diff options
Diffstat (limited to 'nixos/modules/services/security/torsocks.nix')
-rw-r--r-- | nixos/modules/services/security/torsocks.nix | 118 |
1 files changed, 77 insertions, 41 deletions
diff --git a/nixos/modules/services/security/torsocks.nix b/nixos/modules/services/security/torsocks.nix index ede6c983677..1b5a05b21e7 100644 --- a/nixos/modules/services/security/torsocks.nix +++ b/nixos/modules/services/security/torsocks.nix @@ -1,85 +1,121 @@ { config, lib, pkgs, ... }: + with lib; + let + cfg = config.services.tor.torsocks; + optionalNullStr = b: v: optionalString (b != null) v; - cfg = config.services.tor; + configFile = server: '' + TorAddress ${toString (head (splitString ":" server))} + TorPort ${toString (tail (splitString ":" server))} - makeConfig = server: '' - server = ${toString(head (splitString ":" server))} - server_port = ${toString(tail (splitString ":" server))} + OnionAddrRange ${cfg.onionAddrRange} - local = 127.0.0.0/255.128.0.0 - local = 127.128.0.0/255.192.0.0 - local = 169.254.0.0/255.255.0.0 - local = 172.16.0.0/255.240.0.0 - local = 192.168.0.0/255.255.0.0 + ${optionalNullStr cfg.socks5Username + "SOCKS5Username ${cfg.socks5Username}"} + ${optionalNullStr cfg.socks5Password + "SOCKS5Password ${cfg.socks5Password}"} - ${cfg.torsocks.config} - ''; - makeTorsocks = name: server: pkgs.writeTextFile { + AllowInbound ${if cfg.allowInbound then "1" else "0"} + ''; + + wrapTorsocks = name: server: pkgs.writeTextFile { name = name; text = '' #!${pkgs.stdenv.shell} - TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (makeConfig server)} LD_PRELOAD="${pkgs.torsocks}/lib/torsocks/libtorsocks.so $LD_PRELOAD" "$@" + TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (configFile server)} ${pkgs.torsocks}/bin/torsocks "$@" ''; executable = true; destination = "/bin/${name}"; }; - torsocks = makeTorsocks "torsocks" cfg.torsocks.server; - torsocksFaster = makeTorsocks "torsocks-faster" cfg.torsocks.serverFaster; in - { - - ###### interface - options = { - services.tor.torsocks = { - enable = mkOption { - default = cfg.client.enable; + type = types.bool; + default = config.services.tor.enable && config.services.tor.client.enable; description = '' - Whether to build torsocks scipt to relay application traffic via TOR. + Whether to build <literal>/etc/tor/torsocks.conf</literal> + containing the specified global torsocks configuration. ''; }; server = mkOption { - default = cfg.client.socksListenAddress; - example = "192.168.0.20:9050"; + type = types.str; + default = "127.0.0.1:9050"; + example = "192.168.0.20:1234"; description = '' - IP address of TOR client to use. + IP/Port of the Tor SOCKS server. Currently, hostnames are + NOT supported by torsocks. ''; }; - serverFaster = mkOption { - default = cfg.client.socksListenAddressFaster; - example = "192.168.0.20:9063"; + fasterServer = mkOption { + type = types.str; + default = "127.0.0.1:9063"; + example = "192.168.0.20:1234"; description = '' - IP address of TOR client to use for applications like web browsers which - need less circuit isolation to achive satisfactory performance. + IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP. + Currently, hostnames are NOT supported by torsocks. ''; }; - config = mkOption { - default = ""; + onionAddrRange = mkOption { + type = types.str; + default = "127.42.42.0/24"; description = '' - Extra configuration. Contents will be added verbatim to torsocks - configuration file. + Tor hidden sites do not have real IP addresses. This + specifies what range of IP addresses will be handed to the + application as "cookies" for .onion names. Of course, you + should pick a block of addresses which you aren't going to + ever need to actually connect to. This is similar to the + MapAddress feature of the main tor daemon. ''; }; - }; + socks5Username = mkOption { + type = types.nullOr types.str; + default = null; + example = "bob"; + description = '' + SOCKS5 username. The <literal>TORSOCKS_USERNAME</literal> + environment variable overrides this option if it is set. + ''; + }; - }; + socks5Password = mkOption { + type = types.nullOr types.str; + default = null; + example = "sekret"; + description = '' + SOCKS5 password. The <literal>TORSOCKS_PASSWORD</literal> + environment variable overrides this option if it is set. + ''; + }; - ###### implementation + allowInbound = mkOption { + type = types.bool; + default = false; + description = '' + Set Torsocks to accept inbound connections. If set to + <literal>true</literal>, listen() and accept() will be + allowed to be used with non localhost address. + ''; + }; - config = mkIf cfg.torsocks.enable { + }; + }; - environment.systemPackages = [ torsocks torsocksFaster ]; # expose it to the users + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ]; + environment.etc = + [ { source = pkgs.writeText "torsocks.conf" (configFile cfg.server); + target = "tor/torsocks.conf"; + } + ]; }; - } |