authorJaka Hudoklin <jakahudoklin@gmail.com>2017-04-16 15:19:16 +0200
committerJaka Hudoklin <jakahudoklin@gmail.com>2017-09-23 20:13:08 +0200
commit78a86c9072e28af3bc4f316e3a978030ec11ad07 (patch)
tree809bd09aa81e45a1c8f89169d7feb75e3a30cbe2 /nixos/modules/services/security/tor.nix
parent101ccc0629790b8a404904f72e2fbf824de7c169 (diff)
nixos/tor: add support for transparent proxy and dns
Diffstat (limited to 'nixos/modules/services/security/tor.nix')
-rw-r--r--nixos/modules/services/security/tor.nix83
1 files changed, 81 insertions, 2 deletions
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 04b065f6ae4..80df441cf66 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -9,6 +9,26 @@ let
   opt    = name: value: optionalString (value != null) "${name} ${value}";
   optint = name: value: optionalString (value != null && value != 0)    "${name} ${toString value}";
 
+  isolationOptions = {
+    type = types.listOf (types.enum [
+      "IsolateClientAddr"
+      "IsolateSOCKSAuth"
+      "IsolateClientProtocol"
+      "IsolateDestPort"
+      "IsolateDestAddr"
+    ]);
+    default = [];
+    example = [
+      "IsolateClientAddr"
+      "IsolateSOCKSAuth"
+      "IsolateClientProtocol"
+      "IsolateDestPort"
+      "IsolateDestAddr"
+    ];
+    description = "Tor isolation options";
+  };
+
+
   torRc = ''
     User tor
     DataDirectory ${torDirectory}
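Review bot: The shared `description = "Tor isolation options";` on the new isolationOptions attrset is too thin for an option that is reused by three listeners; it never says what the flags do or where they are applied. Since the same attrset is spliced into socksIsolationOptions, transparentProxy.isolationOptions and dns.isolationOptions, a reader of the generated manual sees that one sentence three times. I would write `description = "Stream isolation flags appended to the listener's port line (SOCKSPort, TransPort or DNSPort); see the isolation flags documented for SOCKSPort in the Tor manual.";`. The `let` block this attrset lives in starts before the hunk.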
@@ -20,10 +40,20 @@ let
     ${optint "ControlPort" (toString cfg.controlPort)}
   ''
   # Client connection config
-  + optionalString cfg.client.enable  ''
-    SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
+  + optionalString cfg.client.enable ''
+    SOCKSPort ${cfg.client.socksListenAddress} ${toString cfg.client.socksIsolationOptions}
     SOCKSPort ${cfg.client.socksListenAddressFaster}
     ${opt "SocksPolicy" cfg.client.socksPolicy}
+
+    ${optionalString cfg.client.transparentProxy.enable ''
+    TransPort ${cfg.client.transparentProxy.listenAddress} ${toString cfg.client.transparentProxy.isolationOptions}
+    ''}
+
+    ${optionalString cfg.client.dns.enable ''
+    DNSPort ${cfg.client.dns.listenAddress} ${toString cfg.client.dns.isolationOptions}
+    AutomapHostsOnResolve 1
+    AutomapHostsSuffixes ${concatStringsSep "," cfg.client.dns.automapHostsSuffixes}
+    ''}
   ''
   # Relay config
   + optionalString cfg.relay.enable ''
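Review bot: The dns block emits `AutomapHostsSuffixes ${concatStringsSep "," cfg.client.dns.automapHostsSuffixes}` unconditionally, so an `automapHostsSuffixes = []` setting produces a line with an empty value; whether Tor accepts that or treats it as an error is not visible in this hunk, and either way it silently differs from what a user who empties the list expects (Tor's own default for this option is not empty). A cheap guard is to skip the line when the list is empty, e.g. `${optionalString (cfg.client.dns.automapHostsSuffixes != []) "AutomapHostsSuffixes ${concatStringsSep "," cfg.client.dns.automapHostsSuffixes}"}`, or alternatively to reject the empty list at option level so the generated torrc is always well formed. The same `toString`-on-a-list pattern is used for the three isolation flag lists; that one is fine because a space-joined empty list only leaves a trailing space on the port line. The torRc string this hunk belongs to starts before the hunk and continues past it.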
@@ -154,6 +184,55 @@ in
           '';
         };
 
+        socksIsolationOptions = mkOption (isolationOptions // {
+          default = ["IsolateDestAddr"];
+        });
+
+        transparentProxy = {
+          enable = mkOption {
+            type = types.bool;
+            default = false;
+            description = "Whether to enable tor transaprent proxy";
+          };
+
+          listenAddress = mkOption {
+            type = types.str;
+            default = "127.0.0.1:9040";
+            example = "192.168.0.1:9040";
+            description = ''
+              Bind transparent proxy to this address.
+            '';
+          };
+
+          isolationOptions = mkOption isolationOptions;
+        };
+
+        dns = {
+          enable = mkOption {
+            type = types.bool;
+            default = false;
+            description = "Whether to enable tor dns resolver";
+          };
+
+          listenAddress = mkOption {
+            type = types.str;
+            default = "127.0.0.1:9053";
+            example = "192.168.0.1:9053";
+            description = ''
+              Bind tor dns to this address.
+            '';
+          };
+
+          isolationOptions = mkOption isolationOptions;
+
+          automapHostsSuffixes = mkOption {
+            type = types.listOf types.str;
+            default = [".onion" ".exit"];
+            example = [".onion"];
+            description = "List of suffixes to use with automapHostsOnResolve";
+          };
+        };
+
         privoxy.enable = mkOption {
           type = types.bool;
           default = true;
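Review bot: The transparentProxy.enable description has a typo, `"Whether to enable tor transaprent proxy"` should read `"Whether to enable tor transparent proxy"`. More importantly, the two new listenAddress options show non-loopback examples (`192.168.0.1:9040`, `192.168.0.1:9053`) without saying what that implies: unlike the SOCKS listener, which is paired with socksPolicy, the TransPort and DNSPort listeners added here have no access-control option in this module, so binding them to a LAN address lets any host that can reach the port route traffic or resolve names through this Tor instance. I would extend both descriptions with a sentence such as `Binding to a non-loopback address exposes this listener to every host that can reach it; restrict access with the firewall.` The enclosing `client` option set starts before the hunk.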