authorTom <tom@tom-fitzhenry.me.uk>2021-05-11 18:10:32 +1000
committerGitHub <noreply@github.com>2021-05-11 10:10:32 +0200
commit33a4c431262255f4963b18e8ca6cc79dcdaed6b4 (patch)
tree5ef30479eafd105188a4c2ba6579c1a10d2e5f4c /nixos/modules/services/security/tor.nix
parentb5227312c84e17dadbcc35eeb555151a85e795cd (diff)
nixos/tor: fix HidServAuth (#122439)
* add an example for services.tor.settings.HidServAuth

* fix HidServAuth validation to require ".onion"
  Per https://manpages.debian.org/testing/tor/torrc.5.en.html :
  > Valid onion addresses contain 16 characters in a-z2-7 plus ".onion"
Diffstat (limited to 'nixos/modules/services/security/tor.nix')
-rw-r--r--nixos/modules/services/security/tor.nix10
1 files changed, 8 insertions, 2 deletions
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 54c2c2dea23..9e8f18e93c8 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -170,7 +170,7 @@ let
     else if k == "ServerTransportPlugin" then
       optionalString (v.transports != []) "${concatStringsSep "," v.transports} exec ${v.exec}"
     else if k == "HidServAuth" then
-      concatMapStringsSep "\n${k} " (settings: settings.onion + " " settings.auth) v
+      v.onion + " " + v.auth
     else generators.mkValueStringDefault {} v;
   genTorrc = settings:
     generators.toKeyValue {
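Review bot: The HidServAuth branch concatenates `v.auth`, a client authorization cookie, straight into the generated torrc text, and nothing in the module text shown here tells the user where that text ends up. If the output of genTorrc is written to the Nix store (not visible in this hunk), the cookie is readable by every local user, so the option's description should say so, for example `The auth cookie is copied verbatim into the generated torrc; treat that file as secret.` The same applies to the `auth` example added in the last hunk. The branch also now assumes `v` is a single `{ onion, auth }` set rather than a list, which deserves a short comment such as `# v is one list element here`, to be confirmed against the generator options outside this hunk. The enclosing `let` binding starts and ends outside the hunk.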
@@ -715,7 +715,7 @@ in
               (submodule {
                 options = {
                   onion = mkOption {
-                    type = strMatching "[a-z2-7]{16}(\\.onion)?";
+                    type = strMatching "[a-z2-7]{16}\\.onion";
                     description = "Onion address.";
                     example = "xxxxxxxxxxxxxxxx.onion";
                   };
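Review bot: The tightened pattern on `onion` now rejects the bare 16-character form that the previous `(\\.onion)?` accepted, but the description still reads only "Onion address.", so a user whose existing configuration stops evaluating gets no hint about the required form. I would change it to `description = "Onion address: 16 characters in a-z2-7 followed by \".onion\".";`. Because previously accepted values now fail at evaluation time, a release-note entry may be warranted as well. The submodule starts and ends outside the hunk.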
@@ -726,6 +726,12 @@ in
                 };
               })
             ]);
+            example = [
+              {
+                onion = "xxxxxxxxxxxxxxxx.onion";
+                auth = "xxxxxxxxxxxxxxxxxxxxxx";
+              }
+            ];
           };
           options.HiddenServiceNonAnonymousMode = optionBool "HiddenServiceNonAnonymousMode";
           options.HiddenServiceStatistics = optionBool "HiddenServiceStatistics";