1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
# Shorthand for this module's own option tree.
cfg = config.services.tor.torsocks;
# Emit `v` only when `b` is set; a null `b` contributes the empty string
# (used to drop SOCKS5Username/SOCKS5Password lines that were not configured).
optionalNullStr = b: v: if b == null then "" else v;
8
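# Render a torsocks.conf for the SOCKS endpoint `server` ("IP:port").
# Everything else (onion range, SOCKS5 credentials, inbound policy) comes
# from the module options.
#
# NOTE: socks5Password is written into this text in clear; both callers hand
# the result to pkgs.writeText, i.e. the file ends up in the world-readable
# Nix store. The TORSOCKS_PASSWORD environment variable (which torsocks lets
# override the file, per the option description) keeps the secret out of it.
configFile = server:
  let
    # torsocks does not accept hostnames here; an IPv6 literal would itself
    # contain ':' and is not handled by this split either — IPv4 only.
    parts = splitString ":" server;
    torAddress = head parts;
    # `last`, not `tail`: `tail` yields a *list*, which only stringified to the
    # port by accident (single trailing element), and to "" when no port was given.
    torPort = last parts;
  in
  # Fail at evaluation time rather than emit a config with an empty TorPort.
  if length parts < 2 then
    throw "services.tor.torsocks: server must be of the form IP:port, got '${server}'"
  else ''
    TorAddress ${torAddress}
    TorPort ${torPort}

    OnionAddrRange ${cfg.onionAddrRange}

    ${optionalNullStr cfg.socks5Username
      "SOCKS5Username ${cfg.socks5Username}"}
    ${optionalNullStr cfg.socks5Password
      "SOCKS5Password ${cfg.socks5Password}"}

    AllowInbound ${if cfg.allowInbound then "1" else "0"}
  '';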
22
# Build an executable `/bin/<name>` that runs torsocks against a dedicated
# torsocks.conf pointing at `server`; all command-line arguments pass through.
wrapTorsocks = name: server:
  let
    # Per-wrapper config (same renderer as the global /etc/tor/torsocks.conf).
    conf = pkgs.writeText "torsocks.conf" (configFile server);
    torsocksBin = "${pkgs.torsocks}/bin/torsocks";
  in
  pkgs.writeTextFile {
    inherit name;
    executable = true;
    destination = "/bin/${name}";
    # TORSOCKS_CONF_FILE selects the config for this single invocation only.
    text = ''
      #!${pkgs.stdenv.shell}
      TORSOCKS_CONF_FILE=${conf} ${torsocksBin} "$@"
    '';
  };
32
33in
34{
# Option declarations for the global torsocks configuration.
options.services.tor.torsocks =
  let
    # Both SOCKS endpoints are "IP:port" literals with the same example.
    serverExample = "192.168.0.20:1234";
  in {
    # On by default only when a local Tor client is already running.
    enable = mkOption {
      type = types.bool;
      default = config.services.tor.enable && config.services.tor.client.enable;
      description = ''
        Whether to build <literal>/etc/tor/torsocks.conf</literal>
        containing the specified global torsocks configuration.
      '';
    };

    # Endpoint written into /etc/tor/torsocks.conf.
    server = mkOption {
      type = types.str;
      default = "127.0.0.1:9050";
      example = serverExample;
      description = ''
        IP/Port of the Tor SOCKS server. Currently, hostnames are
        NOT supported by torsocks.
      '';
    };

    # Endpoint used by the torsocks-faster wrapper installed by this module.
    fasterServer = mkOption {
      type = types.str;
      default = "127.0.0.1:9063";
      example = serverExample;
      description = ''
        IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP.
        Currently, hostnames are NOT supported by torsocks.
      '';
    };

    onionAddrRange = mkOption {
      type = types.str;
      default = "127.42.42.0/24";
      description = ''
        Tor hidden sites do not have real IP addresses. This
        specifies what range of IP addresses will be handed to the
        application as "cookies" for .onion names. Of course, you
        should pick a block of addresses which you aren't going to
        ever need to actually connect to. This is similar to the
        MapAddress feature of the main tor daemon.
      '';
    };

    socks5Username = mkOption {
      type = types.nullOr types.str;
      default = null;
      example = "bob";
      description = ''
        SOCKS5 username. The <literal>TORSOCKS_USERNAME</literal>
        environment variable overrides this option if it is set.
      '';
    };

    # This value is rendered verbatim into torsocks.conf, which is placed in
    # the world-readable Nix store by pkgs.writeText. For a password that
    # must stay private, set the TORSOCKS_PASSWORD environment variable named
    # in the description instead of this option.
    socks5Password = mkOption {
      type = types.nullOr types.str;
      default = null;
      example = "sekret";
      description = ''
        SOCKS5 password. The <literal>TORSOCKS_PASSWORD</literal>
        environment variable overrides this option if it is set.
      '';
    };

    # Off by default: with it on, wrapped programs may listen()/accept() on
    # non-loopback addresses, i.e. expose services outside Tor.
    allowInbound = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Set Torsocks to accept inbound connections. If set to
        <literal>true</literal>, listen() and accept() will be
        allowed to be used with non localhost address.
      '';
    };
  };
111
# Install torsocks plus the torsocks-faster wrapper, and publish the global
# configuration as /etc/tor/torsocks.conf.
config = mkIf cfg.enable (
  let
    # Rendered from cfg.server; lands in the Nix store, so the file is
    # readable by every local user (relevant if socks5Password is set).
    globalConf = pkgs.writeText "torsocks.conf" (configFile cfg.server);
    fasterWrapper = wrapTorsocks "torsocks-faster" cfg.fasterServer;
  in {
    environment.systemPackages = [ pkgs.torsocks fasterWrapper ];

    environment.etc = [
      {
        source = globalConf;
        target = "tor/torsocks.conf";
      }
    ];
  }
);
121}