Thank you! I committed it, without caring much about the details due to a sudden need of testing tor - it worked well. :)
On Thu, May 13, 2010 at 10:01:21AM -0400, [email protected] wrote:
> Here are the amended patches. I've incorporated most of your
> suggestions; however...
>
> On Mon, 3 May 2010, Ludovic Courtès wrote:
>
> >+ config = mkOption {
> >+ default = "";
> >+ description = ''
> >+ Extra configuration. Contents will be added verbatim to the
> >configuration file.
> >+ '';
> >
> >This kind of option should really be a last resort IMO. Are the most
> >common options covered by the rest of this file?
>
> There are many many options. The only real useful option I have
> given is the ability to change the port, which is by far the most
> useful option IMHO. The other options I've given are the options I
> needed to change from default and they are less important.
>
> I'll make you a deal though, you add all the options to Cups and
> I'll add all the options to Tor. ;)
>
> >Besides, it would be ideal if you could write a test case for this
> >module.
>
> I have no idea how to do this. Is there a description of the
> process on the wiki? If not, could you add one?
>
> --
> Russell O'Connor <http://r6.ca/>
> ``All talk about `theft,''' the general counsel of the American Graphophone
> Company wrote, ``is the merest claptrap, for there exists no property in
> ideas musical, literary or artistic, except as defined by statute.''
> Index: pkgs/tools/security/tor/default.nix > =================================================================== > --- pkgs/tools/security/tor/default.nix (revision 0) > +++ pkgs/tools/security/tor/default.nix (revision 0) 
> @@ -0,0 +1,30 @@ > +{stdenv, fetchurl, libevent, openssl, zlib}: > + > +stdenv.mkDerivation { > + name = "tor-0.2.1.25"; > + > + src = fetchurl { > + url = "http://www.torproject.org/dist/tor-0.2.1.25.tar.gz"; > + sha256 = "17hpnvlqimblgprx6qwv8akqy5ric08m0265rl4zm1jnxa4v8n47"; > + }; > + > + buildInputs = [libevent openssl zlib]; > + > + doCheck = true; > + > + meta = { > + homepage = http://www.torproject.org/; > + description = "Tor is an onion router enabling Internet anonymity by > thwarting network traffic analysis"; > + longDescription='' > + Tor protects you by bouncing your communications around a distributed > + network of relays run by volunteers all around the world: it prevents > + somebody watching your Internet connection from learning what sites you > + visit, and it prevents the sites you visit from learning your physical > + location. Tor works with many of your existing applications, including > + web browsers, instant messaging clients, remote login, and other > + applications based on the TCP protocol. > + ''; > + license="bsd"; > + }; > + > +} > Index: pkgs/top-level/all-packages.nix > =================================================================== > --- pkgs/top-level/all-packages.nix (revision 21586) > +++ pkgs/top-level/all-packages.nix (working copy) > @@ -1690,6 +1690,10 @@ > inherit (xlibs) libX11 libXext; > }; > > + tor = import ../tools/security/tor { > + inherit fetchurl stdenv libevent openssl zlib; > + }; > + > ttf2pt1 = import ../tools/misc/ttf2pt1 { > inherit fetchurl stdenv perl freetype; > }; > Index: modules/services/security/tor.nix > =================================================================== > --- modules/services/security/tor.nix (revision 0) > +++ modules/services/security/tor.nix (revision 0) 
> @@ -0,0 +1,174 @@ > +{ config, pkgs, ... }: > + > +with pkgs.lib; > + > +let > + > + inherit (pkgs) tor privoxy; > + > + stateDir = "/var/lib/tor"; > + privoxyDir = stateDir+"/privoxy"; > + > + modprobe = config.system.sbin.modprobe; > + > + torUser = "tor"; > + > +in > + > +{ > + > + ###### interface > + > + options = { > + > + services.tor = { > + > + enable = mkOption { > + default = false; > + description = '' > + Whether to enable the Tor anonymous routing daemon. > + ''; > + }; > + > + socksListenAddress = mkOption { > + default = "127.0.0.1:9050"; > + example = "192.168.0.1"; > + description = '' > + Bind to this address to listen for connections from Socks-speaking > + applications. You can also specify a port. > + ''; > + }; > + > + config = mkOption { > + default = ""; > + description = '' > + Extra configuration. Contents will be added verbatim to the > + configuration file. > + ''; > + }; > + > + enablePrivoxy = mkOption { > + default = true; > + description = '' > + Whether to enable a special instance of privoxy dedicated to Tor. > + To have anonymity, protocols need to be scrubbed of identifying > + information. > + Most people using Tor want to anonymize their web traffic, so by > + default we enable an special instance of privoxy specifically for > + Tor. > + However, if you are only going to use Tor only as a relay then you > + can disable this option. > + ''; > + }; > + > + privoxyListenAddress = mkOption { > + default = "127.0.0.1:8118"; > + description = '' > + Address that Tor's instance of privoxy is listening to. > + *This does not configure the standard NixOS instance of privoxy.* > + This is for Tor connections only! > + See services.privoxy.listenAddress to configure the standard NixOS > + instace of privoxy. > + ''; > + }; > + > + privoxyConfig = mkOption { > + default = ""; > + description = '' > + Extra configuration for Tor's instance of privoxy. Contents will > be > + added verbatim to the configuration file. 
> + *This does not configure the standard NixOS instance of privoxy.* > + This is for Tor connections only! > + See services.privoxy.extraConfig to configure the standard NixOS > + instace of privoxy. > + ''; > + }; > + }; > + > + }; > + > + > + ###### implementation > + > + config = mkIf config.services.tor.enable { > + environment.systemPackages = [ tor ]; # provides tor-resolve and torify > + > + users.extraUsers = singleton > + { name = torUser; > + uid = config.ids.uids.tor; > + description = "Tor daemon user"; > + home = stateDir; > + }; > + > + jobs.tor = > + { name = "Tor"; > + > + startOn = "started network-interfaces"; > + stopOn = "stopping network-interfaces"; > + > + preStart = > + '' > + mkdir -m 0755 -p ${stateDir} > + chown ${torUser} ${stateDir} > + ''; > + exec = "${tor}/bin/tor -f ${pkgs.writeText "torrc" > config.services.tor.config}"; > + }; > + > + jobs.torPrivoxy = mkIf config.services.tor.enablePrivoxy > + { name = "Tor-privoxy"; > + > + startOn = "starting Tor"; > + stopOn = "stopping Tor"; > + > + preStart = > + '' > + mkdir -m 0755 -p ${privoxyDir} > + chown ${torUser} ${privoxyDir} > + > + # Needed to run privoxy as an unprivileged user? > + ${modprobe}/sbin/modprobe capability || true > + ''; > + exec = "${privoxy}/sbin/privoxy --no-daemon --user ${torUser} > ${pkgs.writeText "torPrivoxy.conf" config.services.tor.privoxyConfig}"; > + }; > + > + services.tor.config = '' > + DataDirectory ${stateDir} > + User ${torUser} > + SocksListenAddress ${config.services.tor.socksListenAddress} > + > + # Extra configurations go here > + ''; > + > + services.tor.privoxyConfig = '' > + # Generally, this file goes in /etc/privoxy/config > + # > + # Tor listens as a SOCKS4a proxy here: > + forward-socks4a / ${config.services.tor.socksListenAddress} . 
> + confdir ${privoxy}/etc > + logdir ${privoxyDir} > + # actionsfile standard # Internal purpose, recommended > + actionsfile default.action # Main actions file > + actionsfile user.action # User customizations > + filterfile default.filter > + > + # Don't log interesting things, only startup messages, warnings and > errors > + logfile logfile > + #jarfile jarfile > + #debug 0 # show each GET/POST/CONNECT request > + debug 4096 # Startup banner and warnings > + debug 8192 # Errors - *we highly recommended enabling this* > + > + user-manual ${privoxy}/doc/privoxy/user-manual > + listen-address ${config.services.tor.privoxyListenAddress} > + toggle 1 > + enable-remote-toggle 0 > + enable-edit-actions 0 > + enable-remote-http-toggle 0 > + buffer-limit 4096 > + > + # Extra config goes here > + ''; > + > + }; > + > +} > Index: modules/misc/ids.nix > =================================================================== > --- modules/misc/ids.nix (revision 21586) > +++ modules/misc/ids.nix (working copy) > @@ -53,6 +53,7 @@ > davfs2 = 31; > privoxy = 32; > osgi = 34; > + tor = 35; > # When adding a uid, make sure it doesn't match an existing gid. > > nixbld = 30000; # start of range of uids > Index: modules/module-list.nix > =================================================================== > --- modules/module-list.nix (revision 21586) > +++ modules/module-list.nix (working copy) > @@ -103,6 +103,7 @@ > ./services/scheduling/atd.nix > ./services/scheduling/cron.nix > ./services/scheduling/fcron.nix > + ./services/security/tor.nix > ./services/system/dbus.nix > ./services/system/nscd.nix > ./services/system/uptimed.nix > _______________________________________________ > nix-dev mailing list > [email protected] > https://mail.cs.uu.nl/mailman/listinfo/nix-dev _______________________________________________ nix-dev mailing list [email protected] https://mail.cs.uu.nl/mailman/listinfo/nix-dev
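Review bot: in pkgs/tools/security/tor/default.nix the source is fetched over plain http (`url = "http://www.torproject.org/dist/tor-0.2.1.25.tar.gz"`) and the only integrity check is the sha256 in the expression; since that hash was presumably computed from the same unauthenticated download, please verify the tarball against the detached GPG signature the Tor project publishes next to each release before committing the hash, and leave a short comment saying so, so that future version bumps repeat the check. Minor style point: `license="bsd";` and `longDescription=''` lack the spaces around `=` that the other attributes in the same meta block use.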
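Review bot: in modules/services/security/tor.nix, preStart creates the state directory with `mkdir -m 0755 -p ${stateDir}`; this directory is Tor's DataDirectory, which holds its keys and state, so it should be created 0700 (Tor itself warns about and tightens an overly permissive DataDirectory, but the module should not rely on that). Relatedly, both torrc and torPrivoxy.conf are produced with pkgs.writeText, so they end up world-readable in the Nix store; the descriptions of `config` and `privoxyConfig` should say that nothing secret (a HashedControlPassword, for instance) belongs in them. The `example = "192.168.0.1";` for socksListenAddress shows binding the SOCKS port to a LAN address, which makes an unauthenticated proxy reachable from that whole network; a loopback address with a non-default port would be a safer example, or the description should spell out the consequence. `startOn = "starting Tor";` for the privoxy job fires before Tor's listener is up, whereas `started Tor` would mirror how the Tor job itself waits on `started network-interfaces`. The `# Needed to run privoxy as an unprivileged user?` comment above `${modprobe}/sbin/modprobe capability || true` should be resolved one way or the other before this goes in; if the module load is not needed, drop the line. Finally, `instace` in the privoxyListenAddress and privoxyConfig descriptions should read `instance`.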
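Review bot: in modules/misc/ids.nix the new `tor = 35;` is added directly above the comment `# When adding a uid, make sure it doesn't match an existing gid.`; please confirm 35 is not already taken in the gid table of the same file (33 is skipped between `privoxy = 32;` and `osgi = 34;`, presumably for that reason), and mention in the commit message that this was checked.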
