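{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.tor.torsocks;

  # Render `v` only when the option value `b` has actually been set (non-null),
  # so unset options produce no directive at all instead of an empty one.
  optionalNullStr = b: v: lib.optionalString (b != null) v;

  # torsocks wants the SOCKS endpoint as two separate directives (TorAddress /
  # TorPort), while the NixOS options take a single "ADDRESS:PORT" string.
  # The split is a plain string split on ':' — an address that itself contains
  # ':' (an IPv6 literal) cannot be represented this way; `isValidServer`
  # below rejects such values at evaluation time rather than emitting a
  # config with a garbled TorPort.
  splitServer =
    server:
    let
      parts = lib.splitString ":" server;
    in
    {
      address = lib.head parts;
      port = lib.last parts;
    };

  # Accepts exactly "ADDRESS:PORT" with a colon-free address and a numeric port
  # (builtins.match is anchored to the whole string).
  isValidServer = server: builtins.match "[^:]+:[0-9]+" server != null;

  # Full torsocks.conf contents for the given "ADDRESS:PORT" SOCKS server.
  # NOTE: the rendered file lands in the Nix store, which is world-readable;
  # any SOCKS5 password set through the option becomes visible to every local
  # user (see the warning emitted in `config` below).
  configFile =
    server:
    let
      s = splitServer server;
    in
    ''
      TorAddress ${s.address}
      TorPort ${s.port}

      OnionAddrRange ${cfg.onionAddrRange}

      ${optionalNullStr cfg.socks5Username "SOCKS5Username ${cfg.socks5Username}"}
      ${optionalNullStr cfg.socks5Password "SOCKS5Password ${cfg.socks5Password}"}

      AllowInbound ${if cfg.allowInbound then "1" else "0"}
    '';

  # Build an executable wrapper `/bin/<name>` that runs torsocks against
  # `server`, pointing it at a dedicated config via TORSOCKS_CONF_FILE.
  # `exec` replaces the wrapper shell with torsocks itself, so signals and the
  # exit status reach the real process without an intermediate sh.
  wrapTorsocks =
    name: server:
    pkgs.writeTextFile {
      inherit name;
      executable = true;
      destination = "/bin/${name}";
      text = ''
        #!${pkgs.runtimeShell}
        TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (configFile server)} \
          exec ${pkgs.torsocks}/bin/torsocks "$@"
      '';
    };

in
{
  options = {
    services.tor.torsocks = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = config.services.tor.enable && config.services.tor.client.enable;
        defaultText = lib.literalExpression "config.services.tor.enable && config.services.tor.client.enable";
        description = ''
          Whether to build `/etc/tor/torsocks.conf`
          containing the specified global torsocks configuration.
        '';
      };

      server = lib.mkOption {
        type = lib.types.str;
        default = "127.0.0.1:9050";
        example = "192.168.0.20:1234";
        description = ''
          IP/Port of the Tor SOCKS server, as `ADDRESS:PORT`. Currently,
          hostnames are NOT supported by torsocks, and the address must not
          itself contain a colon (IPv6 literals are not accepted here).
        '';
      };

      fasterServer = lib.mkOption {
        type = lib.types.str;
        default = "127.0.0.1:9063";
        example = "192.168.0.20:1234";
        description = ''
          IP/Port of the Tor SOCKS server for the `torsocks-faster` wrapper
          suitable for HTTP, as `ADDRESS:PORT`. Currently, hostnames are NOT
          supported by torsocks, and the address must not itself contain a
          colon (IPv6 literals are not accepted here).
        '';
      };

      onionAddrRange = lib.mkOption {
        type = lib.types.str;
        default = "127.42.42.0/24";
        description = ''
          Tor hidden sites do not have real IP addresses. This
          specifies what range of IP addresses will be handed to the
          application as "cookies" for .onion names. Of course, you
          should pick a block of addresses which you aren't going to
          ever need to actually connect to. This is similar to the
          MapAddress feature of the main tor daemon.
        '';
      };

      socks5Username = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        example = "bob";
        description = ''
          SOCKS5 username. The `TORSOCKS_USERNAME`
          environment variable overrides this option if it is set.
        '';
      };

      socks5Password = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        example = "sekret";
        description = ''
          SOCKS5 password. The `TORSOCKS_PASSWORD`
          environment variable overrides this option if it is set.

          Warning: a value set here is written verbatim into
          `torsocks.conf` in the world-readable Nix store, so it is visible to
          every local user. Prefer supplying the password through the
          `TORSOCKS_PASSWORD` environment variable of the processes that need
          it, and do not use a secret you rely on elsewhere.
        '';
      };

      allowInbound = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Set Torsocks to accept inbound connections. If set to
          `true`, listen() and accept() will be
          allowed to be used with non localhost address.
        '';
      };

    };
  };

  config = lib.mkIf cfg.enable {
    # Fail evaluation on a server string the ':' split above cannot handle,
    # instead of silently generating a torsocks.conf with a broken TorPort.
    assertions = [
      {
        assertion = isValidServer cfg.server;
        message = "services.tor.torsocks.server must be of the form ADDRESS:PORT (got \"${cfg.server}\")";
      }
      {
        assertion = isValidServer cfg.fasterServer;
        message = "services.tor.torsocks.fasterServer must be of the form ADDRESS:PORT (got \"${cfg.fasterServer}\")";
      }
    ];

    # Surface the store-leak of the SOCKS5 password at build time; the option
    # is kept for compatibility, but the environment variable is the safer path.
    warnings = lib.optional (cfg.socks5Password != null) "services.tor.torsocks.socks5Password is written into a world-readable file in the Nix store; prefer the TORSOCKS_PASSWORD environment variable for the processes that need it.";

    environment.systemPackages = [
      pkgs.torsocks
      (wrapTorsocks "torsocks-faster" cfg.fasterServer)
    ];

    # Global config consumed by the plain `torsocks` binary; the
    # `torsocks-faster` wrapper carries its own copy via TORSOCKS_CONF_FILE.
    environment.etc."tor/torsocks.conf" = {
      source = pkgs.writeText "torsocks.conf" (configFile cfg.server);
    };
  };
}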