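{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.tor.torsocks;

  # Render `v` only when `b` is non-null; used for the optional SOCKS5
  # credential lines below.
  optionalNullStr = b: v: optionalString (b != null) v;

  # Split an "IP:port" string into its two halves.  `last` (rather than the
  # original `tail`, which yields a *list* that `toString` then space-joins)
  # returns exactly the final component, so a value with several colons can
  # never produce a multi-word TorPort line.
  serverHost = server: head (splitString ":" server);
  serverPort = server: last (splitString ":" server);

  # A server value must carry a port; checked by the assertions in `config`.
  hasPort = server: hasInfix ":" server;

  # Build the torsocks.conf text pointing at `server`.
  # NOTE(security): the rendered text is stored with `pkgs.writeText`, i.e. in
  # the world-readable Nix store, so any `socks5Username`/`socks5Password`
  # value ends up visible to every local user.
  configFile = server: ''
    TorAddress ${serverHost server}
    TorPort ${serverPort server}

    OnionAddrRange ${cfg.onionAddrRange}

    ${optionalNullStr cfg.socks5Username
      "SOCKS5Username ${cfg.socks5Username}"}
    ${optionalNullStr cfg.socks5Password
      "SOCKS5Password ${cfg.socks5Password}"}

    AllowInbound ${if cfg.allowInbound then "1" else "0"}
  '';

  # Wrap the torsocks binary in a small shell script that points it at a
  # dedicated config file for `server`.  The variable is exported on its own
  # line and the binary is `exec`ed, so the wrapper leaves no extra shell
  # process behind and the config path is passed unambiguously.
  wrapTorsocks = name: server: pkgs.writeTextFile {
    name = name;
    text = ''
      #!${pkgs.runtimeShell}
      export TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (configFile server)}
      exec ${pkgs.torsocks}/bin/torsocks "$@"
    '';
    executable = true;
    destination = "/bin/${name}";
  };

in
{
  options = {
    services.tor.torsocks = {
      enable = mkOption {
        type = types.bool;
        default = config.services.tor.enable && config.services.tor.client.enable;
        defaultText = literalExpression "config.services.tor.enable && config.services.tor.client.enable";
        description = lib.mdDoc ''
          Whether to build `/etc/tor/torsocks.conf`
          containing the specified global torsocks configuration, and to
          install `torsocks` together with the `torsocks-faster` wrapper
          into the system environment.
        '';
      };

      server = mkOption {
        type = types.str;
        default = "127.0.0.1:9050";
        example = "192.168.0.20:1234";
        description = lib.mdDoc ''
          IP/Port of the Tor SOCKS server. Currently, hostnames are
          NOT supported by torsocks. The value must contain a port
          (`IP:port`); evaluation fails otherwise.
        '';
      };

      fasterServer = mkOption {
        type = types.str;
        default = "127.0.0.1:9063";
        example = "192.168.0.20:1234";
        description = lib.mdDoc ''
          IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP.
          Currently, hostnames are NOT supported by torsocks. The value must
          contain a port (`IP:port`); evaluation fails otherwise.
        '';
      };

      onionAddrRange = mkOption {
        type = types.str;
        default = "127.42.42.0/24";
        description = lib.mdDoc ''
          Tor hidden sites do not have real IP addresses. This
          specifies what range of IP addresses will be handed to the
          application as "cookies" for .onion names. Of course, you
          should pick a block of addresses which you aren't going to
          ever need to actually connect to. This is similar to the
          MapAddress feature of the main tor daemon.
        '';
      };

      socks5Username = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "bob";
        description = lib.mdDoc ''
          SOCKS5 username. The `TORSOCKS_USERNAME`
          environment variable overrides this option if it is set.

          Note: the value is rendered into a file in the world-readable
          Nix store (and linked as `/etc/tor/torsocks.conf`), so it is
          visible to every local user.
        '';
      };

      socks5Password = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "sekret";
        description = lib.mdDoc ''
          SOCKS5 password. The `TORSOCKS_PASSWORD`
          environment variable overrides this option if it is set.

          Warning: the value is rendered into a file in the world-readable
          Nix store (and linked as `/etc/tor/torsocks.conf`), so it is
          visible to every local user. Prefer supplying the password
          through `TORSOCKS_PASSWORD` in the environment of the process
          that needs it instead of setting it here.
        '';
      };

      allowInbound = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Set Torsocks to accept inbound connections. If set to
          `true`, listen() and accept() will be
          allowed to be used with non localhost address. Leave this
          disabled unless a torified program genuinely needs to accept
          connections, since it lets such programs listen on non-local
          addresses.
        '';
      };

    };
  };

  config = mkIf cfg.enable {
    # Fail at evaluation time instead of silently emitting an empty TorPort
    # line when a server value lacks its port.
    assertions = [
      {
        assertion = hasPort cfg.server;
        message = "services.tor.torsocks.server must be of the form IP:port (hostnames are not supported by torsocks).";
      }
      {
        assertion = hasPort cfg.fasterServer;
        message = "services.tor.torsocks.fasterServer must be of the form IP:port (hostnames are not supported by torsocks).";
      }
    ];

    environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ];

    # Global config used by the plain `torsocks` binary.  Like the wrapper's
    # config, this lives in the Nix store and is readable by all local users.
    environment.etc."tor/torsocks.conf" =
      {
        source = pkgs.writeText "torsocks.conf" (configFile cfg.server);
      };
  };
}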