pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / security / torsocks.nix
at master 3.6 kB view raw
1{ 2 config, 3 lib, 4 pkgs, 5 ... 6}: 7let 8 cfg = config.services.tor.torsocks; 9 optionalNullStr = b: v: lib.optionalString (b != null) v; 10 11 configFile = server: '' 12 TorAddress ${toString (lib.head (lib.splitString ":" server))} 13 TorPort ${toString (lib.tail (lib.splitString ":" server))} 14 15 OnionAddrRange ${cfg.onionAddrRange} 16 17 ${optionalNullStr cfg.socks5Username "SOCKS5Username ${cfg.socks5Username}"} 18 ${optionalNullStr cfg.socks5Password "SOCKS5Password ${cfg.socks5Password}"} 19 20 AllowInbound ${if cfg.allowInbound then "1" else "0"} 21 ''; 22 23 wrapTorsocks = 24 name: server: 25 pkgs.writeTextFile { 26 name = name; 27 text = '' 28 #!${pkgs.runtimeShell} 29 TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (configFile server)} ${pkgs.torsocks}/bin/torsocks "$@" 30 ''; 31 executable = true; 32 destination = "/bin/${name}"; 33 }; 34 35in 36{ 37 options = { 38 services.tor.torsocks = { 39 enable = lib.mkOption { 40 type = lib.types.bool; 41 default = false; 42 description = '' 43 Whether to build `/etc/tor/torsocks.conf` 44 containing the specified global torsocks configuration. 45 ''; 46 }; 47 48 server = lib.mkOption { 49 type = lib.types.str; 50 default = "127.0.0.1:9050"; 51 example = "192.168.0.20:1234"; 52 description = '' 53 IP/Port of the Tor SOCKS server. Currently, hostnames are 54 NOT supported by torsocks. 55 ''; 56 }; 57 58 fasterServer = lib.mkOption { 59 type = lib.types.str; 60 default = "127.0.0.1:9063"; 61 example = "192.168.0.20:1234"; 62 description = '' 63 IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP. 64 Currently, hostnames are NOT supported by torsocks. 65 ''; 66 }; 67 68 onionAddrRange = lib.mkOption { 69 type = lib.types.str; 70 default = "127.42.42.0/24"; 71 description = '' 72 Tor hidden sites do not have real IP addresses. This 73 specifies what range of IP addresses will be handed to the 74 application as "cookies" for .onion names. Of course, you 75 should pick a block of addresses which you aren't going to 76 ever need to actually connect to. This is similar to the 77 MapAddress feature of the main tor daemon. 78 ''; 79 }; 80 81 socks5Username = lib.mkOption { 82 type = lib.types.nullOr lib.types.str; 83 default = null; 84 example = "bob"; 85 description = '' 86 SOCKS5 username. The `TORSOCKS_USERNAME` 87 environment variable overrides this option if it is set. 88 ''; 89 }; 90 91 socks5Password = lib.mkOption { 92 type = lib.types.nullOr lib.types.str; 93 default = null; 94 example = "sekret"; 95 description = '' 96 SOCKS5 password. The `TORSOCKS_PASSWORD` 97 environment variable overrides this option if it is set. 98 ''; 99 }; 100 101 allowInbound = lib.mkOption { 102 type = lib.types.bool; 103 default = false; 104 description = '' 105 Set Torsocks to accept inbound connections. If set to 106 `true`, listen() and accept() will be 107 allowed to be used with non localhost address. 108 ''; 109 }; 110 111 }; 112 }; 113 114 config = lib.mkIf cfg.enable { 115 environment.systemPackages = [ 116 pkgs.torsocks 117 (wrapTorsocks "torsocks-faster" cfg.fasterServer) 118 ]; 119 120 environment.etc."tor/torsocks.conf" = { 121 source = pkgs.writeText "torsocks.conf" (configFile cfg.server); 122 }; 123 }; 124}