author | Joachim F <joachifm@users.noreply.github.com> | 2018-02-08 17:08:44 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-08 17:08:44 +0000 |
commit | 65e6fbf2b5c4c7b2dba0d02369f65870496b7197 (patch) | |
tree | 1484f11b94b74de285baaff1c9b3c35b29bcba6d | |
parent | 6b45dbd99c6078801dd49fd22c1f175b9fd19b31 (diff) | |
parent | 355de06fe474e5a25a4daca72c55681a0b7c6e83 (diff) | |
Merge pull request #34690 from dotlambda/tor
nixos/tor: add hiddenServices.<name>.authorizeClient
-rw-r--r-- | lib/types.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/security/tor.nix | 30 |
2 files changed, 34 insertions, 0 deletions
diff --git a/lib/types.nix b/lib/types.nix
index 88fc90d0597..a334db5c724 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -256,6 +256,10 @@ rec {
 functor = (defaultFunctor name) // { wrapped = elemType; };
 };
+ nonEmptyListOf = elemType:
+ let list = addCheck (types.listOf elemType) (l: l != []);
+ in list // { description = "non-empty " + list.description; };
+
 attrsOf = elemType: mkOptionType rec {
 name = "attrsOf";
 description = "attribute set of ${elemType.description}s";
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index fa4aeb22ae9..fed91756e76 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -88,6 +88,9 @@ let
 ${flip concatMapStrings v.map (p: ''
 HiddenServicePort ${toString p.port} ${p.destination}
 '')}
+ ${optionalString (v.authorizeClient != null) ''
+ HiddenServiceAuthorizeClient ${v.authorizeClient.authType} ${concatStringsSep "," v.authorizeClient.clientNames}
+ ''}
 '')) + cfg.extraConfig;
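Review bot: `nonEmptyListOf` is added to `lib/types.nix` without a matching entry in the NixOS manual's list of option types; the diffstat shows only `lib/types.nix` and `tor.nix` changed, so module authors would have no documentation for the new type. A one-line entry saying it is `listOf elemType` with an additional check that rejects the empty list (`addCheck … (l: l != [])`) would be enough. The `rec { … }` attribute set that the hunk sits in begins and ends outside the hunk.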
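Review bot: The new `HiddenServiceAuthorizeClient` line splices `v.authorizeClient.clientNames` into torrc verbatim, so the only protection against a malformed name breaking or extending the generated torrc is the `strMatching` check on the option type defined in the other hunk; a comment here such as `# clientNames is validated by strMatching on the option type; do not relax that pattern without escaping here` would make that dependency explicit. Separately, as far as I recall Tor's manual, this directive is only valid for version-2 onion services and Tor refuses to start when it is combined with a v3 service, which could only happen here through `extraConfig` as far as this diff shows; a sentence to that effect in the option description would save users a confusing failure. The enclosing string expression (the one ending in `'')) + cfg.extraConfig;`) begins outside the hunk.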
@@ -619,6 +622,33 @@ in
 }));
 };
+ authorizeClient = mkOption {
+ default = null;
+ description = "If configured, the hidden service is accessible for authorized clients only.";
+ type = types.nullOr (types.submodule ({config, ...}: {
+
+ options = {
+
+ authType = mkOption {
+ type = types.enum [ "basic" "stealth" ];
+ description = ''
+ Either <literal>"basic"</literal> for a general-purpose authorization protocol
+ or <literal>"stealth"</literal> for a less scalable protocol
+ that also hides service activity from unauthorized clients.
+ '';
+ };
+
+ clientNames = mkOption {
+ type = types.nonEmptyListOf (types.strMatching "[A-Za-z0-9+-_]+");
+ description = ''
+ Only clients that are listed here are authorized to access the hidden service.
+ Generated authorization data can be found in <filename>${torDirectory}/onion/$name/hostname</filename>.
+ Clients need to put this authorization data in their configuration file using <literal>HidServAuth</literal>.
+ '';
+ };
+ };
+ }));
+ };
 };
 config = { |
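Review bot: The pattern `[A-Za-z0-9+-_]+` on `clientNames` does not mean "alphanumerics plus `+`, `-` and `_`": inside a bracket expression `+-_` is a range from `+` (0x2B) to `_` (0x5F), which also admits `,`, `.`, `/`, `:`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]` and `^`. Because the torrc generator in the other hunk joins the names with `concatStringsSep ","`, a name containing a comma silently becomes two client names, and the other admitted characters are ones Tor itself rejects, so the error surfaces at service start instead of at evaluation time. Placing the hyphen last makes it literal: `type = types.nonEmptyListOf (types.strMatching "[A-Za-z0-9+_-]+");`. In the description, `$name` inside a `''` string is a literal dollar sign, so the rendered path reads `…/onion/$name/hostname`; presumably `<name>` was intended to match the `hiddenServices.<name>` option path, and `accessible for authorized clients only` reads better as `accessible to authorized clients only`.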