author | Jaka Hudoklin <offlinehacker@users.noreply.github.com> | 2017-12-03 21:47:11 +0100 |
committer | GitHub <noreply@github.com> | 2017-12-03 21:47:11 +0100 |
commit | bc557912a17e81449765a8e0f75135dbd2c8646b (patch) | |
tree | 5b68dd505da68ba7b43b7572161bd1983a22a444 | |
parent | 2d0ed7bef5328725f5a7c1262c7f2e2f5b91e8f9 (diff) | |
parent | 78a86c9072e28af3bc4f316e3a978030ec11ad07 (diff) | |
Merge pull request #28939 from xtruder/nixos/tor/trans_proxy
tor module: add support for transparent proxy and dns
-rw-r--r-- | nixos/modules/services/security/tor.nix | 83 |
1 files changed, 81 insertions, 2 deletions
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index bc79d9f2a59..fa4aeb22ae9 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -9,6 +9,26 @@ let
 opt = name: value: optionalString (value != null) "${name} ${value}";
 optint = name: value: optionalString (value != null && value != 0) "${name} ${toString value}";
+ isolationOptions = {
+ type = types.listOf (types.enum [
+ "IsolateClientAddr"
+ "IsolateSOCKSAuth"
+ "IsolateClientProtocol"
+ "IsolateDestPort"
+ "IsolateDestAddr"
+ ]);
+ default = [];
+ example = [
+ "IsolateClientAddr"
+ "IsolateSOCKSAuth"
+ "IsolateClientProtocol"
+ "IsolateDestPort"
+ "IsolateDestAddr"
+ ];
+ description = "Tor isolation options";
+ };
+
 torRc = ''
 User tor
 DataDirectory ${torDirectory}
@@ -20,10 +40,20 @@ let
 ${optint "ControlPort" cfg.controlPort}
 ''
 # Client connection config
- + optionalString cfg.client.enable ''
- SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
+ + optionalString cfg.client.enable ''
+ SOCKSPort ${cfg.client.socksListenAddress} ${toString cfg.client.socksIsolationOptions}
 SOCKSPort ${cfg.client.socksListenAddressFaster}
 ${opt "SocksPolicy" cfg.client.socksPolicy}
+
+ ${optionalString cfg.client.transparentProxy.enable ''
+ TransPort ${cfg.client.transparentProxy.listenAddress} ${toString cfg.client.transparentProxy.isolationOptions}
+ ''}
+
+ ${optionalString cfg.client.dns.enable ''
+ DNSPort ${cfg.client.dns.listenAddress} ${toString cfg.client.dns.isolationOptions}
+ AutomapHostsOnResolve 1
+ AutomapHostsSuffixes ${concatStringsSep "," cfg.client.dns.automapHostsSuffixes}
+ ''}
 ''
 # Relay config
 + optionalString cfg.relay.enable ''
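Review bot: `description = "Tor isolation options";` on the shared `isolationOptions` attribute set says nothing about what the flags do or what an empty list means, and the same text is reused verbatim for `socksIsolationOptions`, `transparentProxy.isolationOptions` and `dns.isolationOptions`. A reader could take `default = []` to mean "no isolation", whereas the list is only what this module appends to the port line, so Tor's own per-port behaviour still applies; something like `description = "Tor stream-isolation flags appended to this port's torrc line; an empty list adds nothing and leaves whatever Tor applies by default for that port in effect.";` would make that explicit. The `let` binding list this sits in continues outside the hunk.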
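Review bot: `AutomapHostsOnResolve 1` is emitted whenever `cfg.client.dns.enable` is set, independently of `cfg.client.transparentProxy.enable`, but the virtual addresses it hands out for `automapHostsSuffixes` names only lead anywhere when the client's traffic is redirected into the `TransPort` listener, so a resolver-only configuration answers with addresses that connect to nothing. Either gate it, e.g. `${optionalString cfg.client.transparentProxy.enable "AutomapHostsOnResolve 1"}` inside the dns block, or state the coupling in the `dns.enable` description. The new `TransPort` and `DNSPort` lines also carry no access control of their own in this module; the Tor manual describes `SocksPolicy` as limiting who may connect to the SocksPort and DNSPort, so a non-loopback `listenAddress` should be paired with an explicit `socksPolicy`, and whether that policy also covers `TransPort` should be confirmed against the Tor manual before relying on it. `torRc` is a single string expression that begins and ends outside the hunk.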
@@ -154,6 +184,55 @@ in
 '';
 };
+ socksIsolationOptions = mkOption (isolationOptions // {
+ default = ["IsolateDestAddr"];
+ });
+
+ transparentProxy = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to enable tor transaprent proxy";
+ };
+
+ listenAddress = mkOption {
+ type = types.str;
+ default = "127.0.0.1:9040";
+ example = "192.168.0.1:9040";
+ description = ''
+ Bind transparent proxy to this address.
+ '';
+ };
+
+ isolationOptions = mkOption isolationOptions;
+ };
+
+ dns = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to enable tor dns resolver";
+ };
+
+ listenAddress = mkOption {
+ type = types.str;
+ default = "127.0.0.1:9053";
+ example = "192.168.0.1:9053";
+ description = ''
+ Bind tor dns to this address.
+ '';
+ };
+
+ isolationOptions = mkOption isolationOptions;
+
+ automapHostsSuffixes = mkOption {
+ type = types.listOf types.str;
+ default = [".onion" ".exit"];
+ example = [".onion"];
+ description = "List of suffixes to use with automapHostsOnResolve";
+ };
+ };
+ privoxy.enable = mkOption { + type = types.bool; default = true; |
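Review bot: `description = "Whether to enable tor transaprent proxy";` on `transparentProxy.enable` carries a typo that ends up in the rendered option documentation; it should read `description = "Whether to enable tor transparent proxy";`. The description also leaves unsaid that enabling this only opens Tor's `TransPort` listener — nothing in this change emits firewall or redirect rules, so no traffic goes through it until the administrator adds them — and a sentence saying so would prevent a false sense of coverage. The `listenAddress` examples `192.168.0.1:9040` and `192.168.0.1:9053` show a LAN bind while both options are plain `types.str`, so their descriptions should say what restricts who can reach those ports (on the DNS side the existing `socksPolicy` option, per the Tor manual). The enclosing `client` option set starts outside the hunk.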