Merge pull request #97740 from ju1m/tor
nixos/tor: improve type-checking and hardening
This commit is contained in:
commit
a14ea3aecc
@ -286,6 +286,16 @@
|
|||||||
<xref linkend="opt-services.privoxy.enableTor" /> = true;
|
<xref linkend="opt-services.privoxy.enableTor" /> = true;
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The <literal>services.tor</literal> module has a new exhaustively typed <xref linkend="opt-services.tor.settings" /> option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible.
|
||||||
|
The corresponding systemd service has been hardened,
|
||||||
|
but there is a chance that the service still requires more permissions,
|
||||||
|
so please report any related trouble on the bugtracker.
|
||||||
|
Onion services v3 are now supported in <xref linkend="opt-services.tor.relay.onionServices" />.
|
||||||
|
A new <xref linkend="opt-services.tor.openFirewall" /> option as been introduced for allowing connections on all the TCP ports configured.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The options <literal>services.slurm.dbdserver.storagePass</literal>
|
The options <literal>services.slurm.dbdserver.storagePass</literal>
|
||||||
|
@ -16,7 +16,7 @@ let
|
|||||||
${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles}
|
${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles}
|
||||||
${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles}
|
${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles}
|
||||||
'' + optionalString cfg.enableTor ''
|
'' + optionalString cfg.enableTor ''
|
||||||
forward-socks4a / ${config.services.tor.client.socksListenAddressFaster} .
|
forward-socks5t / 127.0.0.1:9063 .
|
||||||
toggle 1
|
toggle 1
|
||||||
enable-remote-toggle 0
|
enable-remote-toggle 0
|
||||||
enable-edit-actions 0
|
enable-edit-actions 0
|
||||||
@ -123,6 +123,11 @@ in
|
|||||||
serviceConfig.ProtectSystem = "full";
|
serviceConfig.ProtectSystem = "full";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.tor.settings.SOCKSPort = mkIf cfg.enableTor [
|
||||||
|
# Route HTTP traffic over a faster port (without IsolateDestAddr).
|
||||||
|
{ addr = "127.0.0.1"; port = 9063; IsolateDestAddr = false; }
|
||||||
|
];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
|
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
|
||||||
|
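Review bot: The SOCKS endpoint is now hard-coded twice, as `forward-socks5t / 127.0.0.1:9063 .` in the privoxy config and again as `{ addr = "127.0.0.1"; port = 9063; ... }` in the added `services.tor.settings.SOCKSPort` entry, where the old code read it from a single tor option; a let-bound value such as `torSocks = { addr = "127.0.0.1"; port = 9063; };` interpolated into both places would keep them from drifting apart. The new comment should also spell out the trade-off it makes rather than only the speed gain: with `IsolateDestAddr = false` streams to different destinations may share a circuit, so this port should not be reused by anything that relies on per-destination isolation. Suggested wording: `# Route HTTP traffic over a faster port: IsolateDestAddr is disabled here, so streams to different hosts may share a circuit; do not reuse this port where per-destination isolation matters.` The enclosing module body continues outside the hunk.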
@ -17,7 +17,7 @@ rec {
|
|||||||
environment.systemPackages = with pkgs; [ netcat ];
|
environment.systemPackages = with pkgs; [ netcat ];
|
||||||
services.tor.enable = true;
|
services.tor.enable = true;
|
||||||
services.tor.client.enable = true;
|
services.tor.client.enable = true;
|
||||||
services.tor.controlPort = 9051;
|
services.tor.settings.ControlPort = 9051;
|
||||||
};
|
};
|
||||||
|
|
||||||
testScript = ''
|
testScript = ''
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
{ stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
|
{ stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
|
||||||
, libseccomp, systemd, libcap, lzma, zstd, scrypt, nixosTests
|
, libseccomp, systemd, libcap, lzma, zstd, scrypt, nixosTests
|
||||||
|
, writeShellScript
|
||||||
|
|
||||||
# for update.nix
|
# for update.nix
|
||||||
, writeScript
|
, writeScript
|
||||||
@ -12,7 +13,21 @@
|
|||||||
, gnused
|
, gnused
|
||||||
, nix
|
, nix
|
||||||
}:
|
}:
|
||||||
|
let
|
||||||
|
tor-client-auth-gen = writeShellScript "tor-client-auth-gen" ''
|
||||||
|
PATH="${stdenv.lib.makeBinPath [coreutils gnugrep openssl]}"
|
||||||
|
pem="$(openssl genpkey -algorithm x25519)"
|
||||||
|
|
||||||
|
printf private_key=descriptor:x25519:
|
||||||
|
echo "$pem" | grep -v " PRIVATE KEY" |
|
||||||
|
base64 -d | tail --bytes=32 | base32 | tr -d =
|
||||||
|
|
||||||
|
printf public_key=descriptor:x25519:
|
||||||
|
echo "$pem" | openssl pkey -in /dev/stdin -pubout |
|
||||||
|
grep -v " PUBLIC KEY" |
|
||||||
|
base64 -d | tail --bytes=32 | base32 | tr -d =
|
||||||
|
'';
|
||||||
|
in
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
pname = "tor";
|
pname = "tor";
|
||||||
version = "0.4.4.6";
|
version = "0.4.4.6";
|
||||||
@ -52,6 +67,7 @@ stdenv.mkDerivation rec {
|
|||||||
mkdir -p $geoip/share/tor
|
mkdir -p $geoip/share/tor
|
||||||
mv $out/share/tor/geoip{,6} $geoip/share/tor
|
mv $out/share/tor/geoip{,6} $geoip/share/tor
|
||||||
rm -rf $out/share/tor
|
rm -rf $out/share/tor
|
||||||
|
ln -s ${tor-client-auth-gen} $out/bin/tor-client-auth-gen
|
||||||
'';
|
'';
|
||||||
|
|
||||||
passthru = {
|
passthru = {
|
||||||
|
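Review bot: The `tor-client-auth-gen` script has no strict mode, so a failing `openssl genpkey` (for example an openssl without x25519 support) leaves `pem` empty and the script still exits 0 after printing `private_key=descriptor:x25519:` and `public_key=descriptor:x25519:` with empty key material, because each pipeline's status is that of the final `tr`. Adding `set -euo pipefail` as the first line of the script body turns that into a hard failure instead of silently emitting unusable credentials. The extraction also depends on the raw 32-byte key sitting at the end of the DER encoding of the PKCS#8 private key and of the SubjectPublicKeyInfo, which is worth a comment such as `# The raw 32-byte x25519 key is the trailing part of the DER encoding; base32 without padding is the descriptor format tor expects.` so the `tail --bytes=32 | base32 | tr -d =` chain is not mistaken for an arbitrary transformation. `coreutils` and `gnugrep` are used in `makeBinPath` but do not appear in the visible argument list; they are presumably bound in the lines between the two hunks, which is worth confirming.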