path: root/nixos/modules/services/security/tor.nix
Commit message (Author, Age)
* treewide: use optional instead of 'then []' (Felix Buehler, 2023-06-25)
* nixos: fix typos (figsoda, 2022-12-17)
* treewide: optional -> optionals where the argument is a list (Artturin, 2022-10-10)
  the argument to optional should not be a list
* nixos/*: convert straggler options to MD (pennae, 2022-08-31)
* nixos/*: md-convert hidden plaintext options (pennae, 2022-08-31)
  most of these are hidden because they're either part of a submodule that doesn't have its type rendered (eg because the submodule type is used in an either type) or because they are explicitly hidden. some of them are merely hidden from nix-doc-munge by how their option is put together.
* nixos/*: automatically convert option descriptions (pennae, 2022-08-31)
  conversions were done using https://github.com/pennae/nix-doc-munge using (probably) rev f34e145 running

    nix-doc-munge nixos/**/*.nix
    nix-doc-munge --import nixos/**/*.nix

  the tool ensures that only changes that could affect the generated manual *but don't* are committed, other changes require manual review and are discarded.
* nixos/*: convert varlist-using options to MD (pennae, 2022-08-31)
  there are sufficiently few variable list around, and they are sufficiently simple, that it doesn't seem helpful to add another markdown extension for them. rendering differences are small, except in the tor module: admonitions inside other blocks cannot be made to work well with mistune (and likely most other markdown processors), so those had to be shuffled a bit. we also lose paragraph breaks in the list items due to how we have to render from markdown to docbook, but once we remove docbook from the pipeline those paragraph breaks will be restored.
* nixos/*: remove indentation from long enable options (pennae, 2022-08-31)
  the way these are written they introduce lots of whitespace in each line, which will cause those lines to render as code when converted to markdown. override the whole description instead.
* nixos/tor: convert option descriptions to MD (pennae, 2022-08-27)
  no change in rendered output. the html manual could render <screen> blocks differently, but so far it hasn't (and if we need to make a distinction we can use a special info string).
* nixos/*: automatically convert option docs to MD (pennae, 2022-08-03)
  once again using nix-doc-munge (https://github.com/pennae/nix-doc-munge/commit/69d080323ae27c0d8da3967c62b925a9aedb2828)
* nixos/*: normalize link format (pennae, 2022-08-03)
  make (almost) all links appear on only a single line, with no unnecessary whitespace, using double quotes for attributes. this lets us automatically convert them to markdown easily. the few remaining links are extremely long link in a gnome module, we'll come back to those at a later date.
* treewide: automatically md-convert option descriptions (pennae, 2022-07-30)
  the conversion procedure is simple:
  - find all things that look like options, ie calls to either `mkOption` or `lib.mkOption` that take an attrset. remember the attrset as the option
  - for all options, find a `description` attribute whose value is not a call to `mdDoc` or `lib.mdDoc`
  - textually convert the entire value of the attribute to MD with a few simple regexes (the set from mdize-module.sh)
  - if the change produced a change in the manual output, discard
  - if the change kept the manual unchanged, add some text to the description to make sure we've actually found an option. if the manual changes this time, keep the converted description

  this procedure converts 80% of nixos options to markdown. around 2000 options remain to be inspected, but most of those fail the "does not change the manual output check": currently the MD conversion process does not faithfully convert docbook tags like <code> and <package>, so any option using such tags will not be converted at all.
* nixos/tor: fix services.tor.client.enable = false not working (Luflosi, 2022-03-15)
  If `services.tor.client.enable` is set to false (the default), the `SOCKSPort` option is not added to the torrc file but since Tor defaults to listening on port 9050 when the option is not specified, the tor client is not actually disabled. To fix this, simply set `SOCKSPort` to 0, which disables the client. Use `mkForce` to prevent potentially two different `SOCKSPort` options in the torrc file, with one of them being 0 as this would cause Tor to fail to start. When `services.tor.client.enable` is set to false, this should always be disabled.
* nixos/tor: allow tor to read resolv.conf when using resolved (Luflosi, 2022-03-15)
  When `services.resolved.enable` is set to true, the file /etc/resolv.conf becomes a symlink to /etc/static/resolv.conf, which is a symlink to /run/systemd/resolve/stub-resolv.conf. Without this commit, tor does not have access to this file thanks to systemd confinement. This results in the following warning when tor starts:

  ```
  [warn] Unable to stat resolver configuration in '/etc/resolv.conf': No such file or directory
  [warn] Could not read your DNS config from '/etc/resolv.conf' - please investigate your DNS configuration. This is possibly a problem. Meanwhile, falling back to local DNS at 127.0.0.1.
  ```

  To fix this, simply allow read-only access to the file when resolved is in use. According to https://github.com/NixOS/nixpkgs/pull/161818#discussion_r824820462, the symlink may also point to /run/systemd/resolve/resolv.conf, so allow that as well.
* nixos/tor: admit newlines in secret key (lassulus, 2022-03-09)
* nixos/tor: fix tor getting killed by systemd when shutting down (Luflosi, 2022-01-25)
  Tor waits ShutdownWaitLength seconds (30s by default) before actually shutting down. Since the systemd timeout is also set to 30 seconds, this results in a race condition that ends up killing Tor most of the time on my machine during shutdown. To fix this, add the ShutdownWaitLength setting and tell systemd to wait 30 seconds more than that. Arch Linux also has `TimeoutSec` set to 60 seconds: https://github.com/archlinux/svntogit-community/blob/6df716fe195984624d475b79b2cd9d290452c346/trunk/tor.service.
* treewide: add defaultText for options with simple cfg.* expression defaults (pennae, 2021-12-09)
  adds defaultText for options with defaults that use only literals, full config.* paths, and the cfg shortcut binding.
* Merge pull request #122452 from ju1m/tor (Sandro, 2021-11-09)
* nixos/tor: harden ProcSubset and ProtectProc (Julien Moutinho, 2021-05-10)
* nixos/doc: clean up defaults and examples (Naïm Favier, 2021-10-04)
* nixos/tor: allow AF_NETLINK address family (Pierre Bourdon, 2021-08-25)
  Tor attempts to detect what external IP address a machine is using by listing addresses on all network interfaces on the system. This listing is done using getifaddrs(3), which relies on netlink in order to get IPv6 address information. This change fixes Tor not finding the relay's IPv6 address unless explicitly configured via either an ORPort directive or via DNS resolution of the machine hostname.
* nixos/tor: fix HidServAuth (#122439) (Tom, 2021-05-11)
  * add an example for services.tor.settings.HidServAuth
  * fix HidServAuth validation to require ".onion"

  Per https://manpages.debian.org/testing/tor/torrc.5.en.html :
  > Valid onion addresses contain 16 characters in a-z2-7 plus ".onion"
* nixos/tor: fix openFirewall when ORPort isInt (Julien Moutinho, 2021-01-12)
* nixos/tor: fix client.dns.automapHostsSuffixes renaming (Julien Moutinho, 2021-01-05)
* nixos/tor: improve type-checking and hardening (Julien Moutinho, 2021-01-04)
  Fixes #77395. Fixes #82790.
* nixos/tor: don't do privoxy stuff by default (Alyssa Ross, 2020-12-16)
  It's very surprising that services.tor.client.enable would set services.privoxy.enable. This violates the principle of least astonishment, because it's Privoxy that can integrate with Tor, rather than the other way around. So this patch moves the Privoxy Tor integration to the Privoxy module, and it also disables it by default. This change is documented in the release notes.

  Reported-by: V <v@anomalous.eu>
* Merge pull request #96042 from rnhmjoj/loaOf (WORLDofPEACE, 2020-09-02)
  treewide: completely remove types.loaOf
* treewide: completely remove types.loaOf (rnhmjoj, 2020-09-02)
* Add option to tor service for package (Andrew R. M, 2020-08-30)
* nixos/*: wheter -> whether (Samuel Gräfenstein, 2020-07-04)
* nixos/treewide: Move rename.nix imports to their respective modules (Silvan Mosberger, 2019-12-10)
  A centralized list for these renames is not good because:
  - It breaks disabledModules for modules that have a rename defined
  - Adding/removing renames for a module means having to find them in the central file
  - Merge conflicts due to multiple people editing the central file
* nixos: remove dependencies on local-fs.target (Florian Klink, 2019-09-01)
  Since https://github.com/NixOS/nixpkgs/pull/61321, local-fs.target is part of sysinit.target again, meaning units without DefaultDependencies=no will automatically depend on it, and the manually set dependencies can be dropped.
* nixos/tor: fix obfs4 package (fuwa, 2019-07-19)
* nixos tor: use obfs4proxy, make transport list customizable (Will Dietz, 2019-05-01)
* nixos/tor: add HiddenServiceVersion option (Jonas Nick, 2018-11-23)
* nixos/tor: better support non-anonymous services (Jean-Paul Calderone, 2018-10-17)
  Tor requires ``SOCKSPort 0`` when non-anonymous hidden services are enabled. If the configuration doesn't enable Tor client features, generate a configuration file that explicitly includes this disabling to allow such non-anonymous hidden services to be created (note that doing so still requires additional configuration). See #48622.
* nixos/tor: Correct "transparent" typo (Jean-Paul Calderone, 2018-09-17)
* [bot] nixos/*: remove unused arguments in lambdas (volth, 2018-07-20)
* nixos/modules: users.(extraUsers|extraGroup->users|group) (Florian Klink, 2018-06-30)
* nixos/tor: grammar fix, advise -> advice (Joachim Fasting, 2018-06-18)
  Seems to me that the noun form is more appropriate here.
* nixos/tor: use ControlPort for controlSocket for simplicity (SLNOS, 2018-06-11)
* nixos/tor: add tor-init service to fix directory ownerships, fix hardenings (SLNOS, 2018-06-11)
  This reverts a part of 5bd12c694bfebaef1d03eb7f74a6eca01b86f546. Apparently there's no way to specify user for RuntimeDirectory in systemd service file (it's always root) but tor won't create control socket if the dir is owned by anybody except the tor user.

  These hardenings were adopted from the upstream service file, checked against systemd.service(5) and systemd.exec(5) manuals, and tested to actually work with all the options enabled. `PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5), removed. `--RunAsDaemon 0` is the default value according to tor(5), removed.
* nixos/tor: use RuntimeDirectory, StateDirectory (#39083) (Robert Schütz, 2018-04-18)
* nixos/tor: expose control socket (Jaka Hudoklin, 2018-03-26)
* nixos/tor: add hiddenServices.<name>.authorizeClient (Robert Schütz, 2018-02-08)
* Merge pull request #28939 from xtruder/nixos/tor/trans_proxy (Jaka Hudoklin, 2017-12-03)
  tor module: add support for transparent proxy and dns
* nixos/tor: add support for transparent proxy and dns (Jaka Hudoklin, 2017-09-23)
* tor: skip ControlPort in torrc, if not set. (Jörg Thalheim, 2017-09-13)
* nixos: tor: rename portSpec -> port, type all "port"s properly (SLNOS, 2017-08-22)
* nixos: tor: better submodule for hidden services (SLNOS, 2017-08-22)
  Rebased onto master with a different implementation. Originally: "add support for serving hidden services".