = ''
> + Address that Tor's instance of privoxy is listening to.
> + *This does not configure the standard NixOS instance of privoxy.*
> + This is for Tor connections only!
> + See services.privoxy.listenAddress to configure the standard NixOS
> + instace of privoxy.
> + '';
> + };
> +
> + privoxyConfig = mkOption {
> + default = "";
> + description = ''
> + Extra configuration for Tor's instance of privoxy. Contents will be
> + added verbatim to the configuration file.
> + *This does not configure the standard NixOS instance of privoxy.*
> + This is for Tor connections only!
> + See services.privoxy.extraConfig to configure the standard NixOS
> + instace of privoxy.
> + '';
> + };
> + };
> +
> + };
> +
> +
> + ###### implementation
> +
> + config = mkIf config.services.tor.enable {
> + environment.systemPackages = [ tor ]; # provides tor-resolve and torify
> +
> + users.extraUsers = singleton
> + { name = torUser;
> + uid = config.ids.uids.tor;
> + description = "Tor daemon user";
> + home = stateDir;
> + };
> +
> + jobs.tor =
> + { name = "Tor";
> +
> + startOn = "started network-interfaces";
> + stopOn = "stopping network-interfaces";
> +
> + preStart =
> + ''
> + mkdir -m 0755 -p ${stateDir}
> + chown ${torUser} ${stateDir}
> + '';
> + exec = "${tor}/bin/tor -f ${pkgs.writeText "torrc" config.services.tor.config}";
> + };
> +
> + jobs.torPrivoxy = mkIf config.services.tor.enablePrivoxy
> + { name = "Tor-privoxy";
> +
> + startOn = "starting Tor";
> + stopOn = "stopping Tor";
> +
> + preStart =
> + ''
> + mkdir -m 0755 -p ${privoxyDir}
> + chown ${torUser} ${privoxyDir}
> +
> + # Needed to run privoxy as an unprivileged user?
> + ${modprobe}/sbin/modprobe capability || true
> + '';
> + exec = "${privoxy}/sbin/privoxy --no-daemon --user ${torUser} ${pkgs.writeText "torPrivoxy.conf" config.services.tor.privoxyConfig}";
> + };
> +
> + services.tor.config = ''
> + DataDirectory ${stateDir}
> + User ${torUser}
> + SocksListenAddress ${config.services.tor.socksListenAddress}
> +
> + # Extra configurations go here
> + '';
> +
> + services.tor.privoxyConfig = ''
> + # Generally, this file goes in /etc/privoxy/config
> + #
> + # Tor listens as a SOCKS4a proxy here:
> + forward-socks4a / ${config.services.tor.socksListenAddress} .
> + confdir ${privoxy}/etc
> + logdir ${privoxyDir}
> + # actionsfile standard # Internal purpose, recommended
> + actionsfile default.action # Main actions file
> + actionsfile user.action # User customizations
> + filterfile default.filter
> +
> + # Don't log interesting things, only startup messages, warnings and errors
> + logfile logfile
> + #jarfile jarfile
> + #debug 0 # show each GET/POST/CONNECT request
> + debug 4096 # Startup banner and warnings
> + debug 8192 # Errors - *we highly recommended enabling this*
> +
> + user-manual ${privoxy}/doc/privoxy/user-manual
> + listen-address ${config.services.tor.privoxyListenAddress}
> + toggle 1
> + enable-remote-toggle 0
> + enable-edit-actions 0
> + enable-remote-http-toggle 0
> + buffer-limit 4096
> +
> + # Extra config goes here
> + '';
> +
> + };
> +
> +}
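Review bot: the `example = "192.168.0.1"` for `socksListenAddress` (no port) does not work with the generated privoxy config, which reuses the value verbatim in `forward-socks4a / ${config.services.tor.socksListenAddress} .`: Tor falls back to its default SocksPort when the address carries no port, but privoxy defaults to port 1080 for a SOCKS forwarder, so the two would disagree on the port. Either require a `host:port` value in the option (and say so in the description) or give a full `host:port` example. The example also points at a non-loopback address, which exposes the SOCKS listener to the whole network segment instead of the local machine; if that is an intended use, the description should say what it implies. Two smaller points: `mkdir -m 0755 -p ${stateDir}` creates the Tor `DataDirectory`, which holds the node's long-term keys, and Tor expects that directory to be private (mode 0700), so create it with `-m 0700` rather than relying on Tor to complain and tighten it; and the comment `# Needed to run privoxy as an unprivileged user?` ends in a question mark, so either confirm that `modprobe capability` is needed and document why, or drop the line.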
> Index: modules/misc/ids.nix
> ===================================================================
> --- modules/misc/ids.nix (revision 21586)
> +++ modules/misc/ids.nix (working copy)
> @@ -53,6 +53,7 @@
> davfs2 = 31;
> privoxy = 32;
> osgi = 34;
> + tor = 35;
> # When adding a uid, make sure it doesn't match an existing gid.
>
> nixbld = 30000; # start of range of uids
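Review bot: the comment directly below the added line, `# When adding a uid, make sure it doesn't match an existing gid.`, is exactly the check a reviewer cannot perform from this diff, because the gid table is not part of it; please confirm that 35 is free there, or add a matching `tor` gid, since the `users.extraUsers` entry in tor.nix assigns no group to the daemon user.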
> Index: modules/module-list.nix
> ===================================================================
> --- modules/module-list.nix (revision 21586)
> +++ modules/module-list.nix (working copy)
> @@ -103,6 +103,7 @@
> ./services/scheduling/atd.nix
> ./services/scheduling/cron.nix
> ./services/scheduling/fcron.nix
> + ./services/security/tor.nix
> ./services/system/dbus.nix
> ./services/system/nscd.nix
> ./services/system/uptimed.nix
> _______________________________________________
> nix-dev mailing list
> nix-dev at cs.uu.nl
> https://mail.cs.uu.nl/mailman/listinfo/nix-dev