Merge pull request #97740 from ju1m/tor

nixos/tor: improve type-checking and hardening
Jörg Thalheim 2021-01-05 16:00:40 +00:00 committed by GitHub
commit a14ea3aecc
5 changed files with 861 additions and 566 deletions


@ -286,6 +286,16 @@
<xref linkend="opt-services.privoxy.enableTor" /> = true; <xref linkend="opt-services.privoxy.enableTor" /> = true;
</programlisting> </programlisting>
</listitem> </listitem>
<listitem>
<para>
The <literal>services.tor</literal> module has a new exhaustively typed <xref linkend="opt-services.tor.settings" /> option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible.
The corresponding systemd service has been hardened,
but there is a chance that the service still requires more permissions,
so please report any related trouble on the bugtracker.
Onion services v3 are now supported in <xref linkend="opt-services.tor.relay.onionServices" />.
A new <xref linkend="opt-services.tor.openFirewall" /> option as been introduced for allowing connections on all the TCP ports configured.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The options <literal>services.slurm.dbdserver.storagePass</literal> The options <literal>services.slurm.dbdserver.storagePass</literal>


@ -16,7 +16,7 @@ let
${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles} ${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles}
${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles} ${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles}
'' + optionalString cfg.enableTor '' '' + optionalString cfg.enableTor ''
forward-socks4a / ${config.services.tor.client.socksListenAddressFaster} . forward-socks5t / 127.0.0.1:9063 .
toggle 1 toggle 1
enable-remote-toggle 0 enable-remote-toggle 0
enable-edit-actions 0 enable-edit-actions 0
@ -123,6 +123,11 @@ in
serviceConfig.ProtectSystem = "full"; serviceConfig.ProtectSystem = "full";
}; };
services.tor.settings.SOCKSPort = mkIf cfg.enableTor [
# Route HTTP traffic over a faster port (without IsolateDestAddr).
{ addr = "127.0.0.1"; port = 9063; IsolateDestAddr = false; }
];
}; };
meta.maintainers = with lib.maintainers; [ rnhmjoj ]; meta.maintainers = with lib.maintainers; [ rnhmjoj ];
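Review bot: The Tor SOCKS address is duplicated between the first hunk (`forward-socks5t / 127.0.0.1:9063 .`) and the new `services.tor.settings.SOCKSPort` entry (`{ addr = "127.0.0.1"; port = 9063; IsolateDestAddr = false; }`), so changing one silently breaks the other; a single `let` binding such as `torSocks = { addr = "127.0.0.1"; port = 9063; };` used by both keeps them in step. The comment on the new entry should also say what the speed gain costs, e.g. `# IsolateDestAddr = false lets streams to different destinations share a circuit: faster, but weaker isolation than the default SOCKSPort, and it applies to any local process that connects to 127.0.0.1:9063, not only privoxy.` The enclosing `config` attribute set starts outside the hunk.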



@ -17,7 +17,7 @@ rec {
environment.systemPackages = with pkgs; [ netcat ]; environment.systemPackages = with pkgs; [ netcat ];
services.tor.enable = true; services.tor.enable = true;
services.tor.client.enable = true; services.tor.client.enable = true;
services.tor.controlPort = 9051; services.tor.settings.ControlPort = 9051;
}; };
testScript = '' testScript = ''


@ -1,5 +1,6 @@
{ stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks { stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
, libseccomp, systemd, libcap, lzma, zstd, scrypt, nixosTests , libseccomp, systemd, libcap, lzma, zstd, scrypt, nixosTests
, writeShellScript
# for update.nix # for update.nix
, writeScript , writeScript
@ -12,7 +13,21 @@
, gnused , gnused
, nix , nix
}: }:
let
tor-client-auth-gen = writeShellScript "tor-client-auth-gen" ''
PATH="${stdenv.lib.makeBinPath [coreutils gnugrep openssl]}"
pem="$(openssl genpkey -algorithm x25519)"
printf private_key=descriptor:x25519:
echo "$pem" | grep -v " PRIVATE KEY" |
base64 -d | tail --bytes=32 | base32 | tr -d =
printf public_key=descriptor:x25519:
echo "$pem" | openssl pkey -in /dev/stdin -pubout |
grep -v " PUBLIC KEY" |
base64 -d | tail --bytes=32 | base32 | tr -d =
'';
in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "tor"; pname = "tor";
version = "0.4.4.6"; version = "0.4.4.6";
@ -52,6 +67,7 @@ stdenv.mkDerivation rec {
mkdir -p $geoip/share/tor mkdir -p $geoip/share/tor
mv $out/share/tor/geoip{,6} $geoip/share/tor mv $out/share/tor/geoip{,6} $geoip/share/tor
rm -rf $out/share/tor rm -rf $out/share/tor
ln -s ${tor-client-auth-gen} $out/bin/tor-client-auth-gen
''; '';
passthru = { passthru = {
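Review bot: The `tor-client-auth-gen` script in the second hunk has no `set -euo pipefail`, so if `openssl genpkey` or `openssl pkey -pubout` fails, `pem` is empty, the script still prints `private_key=descriptor:x25519:` followed by nothing, and exits 0 from the final `tr`; adding `set -euo pipefail` as the first line of the script makes a failed key generation visible to the caller instead of producing a malformed client-auth line. The `base64 -d | tail --bytes=32` slices depend on the raw 32-byte key being the last field of OpenSSL's DER encoding of the X25519 private and public keys, which deserves a comment such as `# strip the PEM armour; the raw 32-byte key is the tail of the PKCS#8 / SPKI DER`. The `PATH` line references `coreutils` and `gnugrep`, which are not among the function arguments visible in the first hunk; if they are not declared in the lines between the two hunks the expression will not evaluate, so worth confirming. Since the private key is written to stdout together with the public key, the package or module documentation should tell users to redirect the output straight into the client's auth file rather than a terminal or shell history.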